has "Guide to Building Secure Web Applications"
Aug'2007 rules for parsing
Sept'2007 filtering and escaping cheat sheet - see the Comments to discover how little agreement there is on these things!
Some Jeff Atwood pieces on web security
- some basics - don't store plaintext passwords, don't use MD5 (and probably not SHA1), use a salt, etc.
- consider using OpenID.
- Use BCrypt or PBKDF2 exclusively to hash anything you need to be secure.