WHY THIS GUIDE?
Web security is obviously a very important issue. Unfortunately, this topic is not generally covered in most web development classes or books, and the average web designer/web developer/webmaster without a formal computer science background may not be aware of what they need to know. Most information out there seems to target network administrators or focuses too much on the technical aspects of cryptography. A lot of information is also out of date. Drawing on my own experience as a webmaster, I have tried to assemble security information for the beginning/intermediate level web professional who works for a small to medium web site. Much of the information is still relevant for larger web sites, but aside from typically having more specialized staff, they may use web services (SOAP, XML, etc.) which have more involved security problems. The realm of the wireless web also opens up a different set of concerns, which are mostly beyond the scope of this paper.

DISCLAIMER: It should be noted that this guide is by no means meant to be comprehensive, but merely a jumping-off point for resources to find out more. So don't sue me if you read this and still get your web site hacked into!

The FAQs on the w3.org and OWASP sites (see articles) are probably the single best resources for quick questions. Of the books, O'Reilly's is probably the most complete, and the online class at IWA looks like a good way to get an in-depth overview.