Top 10 2007-References

OWASP Projects
OWASP is the premier site for web application security. The OWASP site hosts many Category:OWASP_Project projects, forums, blogs, presentations, tools, and papers. OWASP hosts two major web application security conferences per year, and has over 80 local chapters.

The following OWASP projects are most likely to be useful:


 * OWASP Guide to Building Secure Web Applications
 * OWASP Testing Guide
 * OWASP Code Review Project (in development)
 * OWASP PHP Project (in development)
 * OWASP Java Project
 * OWASP .NET Project

Books
By necessity, this is not an exhaustive list. Use these references to find the appropriate area in your local bookstore and pick a few titles (including potentially one or more of the following) that suit your needs:


 * [ALS1] Alshanetsky, I. “php|architect's Guide to PHP Security”, ISBN 0973862106
 * [BAI1] Baier, D., “Developing more secure ASP.NET 2.0 Applications”, ISBN 978-0-7356-2331-6
 * [GAL1] Gallagher T., Landauer L., Jeffries B., "Hunting Security Bugs", Microsoft Press, ISBN 073562187X
 * [GRO1] Fogie, Grossman, Hansen, Rager, “Cross Site Scripting Attacks: XSS Exploits and Defense”, ISBN 1597491543
 * [HOW1] Howard M., Lipner S., "The Security Development Lifecycle", Microsoft Press, ISBN 0735622140
 * [SCH1 Schneier B., “Practical Cryptography”, Wiley, ISBN 047122894X
 * [SHI1] Shiflett, C., “Essential PHP Security”, ISBN 059600656X
 * [WYS1] Wysopal et al, The Art of Software Security Testing: Identifying Software Security Flaws, ISBN 0321304861

Web Sites

 * OWASP, http://www.owasp.org
 * MITRE, Common Weakness Enumeration – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html
 * Web Application Security Consortium, http://www.webappsec.org/
 * SANS Top 20, http://www.sans.org/top20/
 * PCI Security Standards Council, publishers of the PCI standards, relevant to all organizations processing or holding credit card data, https://www.pcisecuritystandards.org/
 * PCI DSS v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
 * Build Security In, US CERT, https://buildsecurityin.us-cert.gov/daisy/bsi/home.html