Dear Master Monks,
What techiques and tools do you employ when testing your wep applications for security?

I am currently researching techniques/tests for securing an application we are working on (which I think can be applied to any language, and not just Perl) and I think I have found the Top Ten most common methods of breaching security, as listed by the Open Web Application Security Project, namely:

1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management

A few of my random thoughts:

• A lot of big names (bottom of page) use the Top Ten
• The OWASPs Guide looks pretty concise at 293 pages
• I wonder if these tests have to be site specific, or could they be generalised to test a host of sites, and turned into a tool? (No malicious use indended)
• Should nmap and Nessus be in the tool list? I think the are part of the whole approach, but not really geared towards your code.
• There is also the paid for Security Services of Netcraft's audit, amoung others.
• The Open Web Application Security Projects AppSec FAQ looks very helpful too, as well as a few pointers related to PHP (which I think can be applied to any code).
• Have I missed any tools on the CPAN?
• Should I adhere to the ISO 17799 standard?

There are a few techniques listed in An Introduction to Security Testing with Open Source Tools, but I am pretty sure most of you must have been involved with doing this at some stage, and could give me some pointers?

So, my parting question is, "Where do I start?"

Thanks
Gavin.