
CTO and Co-Founder of Contrast Security , working to ensure every app and API is instrumented w/vulnerability assessment & attack protection.


If you love online banking, shopping online or using apps on your mobile phone, you’re putting a lot of trust in an amazingly complex software ecosystem. You’re trusting this software with your finances, health care information and much more. When a company gets hacked, the reaction from the public is typically outrage. While it’s okay to blame them for mishandling vulnerabilities and breaches, we should recognize the overwhelming speed and complexity of modern information technology.

Let’s focus on one of the riskiest pieces of the ecosystem — the internet-facing web application. We’ll use the hypothetical BigBank as an example. BigBank.com is a typical online banking website that also includes all the application programming interfaces (APIs) used by mobile devices and other clients. Fundamentally, BigBank is actually a software company that does banking, with more developers than most technology firms. Nevertheless, BigBank only has about 15 people focused on application security, and they are responsible for securing the entire portfolio of thousands of apps like BigBank.com, the vast majority of which get no security attention. They are sitting ducks.

Every day, BigBank.com receives hundreds of thousands of requests from customers. Every time you click a link or submit a form, it pulls the data from your request, makes calculations, updates databases, checks the mainframe, sends messages and then finally sends the results back to your browser. BigBank.com receives hundreds of these requests simultaneously and processes them all through billions of paths through the code.

The complexity of BigBank.com is staggering — far beyond what a single developer could ever fully understand. It consists of almost two million lines of custom Java code and another 50 million lines of open source Java libraries. That’s much bigger than the size of the US Federal Tax “code” and at least as hard to parse. While some parts of BigBank.com are brand new, most of it is over a decade old. To stay secure, BigBank has to keep up with verifying all the code they produce, dealing with dozens of new open source vulnerabilities every week and handling novel attack techniques across their entire portfolio multiple times a year.

BigBank.com gets attacked hundreds of times every day. The vast majority of these attacks are seeking vulnerabilities called SQL injection, cross-site scripting and file path injection, which are all attempts to trick the bank into disclosing information, draining accounts or corrupting its data. In some cases, they are trying to completely take over the computer the bank runs on. Once that happens, attackers can gain full control of everything the computer knows and can do everything it can do.

The bad guys are constantly probing for chinks in BigBank.com’s armor. The problem is, BigBank.com doesn’t have any code to detect these attacks, so no one can see them. Network protections like firewalls are useless because, unless you really understand the code, you can’t tell which requests are attacks. Companies like BigBank are put in an awful dilemma: attacks generally start within a day of a vulnerability being disclosed, but it takes many organizations months to figure out whether they’re vulnerable, update the library, adapt their code, rebuild, retest both features and security and redeploy.
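The point that a firewall cannot tell which requests are attacks without understanding the code can be made concrete. The following is an added illustration, not code from the article or from any Contrast Security product: two hypothetical BigBank.com lookup endpoints (`legacy_lookup`, which builds SQL by concatenation, and `modern_lookup`, which uses a parameterized query) receive the same request parameter. From the network the two requests are byte-for-byte identical; only a hook that runs inside the application, at the moment the final query is known, can see that the input rewrote the query's structure on one path and was harmless data on the other. The accounts table, the endpoint names, the `{}` template convention and the token-shape comparison are all assumptions constructed for this example.

```python
"""Added example: in-application detection of SQL injection by comparing the
token structure of the query the developer wrote with the query actually
about to run. Constructed data and hypothetical endpoints; not the article's code."""
import re
import sqlite3

# Coarse SQL lexer: string literals, numbers, words (keywords/identifiers),
# whitespace, and any other single character (operators, punctuation).
TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')   # single-quoted literal, '' is an escaped quote
  | (?P<NUM>\d+)              # integer literal
  | (?P<WORD>\w+)             # keyword or identifier
  | (?P<WS>\s+)               # whitespace, dropped
  | (?P<OP>.)                 # = , ( ) ; and anything else
""", re.VERBOSE)


def shape(sql: str) -> list:
    """Reduce SQL text to a list of token kinds, e.g. ['WORD', 'OP', 'STR']."""
    return [m.lastgroup for m in TOKEN_RE.finditer(sql) if m.lastgroup != "WS"]


def injection_detected(template: str, value: str) -> bool:
    """True when splicing `value` into `template` changes the query's token
    structure, i.e. user data escaped its literal and became SQL syntax.
    `template` marks the concatenation point with {} (an assumed convention)."""
    baseline = shape(template.format("0"))      # harmless stand-in value
    rendered = shape(template.format(value))    # what would actually execute
    return baseline != rendered


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the bank's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("o'brien", 75)])
    return conn


# Hypothetical decade-old endpoint: the developer concatenated the parameter.
LEGACY_TEMPLATE = "SELECT owner, balance FROM accounts WHERE owner = '{}'"


def legacy_lookup(conn: sqlite3.Connection, owner: str) -> dict:
    """Concatenating endpoint, guarded by an in-app hook that sees the full
    query just before execution. A firewall never has this view."""
    if injection_detected(LEGACY_TEMPLATE, owner):
        return {"status": "blocked", "reason": "query structure altered by input"}
    rows = conn.execute(LEGACY_TEMPLATE.format(owner)).fetchall()
    return {"status": "ok", "rows": rows}


def modern_lookup(conn: sqlite3.Connection, owner: str) -> dict:
    """Parameterized endpoint: the value is bound as data and can never
    become syntax, so the identical request needs no blocking at all."""
    rows = conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()
    return {"status": "ok", "rows": rows}


if __name__ == "__main__":
    db = make_db()
    # Constructed request values: a normal name, a name with an apostrophe,
    # and a classic tautology payload. The network sees the same bytes for
    # both endpoints; only the in-app hook can tell the outcomes apart.
    for value in ["alice", "o'brien", "' OR '1'='1"]:
        print(repr(value), "legacy:", legacy_lookup(db, value),
              "modern:", modern_lookup(db, value))
```

Note what the hook does with `o'brien`: on the concatenating path the apostrophe really does break the query, so blocking it is the correct call there, while the parameterized path returns that customer's row. A network filter that keys on the apostrophe would have to either block a legitimate customer on both paths or let the tautology through on both; neither is right, which is the dilemma the paragraph describes.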

As a consumer, here’s what you can do to protect yourself:

1. Ask companies for details about what protections they use to protect your data. Ask whether they use encryption, strong authentication, runtime protection and other modern defenses. How do they detect attacks and prevent exploitation?