This paper should be required reading for anyone developing, deploying, or administering web applications.
It's also interesting to read the perspective of the folks operating the compromised webapp (details are in the section titled "Digital Vote-By-Mail" on pages 34 to 38).