Several weeks ago Joris Evers (CNET) hosted a web security podcast with Danny Allan (Watchfire), Jeremiah Grossman (WhiteHat Security), and Michael Sutton (SPI Dynamics). The discussion revolved around comparing old with new: Microsoft vs. Google/Yahoo, desktop security vs. web security, and traditional attacks vs. Web 2.0 attacks. Basically, are the problems the same as always, or are we dealing with brand new threats?
For my part, I think the best practices are the same ol' input validation issues we've always had. Attacks like XSS, CSRF, and SQL Injection are certainly unique. What's also different is the scale of the problem and its potential impact. At no time in history has software (web applications) been available to 1 billion people.