Out-of-Band Dangers

Functions such as Webmail and FTP can introduce new risks to Web-based applications

2:15 PM -- If you haven't noticed, applications are getting more complicated. Things aren't as isolated as many people think they are -- Websites aren't just applications that touch Port 80 anymore. And the environment is becoming more complex every day.

Let's take a few examples. The first and most common is Webmail. Services like Hotmail, Yahoo Mail, and Gmail have all taken a technology that typically has nothing to do with Websites (email) and turned it into a Web application. Thankfully, Webmail is a well-understood problem for most major companies -- but there are many other applications that use email.

For example, there are many applications that alert users that something has changed. Email alerts, e-cards and send-to-a-friend functions all have interesting implications once you consider how they interact with the Web. However, attackers are also successfully using these functions to send out spam.
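To make the send-to-a-friend risk concrete, here is an added illustration (it is not code from this column or from any product it names): a relay-prone handler that hands the browser's recipients, subject and body straight to the mailer, next to a constrained version that only accepts a single recipient, fills a fixed template, strips links from the user's note and enforces a per-sender quota. The quota numbers, the site base URL and the form field names are assumptions; nothing is actually sent, both versions just return the message they would hand to the mail system.

```python
"""Send-to-a-friend: a relay-prone version next to a constrained one.

Added example, not code from the article. Page names, quota values and the
site base URL below are assumptions chosen for the demo.
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SITE_BASE = "https://www.example.com/"   # assumed; only links back to the site are allowed


def send_to_friend_open(form):
    """Relay-prone: recipients, subject and body come verbatim from the form.

    Whoever drives this endpoint with a script controls everything in the
    mail, so it behaves like an open relay carrying the site's domain.
    """
    return {
        "to": [addr.strip() for addr in form["to"].split(",")],
        "subject": form["subject"],
        "body": form["body"],
    }


class SendToFriend:
    """Constrained version: one recipient, fixed template, per-sender quota."""

    MAX_PER_SENDER_PER_DAY = 5   # assumed quota
    MAX_NOTE_LEN = 200           # assumed cap on the free-text note

    def __init__(self):
        # sender -> messages sent today; a real app would persist this per day
        self._sent = defaultdict(int)

    def send(self, sender, form, article_url):
        # 'sender' is the authenticated account's address, never a form field.
        if not EMAIL_RE.match(sender):
            raise ValueError("invalid sender")
        to = form.get("to", "").strip()
        if not EMAIL_RE.match(to):            # a comma-separated list fails here
            raise ValueError("invalid recipient")
        if not article_url.startswith(SITE_BASE):
            raise ValueError("only links back to this site may be shared")
        if self._sent[sender] >= self.MAX_PER_SENDER_PER_DAY:
            raise PermissionError("daily send-to-a-friend quota exceeded")
        note = form.get("note", "")[: self.MAX_NOTE_LEN]
        # Keep the user's free text from smuggling its own links into the mail.
        note = re.sub(r"https?://\S+", "[link removed]", note)
        self._sent[sender] += 1
        return {
            "to": [to],
            "subject": "An article was shared with you",   # not user-controlled
            "body": f"{sender} thought you would like {article_url}\n\nNote: {note}",
        }


if __name__ == "__main__":
    svc = SendToFriend()
    print(svc.send("alice@example.com",
                   {"to": "bob@example.net", "note": "worth a read: http://elsewhere.example/x"},
                   SITE_BASE + "articles/1"))
```

The constrained version is the one to threat-model against: the only attacker-influenced bytes that reach the mail are one validated address and a length-capped, link-stripped note.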

Another interesting out-of-band function is File Transfer Protocol (FTP). Several years ago, Apache's Website was hacked via FTP -- attackers uploaded files to directories that the Web server could see. The Web server ran the file, which was actually a CGI script. The CGI script ran as the Web user, and gave the attackers access to the Website.
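The FTP incident above reduces to one trust-boundary question: is there any directory the FTP account can write to that the Web server will also treat as executable? The following added example (not code from the column, and not an Apache tool) turns that question into an audit. It builds a constructed web root in a temporary directory, takes the set of script-execution-enabled directories as plain data (assumed, not parsed from a real httpd.conf), and reports every directory that is both writable by an assumed FTP service uid/gid and covered by execution rights.

```python
"""Audit: can a file dropped over FTP end up executed by the web server?

Added example, not code from the article or from Apache. The directory
layout is constructed in a temp dir; exec-enabled directories and the FTP
account's uid/gid are assumptions passed in as data.
"""
import os
import stat
import tempfile

FAKE_FTP_UID = 60000   # assumed id of the FTP service account (not the user running this)
FAKE_FTP_GID = 60000


def ftp_writable(path, ftp_uid, ftp_gid):
    """True if the FTP account could create files in this directory."""
    st = os.stat(path)
    if st.st_uid == ftp_uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid == ftp_gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def find_exposures(docroot, exec_dirs, ftp_uid, ftp_gid):
    """Directories (relative to docroot) that are FTP-writable AND lie under a
    directory where the server executes scripts (ExecCGI / script handler).
    Execution rights are inherited by subdirectories, hence the prefix test."""
    findings = []
    for dirpath, _dirs, _files in os.walk(docroot):
        in_exec = any(dirpath == d or dirpath.startswith(d + os.sep) for d in exec_dirs)
        if in_exec and ftp_writable(dirpath, ftp_uid, ftp_gid):
            findings.append(os.path.relpath(dirpath, docroot))
    return sorted(findings)


def build_demo_layout():
    """Constructed web root shared with an FTP account:
    cgi-bin  executable, not writable   -> fine
    uploads  executable AND writable    -> the Apache-style exposure
    static   writable, not executable   -> fine (for this question)"""
    root = tempfile.mkdtemp(prefix="oob-demo-")
    docroot = os.path.join(root, "htdocs")
    for name, mode in (("cgi-bin", 0o755), ("uploads", 0o777), ("static", 0o777)):
        d = os.path.join(docroot, name)
        os.makedirs(d)
        os.chmod(d, mode)
    os.chmod(docroot, 0o755)
    exec_dirs = {os.path.join(docroot, "cgi-bin"), os.path.join(docroot, "uploads")}
    return docroot, exec_dirs


if __name__ == "__main__":
    docroot, exec_dirs = build_demo_layout()
    for rel in find_exposures(docroot, exec_dirs, FAKE_FTP_UID, FAKE_FTP_GID):
        print("upload-to-execution path:", rel)
```

Run against a real host, the two inputs would come from the FTP daemon's configured account and from the server's Directory/handler settings; the fix for any hit is to take execution rights away from the writable directory, not to trust the uploader.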

We can no longer think of Web applications as being stand-alone. They are far too complex now. Today's apps are not autonomous, and building threat models that exclude the vulnerabilities introduced by out-of-band services is a dangerous practice.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading