OWASP
Open WebApp Security Project http://www.owasp.org/
has Top-10 list of vulnerabilities
- 2005: I posted a question to the Zope list about it... looks like you get most of that for free.
- someone else asked specifically about SQL Injection the same day.
has serverless top-10
older notes
XSS/Cross Site Scripting http://ha.ckers.org/xss.html
- Aug'2007 rules for parsing
- Sept'2007 filtering and escaping cheat sheet - see the Comments to discover how little agreement there is on these things!
Some Jeff Atwood pieces on web security
- some basics - don't store plaintext passwords, don't use MD5 (and probably not SHA1), use a salt, etc.
- consider using OpenID.
- Use BCrypt or PBKDF2 exclusively to hash anything you need to be secure.
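Worked example of the advice above, written for these notes rather than taken from Atwood's pieces: the unsalted MD5 scheme the notes warn against next to a salted PBKDF2 scheme with constant-time verification, using only the Python standard library. The iteration count, salt length and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme the notes warn against: unsalted MD5. Every user with the same
# password gets the same digest, and precomputed tables reverse it instantly.
def weak_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Assumed parameters for this example (not from the notes); raise the
# iteration count over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    A fresh random salt per user means two identical passwords produce
    different records, and the stored iteration count lets old records be
    verified after the default is raised."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                 # False
```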
2013: Albert Wenger notes how much risk comes from outside your webapp. In particular hosted email and DNS have proven to be big holes.