Although not a bad book as such, I found it to be annoying. That's because the subtitle “A guide to securing modern web applications” lies. It is not a book for developers.
I disliked the long-winded descriptions and the author's know-it-all tone. Among all those details the book only hints at the attack scenarios themselves and does not provide a developer with much information on how to protect against them.
Zalewski's clear, often humorous, always broad and superbly documented "archaeology" of the web had a sanitizing effect on my understanding that standard security books do not provide. As he walks you down and around the paths, decisions, insights and mistakes (and mistakes and mistakes and mistakes) that made the web so tangled, he not only provides much useful information on, and "an attitude" towards, security, but may in fact untangle a web-tangled understanding of somewhat confusing issues. To top it all, it's a great read - I hardly felt I was reading something so technical. Highly recommended.