While no doubt OWASP has earned the prestige of being the #1 AppSec resource, there are many other good information sources across the web that I have collected over the years that have been very helpful to me and to others with whom I have shared them. I especially enjoy a blog that explains things simply and clearly while at the same time being technically correct. Below is a list of my favourite such resources. I am greatly appreciative to those who can reciprocate with their own list.

Blogs / General AppSec

Certificate Pinning

Cookie Security

CORS

Do you Really Know CORS? – The best description of CORS that I have seen

Cross Site Scripting

DOM-based XSS – The 3 Sinks – Best explanation of how writing untrusted data to document.location can lead to XSS

Cryptography

Deserialization

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability – Very insightful explanation of Java deserialization vulnerabilities, how to identify them, and how to exploit them

DevSecOps

HTTP Security Headers

Input Validation

Validating Input – This is old, but is a classic. For more recent guidance, see the Martin Fowler website blog on The Basics of Web Application Security (linked above)

JWTs

Logging

Application Security Logging and Monitoring – The Next Frontier – Not only tells you what not to do, but also what to do

Mobile Security

OWASP Mobile Security Test Guide – Extensive and thorough, really helps to understand mobile security

Android WebView: Secure Coding Practices – Excellent guide on the dangers of Android WebViews and how to protect against various abuses

OAuth

An Illustrated Guide to OAuth and OpenID Connect – Most people want to dive into the technical details of OAuth before they really understand its purpose. Slow down, read this, and then you will have a better insight into the complex protocol

Passwords

PHP

Race Conditions

Server Side Request Forgery

SSL/TLS

SQL Injection