There is an awful lot of custom written web applications out there today. Some shopping carts used on web sites selling goods comes to mind readily. If you look at any of the computer security sites listing exploits then this is not exactly news to you. It is very important to have the custom written web application tested thoroughly before it is deployed, and facing the Internet. You can do this on the cheap by using one of the commercial web application scanners, or go for a professional pen-tester. Depending on your budget go with the one that suits your needs best. Remember though, I would continue to have your web application tested regularly, perhaps once yearly. After all, new exploits are developed all the time.