These days we mostly send The Web Application's Hacker's Handbook and a link to microcorruption. (We do somehow get candidates which haven't heard of microcorruption.) Generally, we continue to endorse Tom's Amazon reading list: http://www.amazon.com/An-Application-Security-Reading-List/l...