The 80/20 Rule for Web Application Security
The 80/20 Rule for Web Application Security / Jeremiah Grossman
http://www.webappsec.org/articles/013105.html
Addendum: I learned about the cookie httpOnly flag for the first time. Apparently it is supported not only by MSIE but also by Mozilla/Firefox and Konqueror.
http://seclists.org/lists/webappsec/2004/Jul-Sep/0415.html
END-TO-END ARGUMENTS IN SYSTEM DESIGN
END-TO-END ARGUMENTS IN SYSTEM DESIGN / J.H. Saltzer, D.P. Reed and D.D. Clark
http://www.reed.com/Papers/EndtoEnd.html