Open WebApp Security Project http://www.owasp.org/
has Top-10 list of vulnerabilities
- 2005: I posted a question to the Zope list about it... looks like you get most of that for free.
- someone else asked specifically about Sql Injection the same day.
has serverless top-10
XSS/Cross Site Scripting http://ha.ckers.org/xss.html
- Aug'2007 rules for parsing
- Sept'2007 filtering and escaping cheat sheet - see the Comments to discover how little agreement there is on these things!
Some Jeff Atwood pieces on web security
- some basics - don't store plaintext passwords, don't use MD5 (and probably not SHA1), use a salt, etc.
- consider using OpenID.
- Use BCrypt or PBKDF2 exclusively to hash anything you need to be secure.
2013: Albert Wenger notes how much risk comes from outside your webapp. In particular hosted email and DNS have proven to be big holes.
Edited: | Tweet this! | Search Twitter for discussion