Ok I know I'm a little early but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them, however read them over and give them some thought.
Rich Internet Applications (RIA) .net 3.0 WPF and Adobe Flex
The next big buzzword is going to be Rich Internet Applications (RIA) even if you don't like it. We haven't seen the end of thick client side applications as Microsoft (in WPF .NET 3.0), mozilla's (XUL) and Adobe (Flex) are going to show us. These RIA applications are going to change the way we use the web there's no doubt, and I'm not just jumping on the hype wagon early. Users will begin to see these applications appear, get used to them and expect them to some extent. RIA is the next AJAX (Double meaning implied :).
XSS, Phishing and Worms will continue
Cross site scripting isn't going away and as a matter of fact is only becoming more and more useful. Worms crossing over to handheld devices wouldn't be surprising. Even worms borrowing CPU cycles to perform a task in a similar fashion to applications like SETI and distributed.net wouldn't be to surprising. Attacking larger communities involving banking transactions with both phishing and XSS utilizing CSRF will begin which is a nice segway to my next prediction.
Cross Site Request Forgery Will emerge
CSRF is in its infancy and is now what XSS was 4 years ago. The power of Cross Site Request Forgery will become apparent once the first site exploited for financial gain reaches the media. Once money theft becomes involved expect regulatory changes including possible compliance guideline changes. Frankly I'm beyond surprised that a web worm hasn't taken advantage of this already.
Web Feed Exploits
I gave a talk last year at blackhat about rss and atom feed vulnerabilities and included it in my list of 2006 predictions (so I had a little inside knowledge big whoop :). Since that talk multiple advisories have been published and people are slowly starting to catch onto the things that you can do with Web Feeds including how they are used. Expect more from this area as well as a potential worm.
The Browser History Theft Business
As I spoke about previously it is possible for a marketer/attacker/person to identify which websites that you've visited, how you got there, and which pages you visited on that website by exploiting functionality in CSS. This can be used by phishers to see which sites you frequent to identify which website they should be phishing next. Expect to hear more about this in the upcoming year. Read this post for more information on what can be done.