Archive for the 'Web Applications' Category

What’s Behind That Flash?

The first step is to decompile the .swf file and extract as many resources as possible.

Web application security resources

These are the best online resources in web application security:

Pantera - A Web Assessment Studio

OWASP is happy to announce the first release of OWASP Pantera - Web
Assessment Studio. Pantera is a mix between a pentest proxy, an application
scanner, and an intelligent analysis framework. Pantera’s goal is to leave
the analysis and automatic (repetitive) stuff to the engine, leaving only
the important decisions to the security expert.
Great tool!
OWASP Pantera Web […]

OWASP Testing Guide V2

The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. Everything here is free and open source.
OWASP has released the Security Testing Guide v2. At 270 pages, this guide is already a must-have for most developers and penetration/application testers, but we want to take it one step […]

Hacking the Intranet with JavaScript Anti-DNS Pinning

An ingenious way of breaking the same-origin policy by undermining DNS pinning:

Web Application Firewall for HTTP/HTTPS

An open source application layer firewall for HTTP/HTTPS. It works as a reverse proxy server. It analyzes all HTTP/HTTPS traffic against rule-based signatures and protects web servers and web applications from attack.

The Cross-site Request Forgery FAQ

The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw.

Automated Scanner vs. The OWASP Top Ten

An interesting article on automated vulnerability scanners and the limitations of these tools in finding real-life web application vulnerabilities.

SecurityFocus Article - PHP apps: Security’s Low-Hanging Fruit

The following column was published on SecurityFocus today:
PHP apps: Security’s Low-Hanging Fruit
by Kelly Martin
published 2007-01-08
PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here’s how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems […]
