Application security ought to be automatic for all developers, but too often it becomes secondary to meeting frantic deadlines and making the customer happy. After all, clients do not see security, but they do see that the submit button is 3 pixels too small.

Writing more-secure code is not hard. It just requires a bit of thought, and the use of standard functionality and libraries, regardless of the language used. No application is 100% secure since the security landscape changes too quickly. I believe we can write more-secure applications, which are designed to make it easier to adapt to new vulnerabilities and approaches to security.

To start with, listed below are web application security resources I consult often. This list may grow.


OWASP Top Ten Project
OWASP is the go-to spot for web application security. Their top 10 list of security issues was updated in 2013, from the previous 2010 version.
Jason Dean's Blog
Jason wrote a very good series of entries on application security.
Pete Freitag's Blog
Pete often writes about security topics related to ColdFusion.