
Web Application Security

Authors: Foss, Julie-Marie; Ingvaldsen, Nina;

Abstract

As more and more sensitive information enters web-based applications, and thus becomes available through a web browser, securing these systems is of increasing importance. A software system accessible through the web is continuously exposed to threats, and is accessible to anyone who would like to attempt a break-in. These systems cannot rely only on external measures like separate network zones and firewalls for security. Symantec's¹ Internet Security Threat Report [34] is published every six months. The main findings of the latest report show that there is an increase in threats to confidential information and more attacks aimed at web applications. Almost 48 percent of all vulnerabilities documented in the last six months of 2004 were vulnerabilities in web applications. Security principles that one should pay attention to when developing web applications do exist. This report has taken a look at existing guidelines and provides an independent guide to developing secure web applications. These guidelines will be published on the homepage of The Centre for Information Security² (SIS), www.norsis.no. The report also describes how a web application has been developed using the provided security guidelines as reference points. Relevant vulnerabilities and threats were identified and described. Misuse cases relate the various threats to specific system functionality, and a risk analysis ranks the threats in order to see which ones are most urgent. During the design phase, the application areas exposed to threats ranked high in the risk analysis have been at the center of attention. This is also the case in the implementation phase, where countermeasures to some of these threats are provided on the Java platform. The implemented solutions can be adapted by others developing applications on this platform. The report concludes that the use of security guidelines throughout the entire development process is useful when developing a secure system.

¹ Symantec works with information security, providing software, appliances and services designed to secure and manage IT infrastructures [33].

² The Centre for Information Security (SIS) is responsible for coordinating activities related to Information and Communications Technology (ICT) security in Norway. The centre receives reports about security-related incidents from companies and departments, and is working on obtaining an overall impression of threats towards Norwegian ICT systems [30].

Keywords

SIF2 datateknikk, Program- og informasjonssystemer, ntnudaim
