I already had some security background but in the last few days I’ve learned a LOT! The reason I stopped learning about security the last time I got interested (years ago) was because it was so overwhelming. There is no way to win. If someone wants into your site badly enough, they can get in. However, there are also tons of easy ways in (listed on hacker websites for any 12 year old with a computer to try out) that are often overlooked. I knew about a lot of those but I’m discovering that was just the tip of the iceberg.
I found a program today at http://www.acunetix.com/ that scans your site and reports on vulnerabilities. The full version is extremely comprehensive and seems well worth the money. Unfortunately, they want a lot of it! $1500 for a single site licence, $3500 for developers/designers.
They also have a FREE version that only checks for Cross Site Scripting (XSS) vulnerabilities. I ran that just to check out the software and it said my ecommerce site was secure. HOWEVER, it found a whois script I had forgotten I had even written on my main site that was insecure. Thanks to that program and a few quick htmlentities() calls around some POST variables, the scanner reported that the vulnerability was corrected.
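To show what that kind of fix looks like in practice, here is an added example of a small whois lookup form, written for this page and not the author's actual script. It assumes a form that POSTs a `domain` field and a page that echoes the submitted value back next to the lookup result; the payload string, the `render_vulnerable`/`render_safe`/`whois_lookup` function names and the domain regex are all illustrative choices made here. It also goes one step beyond the original fix: if a whois script shells out to the `whois` command, HTML-escaping the output does nothing for the shell, so the domain is validated and passed through `escapeshellarg()` as well.

```php
<?php
// Added example (not the original whois script). Demonstrates reflected XSS in
// a whois lookup page and the htmlentities() fix, plus shell-argument hygiene.

// BEFORE: the submitted domain is written straight into the HTML response.
// Submitting  <script>alert(document.cookie)</script>  as the domain
// reflects the script tag to anyone who loads the resulting page.
function render_vulnerable(string $domain, string $result): string
{
    return "<p>Whois results for " . $domain . "</p>\n"
         . "<pre>" . $result . "</pre>\n";
}

// AFTER: every untrusted value is HTML-encoded for the context it lands in.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// attribute values delimited with either quote character.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(string $domain, string $result): string
{
    return "<p>Whois results for " . h($domain) . "</p>\n"
         . "<pre>" . h($result) . "</pre>\n";
}

// The lookup itself. htmlentities() protects the browser, not the shell: if the
// script runs whois(1), a domain such as  example.com; rm -rf /  must never reach
// shell_exec() unescaped. The regex (an assumption here) is a strict allowlist
// for hostnames; escapeshellarg() is the second line of defence.
function whois_lookup(string $domain): ?string
{
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')+$/i', $domain)) {
        return null; // reject anything that is not a plain hostname
    }
    $output = shell_exec('whois ' . escapeshellarg($domain) . ' 2>&1');
    return $output === null ? null : $output;
}

// Request handling: read the POST field, look it up, render the safe version.
$domain = (string) ($_POST['domain'] ?? '');
$result = $domain !== '' ? whois_lookup($domain) : null;

if ($domain === '') {
    $body = "<p>Enter a domain to look up.</p>\n";
} elseif ($result === null) {
    $body = "<p>Not a valid domain name: " . h($domain) . "</p>\n";
} else {
    $body = render_safe($domain, $result);
}

header('Content-Type: text/html; charset=UTF-8');
echo "<!DOCTYPE html>\n<html><head><meta charset=\"UTF-8\"><title>Whois</title></head><body>\n";
echo "<form method=\"post\">\n"
   . "  <input type=\"text\" name=\"domain\" value=\"" . h($domain) . "\">\n"
   . "  <button type=\"submit\">Lookup</button>\n"
   . "</form>\n";
echo $body;
echo "</body></html>\n";
```

Two points worth checking after a fix like this: the encoding has to match the output context (`htmlentities()` is right for HTML element and attribute content, but a value dropped into a `<script>` block or a URL needs different treatment), and the character set passed to `htmlentities()` should match the page's declared charset, otherwise multi-byte input can be mangled or, on old PHP versions, silently dropped.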