Other Resources You Should Use: WASC

The Web Application Security Consortium (WASC) is a professional organization dedicated to measuring risk in web applications, and educating people in all levels of web application involvement on those risks. If you just take a look at the Officers listing, you can tell it's a very all-star cast.

Here are a few of the resources on WASC I frequent:

• The WASC Threat Classification lists the common threats against web applications, although it is approached from a 100% black-box approach, so there are no generic fixes documented.
• Thanks to several of the vendors backing WASC, the Security Statistics section is very valuable when trying to put together high-level justification for a security program, or to measure improvement versus the "internet norm".
• The WASC Mailing List is quite active with Q and A, posts about security products, full disclosure, and discussion of specific attack vectors. If you prefer to just lurk, an RSS feed is available.
• If you're in the Bay area, WASC has frequent meetups, which you can't miss if you're watching the mailing list or the news links on the WASC.

For the statistics alone, WASC is worth a pretty frequent visit. Because of vendor participation, (most notably WhiteHat Security), there are really good metrics that you can refer to for comparing measurements.