Here are the notes from my presentation at Refresh the Triangle in December 2007 on web application security.