OWASP

Open Web Application Security Project

http://www.owasp.org/index.jsp

has "Guide to Building Secure Web Applications"

has a Top-10 list of vulnerabilities

  • I posted a question to the Zope list about it... looks like you get most of that for free.

XSS/Cross Site Scripting http://ha.ckers.org/xss.html

  • Aug'2007 rules for parsing

  • Sept'2007 filtering and escaping cheat sheet - see the Comments to discover how little agreement there is on these things!
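The disagreement in those comments mostly comes down to output context: the same escaping routine is fine between tags and inside a quoted attribute but fails in an unquoted attribute. An added example (mine, not from the cheat sheet or this page) that feeds constructed payloads through Python's stdlib escaper and re-parses the result with html.parser to see what the browser-side tag/attribute structure would be:

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample payloads (not taken from ha.ckers.org or the page).
SAMPLES = {
    "tag_breakout": "<script>alert(1)</script>",
    "attr_breakout": '" onmouseover="alert(1)',
    "unquoted_attr": "x onmouseover=alert(1)",
}


def escape_text(s: str) -> str:
    """Escape for element content or a *quoted* attribute value.
    html.escape turns < > & " ' into entities but leaves spaces and '='
    alone, which is why it is not enough for an unquoted attribute."""
    return html.escape(s, quote=True)


def escape_attr(s: str) -> str:
    """Context-specific attribute escaping: every character outside
    [A-Za-z0-9] becomes a numeric entity, so the value cannot terminate
    the attribute or start a new one even if the template forgot quotes."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group(0)):X};", s)


# Three templates standing in for places a webapp might echo user input.
def render_text(value: str) -> str:
    return f"<p>{value}</p>"


def render_quoted(value: str) -> str:
    return f'<input value="{value}">'


def render_unquoted(value: str) -> str:
    return f"<input value={value}>"


class TagCollector(HTMLParser):
    """Records every start tag and its (already entity-decoded) attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Return [(tagname, {attr: value}), ...] as html.parser sees the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    cases = [
        ("text, raw", render_text(SAMPLES["tag_breakout"])),
        ("text, escape_text", render_text(escape_text(SAMPLES["tag_breakout"]))),
        ("quoted attr, escape_text", render_quoted(escape_text(SAMPLES["attr_breakout"]))),
        ("unquoted attr, escape_text", render_unquoted(escape_text(SAMPLES["unquoted_attr"]))),
        ("unquoted attr, escape_attr", render_unquoted(escape_attr(SAMPLES["unquoted_attr"]))),
    ]
    for label, markup in cases:
        print(f"{label:28} {markup!r:60} -> {parse_tags(markup)}")
```

The telling row is the unquoted attribute: escape_text leaves `onmouseover=alert(1)` as a second, live attribute, while escape_attr keeps the whole payload inside `value`. The real fix is to always quote attributes in templates; the aggressive escaper is the belt to go with those braces.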

Some Jeff Atwood pieces on web security

  • some basics - don't store plaintext passwords, don't use MD5 (and probably not SHA1), use a per-user random salt so that two users with the same password don't get the same hash, etc.
  • consider using OpenID.
  • Use BCrypt or PBKDF2 for password hashing; both have a tunable work factor, so each guess against a stolen hash costs the attacker real time instead of nanoseconds.
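An added example (mine, not Atwood's code) of what those bullets amount to in practice, using only the Python stdlib: PBKDF2-HMAC-SHA256 with a random per-user salt and an encoded work factor, a constant-time verify, and an unsalted-MD5 function kept only to show why it fails. The iteration count and the `pbkdf2_sha256$iters$salt$hash` storage format are my assumptions, not anything the page specifies.

```python
import hashlib
import hmac
import os

# Assumed default work factor; tune so hash_password takes ~100 ms on your
# hardware, and raise it over time (see needs_rehash).
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def unsalted_md5(password: str) -> str:
    """The anti-pattern: fast, unsalted, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algo$iterations$salt_hex$hash_hex.
    A fresh 16-byte salt per call means two users with the same password
    get different records, so a leaked table cannot be cracked once for all."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the comparison itself leaks no timing information."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGO or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with a weaker work factor than the current
    default; call this after a successful login and re-store the password."""
    try:
        algo, iters, _salt, _dk = stored.split("$")
    except ValueError:
        return True
    return algo != ALGO or int(iters) < ITERATIONS


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("md5 user1:", unsalted_md5(pw))
    print("md5 user2:", unsalted_md5(pw))  # identical -> rainbow tables work
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("pbkdf2 user1:", rec1)
    print("pbkdf2 user2:", rec2)  # different salt -> different record
    print("verify ok:", verify_password(pw, rec1), "wrong:", verify_password("Correct horse", rec1))
```

bcrypt, scrypt or Argon2 do the same job with better resistance to GPU cracking; PBKDF2 is shown here only because it needs no third-party package.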

Albert Wenger notes how much risk comes from outside your webapp. In particular hosted email and DNS have proven to be big holes.

