Just saw this "A Guide to Building Secure Web Applications, Version 1.1" on slashdot. You might want to wait a little while before looking at it... it' probably getting /.'ed right now. http://www.owasp.org/guide/ -dc