
There's a lot of good advice here. I'll limit this post to how I learnt. I'd never really read any articles before starting out on my own. For me it was mainly curiosity. I was writing code with a bunch of guys at school, and one of the guys wanted to protect his data (on a shared data store), so he implemented his own encryption scheme. I didn't know anything about encryption, but had access to his source code, so studied his algorithm and managed to build a decoder.

After that I started studying my own programs to see if there were any obvious patterns that someone else could guess. This was before the days of CGI on the web.

My curiosity continued when CGI was growing and I learnt first how to fool a guest counter, and then how to build a more secure one. I started learning Perl and read all the man pages. There was a lot of stuff in there that was like "don't do this because it's insecure". To that end I owe a lot to Larry, Randall, and Tom.

What I learnt from there helped me protect myself against XSS attacks, but also taught me what to look for without needing the source. It was a while before I heard about CSRF attacks. At this point I was interested enough to see what OWASP listed as the top exploits and did some studies on each of them.

At no point have I ever used what I know for malicious purposes.


