I had one small issue with the book, and that involved its introduction to Microsoft's STRIDE model. I blogged about this years ago in Someone Please Explain Threats to Microsoft. The Web sec book says on p 36:
STRIDE is a threat classification system originally designed by Microsoft security engineers. STRIDE does not attempt to rank or prioritize vulnerabilities... instead, the purpose of STRIDE is only to classify vulnerabilities according to their potential effects. This is immensely useful information to have when threat modeling an application...
To see my critique of STRIDE, please see my linked post. Basically, STRIDE is best described as "bad stuff," and includes a mix of attacks and vulnerabilities with no real "threats."
Nevertheless, if you're looking for a compact and detail-packed exploration of Web application security, take a look at Web Application Security: A Beginner's Guide.
By the way, I've written a lot about confusing terms like "threat," "vulnerability," "risk," etc. over the years. One of my earliest posts provides background -- The Dynamic Duo Discuss Digital Risk if you are so inclined.