Mike Andrews gave a long but light talk at Google, "How to Break Web Software".
It is a nice overview of a lot of web development security issues. It is good for a refresher if you've seen all this before and should be required watching for any web developer who hasn't.
The advice basically comes down to one thing: Never trust the client.
Whether it is form input, URLs, cookies, or XML from AJAX apps, always assume that anything from the web browser needs to be validated, filtered, and verified.
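To make that rule concrete, here is an added example (not code from the talk or from this post) of a request handler that treats every input named above as untrusted: the URL query parameter is range-checked, the form field is matched against an allowlist, and the session cookie is only believed after its HMAC verifies, with the user's role then looked up server-side rather than read from anything the browser sent. The secret, the session table and the helper names are constructed for the example.

```python
import hmac
import hashlib
import re
from urllib.parse import parse_qs

# Constructed secret for this example; a real deployment loads it from config.
SERVER_SECRET = b"example-only-secret"

# Server-side session store (constructed sample data). The role comes from
# here, never from a cookie or form field that the browser controls.
SESSIONS = {
    "sess-4f2a": {"user": "alice", "role": "user"},
    "sess-9c1d": {"user": "root", "role": "admin"},
}

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


class ValidationError(ValueError):
    """Raised when client-supplied data fails server-side validation."""


def validate_username(raw):
    """Allowlist check on a form field: only a known-safe character set."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("bad username")
    return raw


def validate_page(raw):
    """Type and range check on a URL query parameter."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValidationError("page must be a positive integer")
    page = int(raw)
    if not 1 <= page <= 10_000:
        raise ValidationError("page out of range")
    return page


def sign_session_cookie(session_id):
    """Build a cookie value of the form '<id>.<hmac-sha256 hex>'."""
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session_cookie(cookie_value):
    """Check the MAC before trusting the session id carried in the cookie."""
    if not isinstance(cookie_value, str) or "." not in cookie_value:
        raise ValidationError("malformed session cookie")
    session_id, _, presented = cookie_value.rpartition(".")
    expected = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        raise ValidationError("session cookie signature mismatch")
    return session_id


def handle_request(query_string, form, cookies):
    """Validate each client-supplied input and resolve the role server-side.

    query_string: raw URL query, e.g. 'page=3'
    form:         dict of POSTed form fields
    cookies:      dict of cookie name -> value
    """
    params = parse_qs(query_string, keep_blank_values=True)
    page = validate_page(params.get("page", ["1"])[0])
    username = validate_username(form.get("username", ""))
    session_id = verify_session_cookie(cookies.get("session", ""))
    session = SESSIONS.get(session_id)
    if session is None:
        raise ValidationError("unknown session")
    # Any 'role' the client sent in the form or cookies is deliberately ignored.
    return {"page": page, "username": username, "role": session["role"]}


if __name__ == "__main__":
    # Legitimate request: the browser-supplied role=admin is not honoured.
    cookies = {"session": sign_session_cookie("sess-4f2a"), "role": "admin"}
    print(handle_request("page=3", {"username": "alice_1", "role": "admin"}, cookies))
    # Tampered cookie: the session id was changed without re-signing.
    try:
        handle_request("page=3", {"username": "alice_1"}, {"session": "sess-9c1d.0000"})
    except ValidationError as err:
        print("rejected:", err)
```

The same pattern extends to XML or JSON bodies from AJAX calls: parse with a strict parser, then run each extracted field through an allowlist or range check before it touches a database, a file path, or a template.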
Mike expected web security issues to get worse with increased use of AJAX, both because it moves more processing out to untrusted clients and because there is a lot more data flying back and forth between client and server.