You're not paranoid: The Internet is evolving so fast that no Web application stays static for long. Web 2.0, AJAX, RSS, blog software, CSS layouts, Google sitemaps, XHTML compliance... there's always a new technology to implement, a new feature to add, a new attack vector to be exploited. And as enterprises move applications from the desktop to the Web, IT is forced to defend an increasingly tangled environment, woven from a mix of internally and externally developed apps with frequently changing code that almost always contains security holes.
If this sounds familiar, consider deploying a Web application firewall, or WAF. This relatively new security tool is designed to pick up where network firewalls--which guard up to the transport layer of the TCP/IP stack--leave off. A WAF protects the application layer, using deep-packet inspection to guard against SQL injection, session hijacking, cross-site scripting, buffer overflows and other attacks.
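To make the transport-layer versus application-layer distinction concrete, here is a small added illustration (not code from the article or from any product it reviews): a layer-4 filter sees only the destination port, while a WAF-style inspector parses the HTTP request and matches the decoded path and parameter values against simplified signatures. The sample requests and the rule patterns are constructed for this example; real WAF rule sets are far larger and tuned to cut false positives.

```python
"""Why a port-based firewall cannot see what a WAF sees (added illustration)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample requests, not captured traffic.
BENIGN = "GET /search?q=laptop+bags HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = "GET /item?id=1'+OR+'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS = ("GET /greet?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
       "Host: shop.example\r\n\r\n")

# Simplified signatures in the style of a WAF rule set (assumption: a toy
# subset; production rules are richer and handle many more encodings).
RULES = {
    "sqli": re.compile(r"(?i)('\s*(or|and)\s*'?\d|union\s+select|--\s*$|;\s*drop\s)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
}


def network_firewall_allows(dst_port: int, allowed_ports=(80, 443)) -> bool:
    """Layer-4 decision: only the port is visible, never the HTTP payload."""
    return dst_port in allowed_ports


def parse_request(raw: str) -> dict:
    """Extract method, decoded path and decoded query parameters from a raw request."""
    request_line = raw.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # decodes %xx and '+'
    return {"method": method, "path": unquote_plus(parts.path), "params": params}


def waf_inspect(raw: str) -> list:
    """Return the sorted names of rules matching the decoded path or any parameter."""
    req = parse_request(raw)
    fields = [req["path"]] + list(req["params"].values())
    return sorted({name for name, rx in RULES.items() for f in fields if rx.search(f)})


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("sqli", SQLI), ("xss", XSS)):
        # The port filter passes all three; only the application-layer check differs.
        print(label, "port ok:", network_firewall_allows(80), "waf hits:", waf_inspect(raw))
```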
WAFs are available as software and as appliances that plug into your network at a point where they can monitor traffic to and from Web servers. While building our comparative review of these products for "WAFs Blast Pernicious Payloads," page 41, we ran across a variety of deployment methodologies, with some products supporting multiple configurations.