Preparing some curricula on web security

Among the other cool things I'm doing this summer is working as a teaching assistant for 1.5 days worth of tutorials on the subject of web security. This is part of my national research group's "summer school" program where we try to give our graduate students more background into other areas of security. I'm working up a list of potential topics so we can get our teaching materials together.

So... What would you want to learn in a short course on web security? What do you wish other people knew about web security?

Here's my brainstorming list, to be updated as new things occur to me:

Attacks

• Overview of the OWASP top 10 / WASC threat classification
  
• XSS (incl. filter evasion techniques and a variety of ways to use XSS for defacement through to more subtle modifications, password/data theft, etc.)
  
• CSRF
  
• SQL Injection
  
• Clickjacking
  

Defenses

• Best coding practices
  
• Web Application Firewalls
  
• Web Vulnerability Scanners
  
• Tainting
  
• Mashup solutions (e.g. MashupOS, OMash)
  
• Policies (e.g. SOMA, BEEP, CSP)
  
• Penetration testing techniques
  

Notes: The tentative plan is to separate things into a hands-on lab tutorial (probably using webgoat) and a set of lectures, mostly running simultaneously. We're going to have some top-notch students here, since we're drawing from a pool of smart security researchers to start, so we can cover a lot of ground and go much further in depth than we might teaching developers with no security background.