I have long been of the opinion that the time and resources it would take to write a piece of malicious software, of whatever type, could better be spent on other things. However, as a developer I am constantly worried about the possible security flaws in systems I work on.

Of course I know about validating input, I understand fully how code and sql injection can work and obsessively sanitise against these risks. Also, whenever I am able, I bone up on new security risks with whatever resources are to hand (e.g. articles, whitepapers, presentations etc.) but I often feel I’m missing the point, maybe because most of my knowledge could well be classed as ‘new-fangled’ (C#, MSSQL, PHP, some Python, a smattering of Ruby): the oldest language I know is Classic ASP.

Sometimes when I read about things like Cross Site Scripting and URL hijacking I read the articles upon which they are based but I feel like I’m not following 100%.

What are the best resources you know to get to grips with security concerns and really understand how they work? Could be anything, books, websites, other types of resource. I know I don’t know enough about these issues so where could I go to learn more?