Current State of Web Applications
Web sites used to be just sites. Communication is no longer one-way from server to browser. There is a constant need across many media for authentication and authorization, and the threats now extend well beyond website defacement.
Now there are web applications, which may be described as applications accessed through a browser that communicates with a web server. Communication often persists in a two-way manner across more than a single request. Sessions must now be tracked, and dynamic content or even sensitive information may be served. With this, security has become a must.
Foremost, many of these connections work over HTTP, which is connectionless and can be proxied or tunneled. To supplement this, client-side scripting is commonly used both to provide functionality and to reduce server load.
Some concerns within today's web applications include sensitive data leaks, unrestricted back-end access, and even denial of service.
Many websites cite that they are protected by SSL and demonstrate their added security measures through compliance standards such as PCI DSS. These are not perfect, though, and many of these same websites may still suffer from broken authentication, broken access controls, or vulnerabilities to SQLi (SQL injection), XSS (cross-site scripting), or CSRF (cross-site request forgery).
Overall, one main issue that website administrators must understand is that users can be malicious and can send anything, at any time, to any server with an open port. This is especially important because almost all of the previously listed vulnerabilities are prevalent and are not mitigated by SSL, which really only protects data in transit. So, by simply altering anything sent to the server (such as parameters, headers, and cookies), malicious users may negatively impact any business or organization.
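To make the point concrete, the following is an added example (not code from the original article) that parses a constructed HTTP request in which the client has edited both a cookie (`role=admin`) and a form parameter (`price=1`). The naive handler trusts both values; the hardened handler ignores them, derives the role from a server-side session store keyed by an HMAC-signed session cookie, and takes the price from the server's own catalogue. The session store, catalogue, secret key, and request text are all constructed for the example.

```python
"""Added example: client-controlled input must be re-checked on the server.
Everything below (secret, sessions, catalogue, request) is constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Server-side only; never sent to the client. Constructed per process.
SECRET_KEY = secrets.token_bytes(32)

# Server-side session store and price catalogue (constructed data).
SESSIONS = {"s1": {"user": "alice", "role": "user"}}
PRICES = {"sku-1": 1999}  # authoritative price in cents


def parse_request(raw: str) -> dict:
    """Parse a minimal HTTP/1.1 request: request line, headers, cookies, form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "target": target, "headers": headers,
            "cookies": cookies, "params": params}


def sign(value: str) -> str:
    """Attach an HMAC so the server can detect edits to a cookie it issued."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify(signed: str):
    """Return the original value if the HMAC checks out, else None."""
    value, _, mac = signed.rpartition(".")
    if not value:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def naive_checkout(req: dict) -> dict:
    """The weak pattern: role and price are taken straight from the client."""
    role = req["cookies"].get("role", "user")
    price = int(req["params"].get("price", "0"))
    return {"role": role, "charged": price}


def hardened_checkout(req: dict) -> dict:
    """Role comes from the server-side session; price from the server's catalogue."""
    sid = verify(req["cookies"].get("sid", ""))
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        return {"error": "unauthenticated"}
    sku = req["params"].get("sku", "")
    if sku not in PRICES:
        return {"error": "unknown sku"}
    return {"role": session["role"], "charged": PRICES[sku]}


def tampered_request() -> str:
    """Constructed request: valid signed session, but cookie and price edited by the client."""
    return ("POST /checkout HTTP/1.1\r\n"
            "Host: shop.example\r\n"
            f"Cookie: sid={sign('s1')}; role=admin\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "\r\n"
            "sku=sku-1&price=1")


if __name__ == "__main__":
    req = parse_request(tampered_request())
    print("naive   :", naive_checkout(req))     # trusts role=admin and price=1
    print("hardened:", hardened_checkout(req))  # role=user, charged=1999
```

The transport does not matter here: the same edited request arrives identically over plain HTTP or HTTPS, which is why the check has to live on the server. The HMAC only proves the `sid` cookie was issued unmodified; authorization data (the role) is still looked up server-side rather than read from the cookie.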