2600 - An oldie but a goodie. 2600 is not professional by any stretch but the technical content is generally top notch. They often go far off the beaten path as well with articles about hacking POS systems and HVAC systems.
Sla.ckers.org Full Disclosure Forum - The Slackers Full Disclosure forum has quickly become the place for disclosing vulnerabilities in web sites. The biggest thread is the Cross Site Scripting disclosure thread titled simply “So it begins”. If your company has a site on the web you should monitor this forum to try to get a little bit of a head start should a vulnerability be disclosed on a web site you are in charge of.
XSSed.com - Similar to the Slackers full disclosure list but focuses on XSS (Cross Site Scripting) One nice feature is you can sign up for alerts so if someone post an XSS vulnerability on a domain you own, you will get an email. Perhaps someone at Yahoo should sign up.
Full Disclosure List - Pretty much the bleeding edge of vulnerability disclosure. Traffic is decreasing as more and more 0 days go private. Still a good list to watch for when the few remaining good guys disclose.
BlackHat Security Conference - This conference has been around for a long time but still maintains a high speaker quality. You are guaranteed at least one major disclosure or media frenzy per show.
CanSec West - From our good brothers to the north. Great, technically focused content. Has lately become as good, perhaps slightly better than BlackHat in content, still lacks in the vendor sponsored party category though.
OWASP - Since I helped found it I have to plug it. I left a long time ago and those that have come since me have built a great resource for those interested in Web Application Security.
Security Catalyst - I just joined this forum a couple of months ago. This site stands out on this list because it is not technically focused but deals more with the challenges of being a security manager/engineer. Great resource for asking those nagging compliance questions.
Google Hacking Database - Google “hacking” has been around for a while but it still works quite well. Again if you have a web presence you need to be doing these searches on your domains before someone else does.
CGI Security - The mother ship of Web Application Security news and resources. Home of the XSS FAQ. I know it is in my blogroll but really who looks at that?
