[tptacek]

The Web App Hacker's Handbook is the gold standard for web security books.

The Tangled Web is a good primer on browser security, which is a deeper topic.

The OWASP Top 10 is worth knowing because it's a widely recognized metric, but OWASP itself is not an especially great resource.

[dsacco]

To add some color to this great suggestion - The Web Application Hacker's Handbook is a better resource for learning to break web applications than for learning to build them properly. It will teach you every about almost every vulnerability that can be classified and how to find it.

The Tangled Web is better for learning the underlying causes of various issues presented in the former book and for learning how to prevent them. It has excellent, practical checklists at the end of every chapter for anyone building an application.

[falcolas]

Understanding how to hack something is (arguably the most) important knowledge for a securing that something. If you don't know how it can break, how can you fix it?

[JoachimSchipper]

If you don't know that something can break, it's hard to get it right. But I have many colleagues who've never exploited a buffer overflow, but who still do a fine job of counting their bytes. High code quality and coding patterns that reduce mistakes are really important; knowing a little about exploitation is useful to judge impact and to design anti-exploit defenses, but don't overestimate the impact - defenders' time is often better spent elsewhere. (Of course, hacking is sexy.)

(I write high-security software. )

[tptacek]

He doesn't disagree with you; he's a professional pentester.

[exceptione]

The Web Application Hacker's Handbook does get quite some bad reviews though on Amazon. The book seems to rely on the commercial offerings of the author, like the Blurp software and online material for which he charges by the hour.

[tptacek]

Ignore those reviews. In reality, Burp is to web application security what Photoshop is to graphic design. There are alternatives, and people do use them, but if they do it's because they already know how to do the job.

Burp is the industry standard. It's also a criminally underrated dev tool. If you're getting paid to build web applications, you should own a license.

[wglb]

I think the reviews are off the mark, as you can go a substantial distance with the free version of burp, and none of the material strictly depends on burp--any intercepting proxy will do.

Similarly, the online stuff is totally optional, and none of the master WAHH crafstmen I know have needed that in the slightest.

It is pretty clear in reading those reviews that a person can, with no investment of time or effort, write bad reviews about anything.

It takes effort and energy to get the most out of WAHH, and you can do it without spending an additional dime.

[exceptione]

Thanks for clearing that up!

[phaus]

The online material is a virtual lab where you can test out the things you learn in the book by breaking actual web applications. Technical books on niche subjects rarely leave the authors rolling in money, so it would be pretty silly to expect the labs to be free.

If you are too cheap to spend $7 an hour, you can set up a vulnerable VM and accomplish the same thing for free.

[tptacek]

We told Matasano candidates to do this, and how to do it and what to run, and it seemed to work pretty well for people.

[jradd]

In addition to Web App Hacker's Handbook, I would like to recommend "Gray Hat Hacking The Ethical Handbook" (3rd or 4th Ed.) Focuses on the attack and defense in equal light.