Safety of Web Applications: Risks, Encryption and Handling Vulnerabilities with PHP explores many areas that can help computer science students and developers integrate security into their applications. The Internet is not secure, but it is a very convenient tool for storing and manipulating data. Customer confidence in Internet software rests on its ability to prevent damage and withstand attacks, but secure software is complicated and depends on several factors: sound risk estimation, good code architecture, encryption, web server configuration, coding that resists the most common attacks, and identification and rights allocation.
- Helps computer science students and developers integrate security into their applications
- Includes sections on risk estimation, MVC modeling and encryption (certificates, key pairs, the HTTPS protocol)
Safety of Web Applications, by Eric Quinton (Computer Science & Computer Science General).
Keywords
Damage; Exchange; Global network; Heavy clients; Internet; Intranet; Programs; Security; Trust
1.1 What is a web application?
An application, or program, may be defined as a set of instructions that a computer system can interpret in order to process data. A web application is a program whose user interface runs in the browser and whose logic is processed by a server, i.e. a remote machine. The browser and the server communicate over the Internet, a global network of computer equipment and cables that exchange information using a common family of protocols (IP and the protocols built on top of it); the web is the set of services (HTTP, HTML) that run over that network.
1.1.1 The Internet, a global network
The Internet is a global network for exchanging messages between computers. Its earliest foundations date back to the 1960s, but it first became truly operational in the 1980s. Each machine was originally identified by a unique address called an IP address (Internet Protocol), based on the principle that any computer should be able to communicate with any other (today, with network address translation, several machines often share one public address). The web takes its name from the way its documents are linked: a diagram of the hyperlinks between pages looks like a gigantic spiderweb.
The Internet is a network: the services built on top of it are what make it special. It allows messages to be exchanged by email, discussions to be held on forums (the Usenet newsgroups, most popular in the 1990s), and, of course, information to be displayed on the user's screen thanks to the HTTP protocol. The primary reason this protocol was developed is that it allows users to navigate from one piece of information to the next in no fixed order, by following hyperlinks: this is known as surfing.
To make navigation easier, names that are easier to remember are used in place of IP addresses. In practice, the IP addresses still exist; translation servers, the Domain Name System (DNS), perform the conversion from name to address.
Most website addresses begin with the famous three letters WWW, for World Wide Web. This term encompasses all servers that provide information viewed through browsers, the programs installed on user devices that display webpages.
The current version of the web dates back to the early 1990s. This is when the HTML format was invented for designing webpages. At the time, however, the concept of web application was not yet familiar.
1.1.2 Programs before the web
Before the World Wide Web, programs were built differently for each system on which they were intended to run: a program compiled for a Macintosh could not be used on a computer running a different operating system (the program that controls the computer), such as Windows. Programmers faced a difficult problem: how could they write an application that runs on all systems?
In the mid-1990s, the company Sun (since acquired by Oracle) gave a widely adopted answer to this question by creating Java. Java is based on two building blocks: a programming language and an execution layer written specifically for each operating system.
Figure 1.1 Working principle of Java applications
Any program written in Java can be run on any platform with the execution layer, the Java Runtime Environment (JRE), without requiring the code to be recompiled. The main drawback is that the JRE must be installed on each computer that runs the application. The program itself must also be distributed to each user and installed on each computer. Clearly, this solution is not yet completely ideal.
1.1.3 Web technology is gradually adopted by applications
IT professionals soon realized how powerful the web could become. To create programs, we can simply run a piece of code on the server that generates the pages dynamically, depending on what the user wishes to see. Any browser can use such a program, wherever it is hosted, as long as the user has an Internet connection.
Figure 1.2 Working principle of web applications
Each computer has its own operating system (Windows, Linux or iOS in this example). One specific program, the browser, is installed on each device: it can display any page returned by a website. If this page is created dynamically, that is to say, if it is recalculated by the website server each time it is requested, to adapt it to the request submitted by the user, we describe it as a web application. In this case, the server generates pages using a suitable language.
Historically, PHP was one of the first languages to be used, but since then, there have been others, such as Python and Java.
In the early 2000s, HTML could not rival the performance of programs written specifically for each operating system, or developed in Java (or other languages working according to similar principles).
Since then, it has vastly improved (we are currently using version 5, HTML5), and actions can now be programmed to execute directly in the browser, for example using the JavaScript language. Note that JavaScript has nothing to do with Java, apart from a certain similarity in syntax and in name.
Today, applications written using web technologies are no longer inferior to those developed specifically for a given operating system in most respects. They can be executed in the browser, regardless of the system that drives the browser, and boast a wide range of features.
However, one problem soon became apparent: the technologies that allow computers to communicate, sometimes described as the network layer, were not designed to be secure. The original designers mainly focused on the reliability of transmissions: the primary objective was to ensure that the messages exchanged between computers arrived intact at their destinations. At the time, very few people cared about guaranteeing confidentiality, and computers were not yet powerful enough to offer real-time encryption in the form we are familiar with today, so messages travelled in clear text.
1.1.4 Exchange is based on trust
Fundamentally, the Internet is not secure: unless it is complemented with other technologies (encryption and authentication of the connection), anyone positioned on the path between two machines can read the information being exchanged, or even modify it in transit.
Although this is generally not too much of a problem when viewing general information, it becomes an issue when updating databases, operating machinery and paying taxes: some level of confidentiality is necessary for these tasks. Today’s web only works because it relies on trust.
For example, when we buy a product from a website, we must first trust the seller: we trust that the product that they are offering is available, and we trust that it will be delivered. The seller also needs to be sure that the delivery address given by the customer cannot be modified, etc. As for the payment, providing the credit card number is always tricky: the seller, or the bank acting as an intermediary for the seller, must guarantee both the confidentiality of the exchange and the security of the collected data.
This trust is an essential concept: although it was not fully necessary in primitive societies (as everybody could keep an eye on the whole community), this is no longer true today, since we need to conduct trades without knowing the other party personally. The need for security when interacting with others is indispensable, and relies not just on legal protective measures and regulations (the fact that companies must register on the Trade Registry, the risks involved with fraud, etc.), but also on the security processes in place to ensure that a third party cannot interfere with an interaction.
To close the security gaps (everything is open and accessible by default), a number of technical solutions have been implemented to provide secure access to servers, encrypt connections, and ensure that data cannot be intercepted.
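The delivery-address scenario above illustrates the weakest point of a plaintext exchange: the receiver cannot tell whether the bytes it gets are the bytes that were sent. The following Python example is added here as an illustration and is not code from the book. It simulates an on-path attacker rewriting an order in transit, first over a bare plaintext channel and then over a channel where the sender appends a message authentication code (HMAC-SHA256) under a key shared with the receiver. The order, the key and the in-memory "network" are constructed for the example; the functions `send_plaintext`, `send_authenticated`, `on_path_attacker` and `demo` are hypothetical names chosen for this illustration.

```python
"""Added example (not from the book): why a plaintext exchange cannot detect
tampering, and how a message authentication code lets the receiver reject a
message that was altered in transit.

Everything is simulated in memory: the "network" is a function that an
on-path attacker can rewrite. The shared key and the order are constructed
sample data, not real values.
"""
import hashlib
import hmac
import json
import secrets


def send_plaintext(order: dict) -> bytes:
    """Serialise the order with no protection, as HTTP does without TLS."""
    return json.dumps(order, sort_keys=True).encode()


def receive_plaintext(wire: bytes) -> dict:
    """The receiver has no way to tell whether the bytes were altered."""
    return json.loads(wire)


def send_authenticated(order: dict, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed over the serialised order."""
    body = json.dumps(order, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def receive_authenticated(wire: bytes, key: bytes) -> dict:
    """Recompute the tag and reject the message if it does not match."""
    body, _, tag = wire.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    return json.loads(body)


def on_path_attacker(wire: bytes, new_address: str) -> bytes:
    """Rewrite the delivery address in transit, leaving any tag untouched.

    Works on both wire formats: the plaintext form has no newline, so the
    tag part is simply empty.
    """
    body, sep, tag = wire.partition(b"\n")
    order = json.loads(body)
    order["delivery_address"] = new_address
    return json.dumps(order, sort_keys=True).encode() + sep + tag


def demo() -> dict:
    """Run the three scenarios and report what the receiver concluded."""
    order = {"item": "book", "delivery_address": "1 rue de la Paix, Paris"}
    key = secrets.token_bytes(32)  # shared out of band, e.g. during TLS setup
    attacker_address = "attacker's drop box"

    # 1. Plaintext: the attacker's change is silently accepted.
    tampered = on_path_attacker(send_plaintext(order), attacker_address)
    plaintext_result = receive_plaintext(tampered)["delivery_address"]

    # 2. Authenticated: the same change is detected and the message rejected.
    tampered = on_path_attacker(send_authenticated(order, key), attacker_address)
    try:
        receive_authenticated(tampered, key)
        authenticated_detected = False
    except ValueError:
        authenticated_detected = True

    # 3. An untampered authenticated message is accepted as sent.
    intact = receive_authenticated(send_authenticated(order, key), key)

    return {
        "plaintext_accepted_attacker_address": plaintext_result == attacker_address,
        "authenticated_detected_tampering": authenticated_detected,
        "authenticated_intact_ok": intact == order,
    }


if __name__ == "__main__":
    print(demo())
```

A MAC only gives integrity: the attacker can still read the order. Encrypting the exchange as well, and proving to the client that the key really belongs to the seller, is what TLS (HTTPS, covered in Chapter 3) does on top of this idea.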
It has also proven necessary to protect users themselves from information theft: without special precautions, code delivered by a server could read data on the user's computer and steal it.
To counter this, browser publishers have implemented a large array of security measures, for example by confining webpages to a sandbox that prevents them from reading information on the user's computer, and by preventing a page from reading data that belongs to another website (the same-origin policy). This is the main limitation of web applications: they are forbidden from interacting directly with the device, apart from a few browser interfaces (geolocation, camera, microphone) that require the user's explicit consent.
Smartphones and tablets can circumvent this limitation, at the cost of requiring the application to be specially packaged. Today, these devices have a wide range of features, such as GPS receivers, cameras, accelerometers (which record movements and are used, in particular, to rotate the screen automatically), etc. To create an application that exploits these features using web technologies, several languages are used, such as HTML, to prepare the displayed pages, and JavaScript, to manage the interactions with the device. The pages (the program) thus created are then packaged with special tools that make them installable. In this phase, access rights are granted to the finished application, which requests access to the hardware. To install these programs, virtual stores hosted by the operating system publishers (Google Play Store for Android, for example) act as an intermediate step and screen submitted programs for malicious code that might compromise the system. This screening reduces the risk but is not a guarantee: malicious applications are regularly found in, and removed from, these stores.
1.1.5 Bad idea: trusting that the intranet is automatically secure
It might seem tempting to treat applications accessible directly from the Internet differently from those that only run internally (within the intranet of an organization). The risks are of course much higher for Internet applications, which are directly accessible by everyone in the world, but we must not forget that even trusted personnel can behave inappropriately and attempt to modify information, whether for their own benefit or to harm the company they work for.
Furthermore, many modern attacks work by taking control of one computer, which is then used as a springboard to attack other devices (a technique known as lateral movement) until, step by step, a server containing confidential information is reached. Once that first foothold exists, the attacker is on the intranet, and an application that trusts any request simply because it comes from an internal address is wide open.
While it is natural to remember to secure a web application exposed on the Internet, it also makes sense to do the same for software that was not necessarily designed to be deployed outside the company. Indeed, if for whatever reason it is made available later, doing so will require fewer modifications, usually limited to configuring the required network infrastructure. If security is not integrated into the design from the beginning, it is much harder to add later, and the effort required to develop additional protection modules can quickly become prohibitive.
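The practical consequence of section 1.1.5 for code is that network location must never serve as a credential. The following Python example is added here as an illustration and is not code from the book: it places an access check that trusts "internal" addresses next to one that requires a valid session on every request, and runs both against a forged request from the Internet, a request from a compromised workstation on the real intranet, and a legitimate authenticated user connecting from outside. The request dictionaries, the `SESSIONS` store, the address ranges and the function names `weak_authorize` and `hardened_authorize` are constructed for this illustration; in a real application the session would come from the framework's authentication layer.

```python
"""Added example (not from the book): an access check that trusts the intranet
versus one that authenticates every request regardless of its origin.

The request format, the session store and all addresses are constructed
sample data for this illustration.
"""
import ipaddress
import secrets
from typing import Optional

# Address ranges the organisation considers "internal" (constructed).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Simulated server-side session store: token -> username (constructed).
SESSIONS = {"tok-alice": "alice"}


def is_internal(address: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def weak_authorize(request: dict) -> Optional[str]:
    """Weak: anything that looks internal is let in without authentication.

    The address is read from an X-Forwarded-For style header when present,
    which any client can set, so an Internet user can simply claim to be
    internal. Even a genuine internal address proves nothing once a single
    workstation on the intranet has been compromised.
    """
    headers = request.get("headers", {})
    claimed = headers.get("X-Forwarded-For", request["remote_addr"])
    if is_internal(claimed):
        return "trusted-internal-user"
    return SESSIONS.get(headers.get("Authorization"))


def hardened_authorize(request: dict) -> Optional[str]:
    """Hardened: every request must present a valid session, wherever it comes from.

    The network address may be logged for auditing, but it is never used as
    a credential, so neither a forged header nor a foothold on the intranet
    grants access on its own.
    """
    token = request.get("headers", {}).get("Authorization")
    if token is None:
        return None
    for known, user in SESSIONS.items():
        if secrets.compare_digest(known, token):  # constant-time comparison
            return user
    return None


def demo() -> dict:
    """Run the two checks against three representative requests."""
    # An Internet client forging an internal address in a header it controls.
    forged = {"remote_addr": "203.0.113.7", "headers": {"X-Forwarded-For": "10.1.2.3"}}
    # A compromised workstation on the real intranet, holding no credentials.
    compromised = {"remote_addr": "192.168.1.50", "headers": {}}
    # A legitimate user with a valid session, connecting from home.
    legit = {"remote_addr": "198.51.100.9", "headers": {"Authorization": "tok-alice"}}
    return {
        "weak_forged": weak_authorize(forged),
        "weak_compromised": weak_authorize(compromised),
        "hardened_forged": hardened_authorize(forged),
        "hardened_compromised": hardened_authorize(compromised),
        "hardened_legit": hardened_authorize(legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak check grants access to both the forged request and the compromised workstation, which is exactly the springboard scenario described above; the hardened check rejects both and still admits the legitimate user from outside, which is why an application written this way needs no redesign when it is later exposed on the Internet.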
1.2 What is computer security?
The proliferation of computers and the Internet means that we need to store and retrieve information from digital medi...
Table of contents
Cover
Title page
Table of Contents
Copyright
Preface
1: Why Do Web Applications Need to be Secure?
2: Estimating Risk
3: Encryption and Web Server Configuration
4: Threats and Protecting Against Them
5: Managing User Logins and Assigning Permissions
6: Using the MVC Model to Structure the Application
7: Implementing a Suitable Technical Platform and Testing the Application