Blogger Mike Sutton posted a very concise list of things to look out for in terms of security and web applications:

Top 10 Signs You Have an Insecure Web App

As I mentioned, the canceled CFJUG meeting this month was going to discuss just this. I'm thinking of rescheduling it for the 29th now, and will post when that is confirmed.