The last few days I’ve been reading through the first beta of the OWASP Guide to Building Secure Web Applications, trying to find time to submit my comments and corrections. Aside from a section on “scripting” languages that I think is pretty harsh, it’s shaping up into something very good. There’s a large section on phishing that surprised me: I hadn’t considered what I could do as a developer to reduce the likelihood of phishing, beyond user education (which seems hopeless). Good stuff.