why web application security is different

interesting:

Building A Web Application Security Program: Part 3, Why Web Applications Are Different
on the Securosis blog

the list of reasons:
Custom code equals custom vulnerabilities
You are the vendor
Firewalls/shielding alone can’t protect web applications
Eternal Beta Cycles
Reliance on frameworks/platforms
Heritage (legacy) code
Dynamic content
New vulnerability classes