There's also work happening across the browser industry to improve security for all, Barnes says. For example, a universal encryption method is under development, and browser makers are giving users more awareness of and control over what the Web knows about them, he says.
Help from a standards body is on the way as well. The World Wide Web Consortium, which has overseen the development of HTML5, has its Content Security Policy specification proposal, which W3C Domain Lead Wendy Seltzer says offers a policy language for Web authors to restrict active content on their sites, protecting against script injections. There's also the Secure Content specification effort to ensure that powerful Web features only operate in secure, authenticated contexts.
Ultimately, however, apps need to assure security, whether they run in a browser or in an OS. Prevoty's Bellanger recommends that developers adopt Microsoft's secure development lifecycle guidance to strengthen applications against breaches. "It's still the developer's responsibility to build the application as securely as possible," he says.