has Top-10 list of vulnerabilities
- 2005: I posted a question to the Zope list about it... looks like you get most of that for free.
- Aug'2007 rules for parsing
- Sept'2007 filtering and escaping cheat sheet - see the Comments to discover how little agreement there is on these things!
Some Jeff Atwood pieces on web security
- some basics - don't store plaintext passwords, don't use MD5 (and probably not SHA1), use a salt, etc.
- consider using OpenID.
- Use BCrypt or PBKDF2 exclusively to hash anything you need to be secure.
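The password notes above, worked into code as an added example (not from the Atwood pieces): an unsalted MD5 hash, the pattern being warned against, next to salted PBKDF2-HMAC-SHA256 with a self-describing storage format and constant-time verification. The `pbkdf2_sha256$iterations$salt$hash` record layout and the iteration count are assumptions of this example, not values from the notes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; raise it as hardware gets faster and measure the cost on your own servers.
PBKDF2_ITERATIONS = 600_000


def weak_md5_hash(password: str) -> str:
    """The pattern the notes warn against: unsalted MD5.

    Every user with the same password gets the same digest, so one
    precomputed table (or one cracked account) exposes all of them.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm, iterations, salt and derived key.

    A fresh 16-byte random salt per user means identical passwords no
    longer produce identical records, and rainbow tables stop working.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or legacy record: treat as a failed login
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)
```

Because the iteration count is stored with each record, it can be raised later and old records re-hashed on the user's next successful login.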