Open WebApp Security Project http://www.owasp.org/

has Top-10 list of vulnerabilities

  • 2005: I posted a question to the Zope list about it... looks like you get most of that for free.

has serverless top-10

older notes

XSS/Cross Site Scripting http://ha.ckers.org/xss.html

  • Aug'2007 rules for parsing
  • Sept'2007 filtering and escaping cheat sheet - see the Comments to discover how little agreement there is on these things!

Some Jeff Atwood pieces on web security

  • some basics - don't store plaintext passwords, don't use MD5 (and probably not SHA1), use a salt, etc.
  • consider using OpenID.
  • Use BCrypt or PBKDF2 exclusively to hash anything you need to be secure.

2013: Albert Wenger notes how much risk comes from outside your webapp. In particular hosted email and DNS have proven to be big holes.

Edited:    |       |    Search Twitter for discussion