OWASP
http://www.owasp.org/index.jsp
has "Guide to Building Secure Web Applications"
has a Top-10 list of vulnerabilities
- I posted a question to the Zope list about it... looks like you get most of that for free.
- someone else asked specifically about Sql Injection the same day.
XSS/Cross Site Scripting http://ha.ckers.org/xss.html
- Aug'2007 rules for parsing
- Sept'2007 filtering and escaping cheat sheet - see the Comments to discover how little agreement there is on these things!
Some Jeff Atwood pieces on web security
- some basics - don't store plaintext passwords, don't use MD5 (and probably not SHA1), use a salt, etc.
- consider using OpenID.
- Use BCrypt or PBKDF2 exclusively to hash anything you need to be secure.
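Those three password points (no plaintext, no bare MD5/SHA1, a per-user salt, a slow hash like PBKDF2) fit in a few lines of Python. This is an added example, not code from the page or from Atwood's posts; the storage format, the 16-byte salt and the iteration count are my own choices, and only PBKDF2 (not bcrypt) is shown since it is in the standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 with a random
# 16-byte salt. 600k iterations is a constructed default; tune to your hardware.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def unsalted_md5(password: str) -> str:
    """The anti-pattern: two users with the same password get the same hash,
    so one rainbow table cracks them all. Shown only for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$digest_hex'.

    Storing the iteration count alongside the hash lets you raise it later and
    re-hash users transparently on their next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                           # malformed record: never "accept"
    if algo != ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo: same password, different users.
    a = hash_password("correct horse battery staple", iterations=10_000)
    b = hash_password("correct horse battery staple", iterations=10_000)
    print("unsalted md5 identical:", unsalted_md5("hunter2") == unsalted_md5("hunter2"))
    print("salted records differ: ", a != b)
    print("verify ok:", verify_password("correct horse battery staple", a))
    print("verify bad:", verify_password("wrong", a))
```

Each record carries its own salt and iteration count, so verification needs nothing but the record and the candidate password, and a malformed record fails closed rather than raising.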
Albert Wenger notes how much risk comes from outside your webapp. In particular, hosted email and DNS have proven to be big holes.