Informal, ad hoc survey of web app/server security issues: audit checklists, best practices, standards, including design, implementation, and security assessment (but not policies so much). (April, 2011)

Audit checklists:

Vulnerabilities of web apps and web server systems, some infrastructure vulnerabilities, and some controls: not exhaustive. Some overlap between areas/names.

By organization:

less useful for my needs: