RIA web application can built with any front end technology like AJAX, Java, Silverlight or FLEX/FLASH
End user authentication can be strong (with physical token based OTP, SMS based OTP, or iTAN list) or just UID/PW (enhanced with SRP, or Digest)
Web application state should not be stored on the client but only a pointer to the server side stored storage should be passed (encrypted) out to the client, for example as a cookie or as POST parameter
All input validation that is done on the client needs to be redone on the server
Malicious entities try to exploit software bugs in the Web server
Denial of service (DoS) attacks may be directed to the Web server
Compromises through command injection attacks
The server may be used as a distribution point for attack tools, pornography, or illegally copied software.