Security in web applications is important because all interactions pass over public networks. Security should also be looked at from the perspective of risk management: there are no foolproof solutions. The more secure we want an application to be, the more layers of security we need to apply, which in turn means more money and effort, and usually some reduction in the application's performance.
So define the level of security the application needs before venturing out to find a solution. A newspaper site using two layers of encryption to send data across the wire is overkill, but a banking site that relies on credential authentication alone while sending data with weak encryption is an invitation to attackers. Defining the level up front also matters for justifying the resources invested in security. Also make sure the customer shares the development team's perception of how much security is needed.
The two most important security aspects (others can be looked up on the http://www.owasp.org/ site) are:
- Authentication and authorization - protected resources can be accessed only by users who present the right credentials (authentication) and are permitted to access them (authorization).
- Transport layer security - to what level the data should be encrypted while travelling on the wire. Maybe it does not require encryption at all.
Another way to identify the security level needed is to understand the ramifications of a security breach, and then to understand the trade-offs involved.
Another aspect of robust security is to adopt a holistic approach. The application may have a credential-handling system and 256-bit transport encryption, but if the end user has unknowingly installed key-logging software, everything goes for a toss. There is a classic saying that a chain is only as strong as its weakest link. Security requires not only implementing it in the code layer but also making end users aware of the other aspects of security. If someone has a tendency to write his username and password on the back of a cigarette packet, no one can save him, certainly not your 512-bit encryption. This should be a good motivation to quit smoking.
To sum up, the approach to security should be holistic and based on an understanding of the right level. If you talk to a security vendor, I am sure he or she will convince you that doomsday is tomorrow.
Top ten security issues in web applications: http://www.owasp.org/