Just a quick post to let you know about an excellent security policy resource I have found. Mozilla have published a set of Web Application Security Guidelines. This is an excellent document. If you are a developer, then you should be familiar with all of these issues and should use this as a checklist. If you manage a web development team, then you should consider building this into your in-house standards. Finally, if you are a business person who commissions web development projects, then I suggest that you seriously consider making compliance with this set of guidelines mandatory the next time you give a developer a contract.