The Web Application Security Consortium (WASC) is a professional organization dedicated to measuring risk in web applications and to educating people at every level of web application involvement about those risks. If you just take a look at the Officers listing, you can tell it's a very all-star cast.
Here are a few of the resources on WASC I frequent:
- The WASC Threat Classification lists the common threats against web applications, although it is written from a purely black-box perspective, so no generic fixes are documented.
- Thanks to several of the vendors backing WASC, the Security Statistics section is very valuable when trying to put together high-level justification for a security program, or to measure improvement versus the "internet norm".
- The WASC Mailing List is quite active with Q and A, posts about security products, full disclosure, and discussion of specific attack vectors. If you prefer to just lurk, an RSS feed is available.
- If you're in the Bay Area, WASC has frequent meetups, which you can't miss if you're watching the mailing list or the news links on the WASC site.