Just to help keep you learning about this stuff, here is what sounds to be a really great SANS webcast on XSS and CSRF "taking over the world". Seriously, you have to hear stuff like this one. If it is anything like what it sounds like it will be, it will be worth it to have the pants scared off you. Yeah, sure, watch it nowhere near coworkers then...it is rough to pick up your pants around them and have to explain your being scared.
But seriously, the whole battle is to keep yourself educated and acting on what you learn. I am telling people "CSRF is scary and should be taken seriously". It is #5 on the OWASP Top 10 Risks for 2010, but for me it is #3, behind XSS then SQLi. And I know, I switched XSS to #1. Injection is a huge risk, but XSS is the foundation behind all these crazy attacks. Stop XSS and a boatload of attacks are stopped.
In a New England GiveCamp talk I gave to developers and non-profits over the weekend, one attendee asked about how to stop the attack where they drop off mini VNC on your machine. I have to reiterate here -- I don't care what they drop off and I don't stay on top of what the flavors of attack are. It is irrelevant, frankly. The question was a good one, and I'm not in any way knocking his train of thought. But step back for a sec and see that these dangerous things are being left on our sites through an open door. Stop XSS and they can't do that anymore. We have to stop looking at who is knocking on the door and trying to figure out if they are a good guy or bad guy. Stop XSS and deny whatever isn't whitelisted on your site. Be a good maitre d' and only allow in those folks on the list, whether during input validation or some other function of input.
Speaking of GiveCamp (#negc2010 on Twitter), it was a very rewarding and satisfying experience as a web developer. But I have to admit I was disappointed in the turnout to my talk. Granted, people were cranking on Saturday morning at 9 am...but take 30-40 min to hear about web security, right? Out of the 150 or so people there, I had I think 10. I didn't count but it was around that. Security just isn't given the nod it needs to have, and we will continue to code crappy software. That being said, I know the folks on one team and they are security-conscious and really didn't need to go. But how many others built sites that fall short?
All I know is I better not hear excuses...