Recently, my colleague Rohit Sethi and I presented JSF Security at Source Conference in Seattle. Among other things, we discussed JSF input validation using the Reference Implementation (Mojarra), Apache MyFaces, and using JSF 2.0.  We also covered integrating OWASP ESAPI into a JSF application to protect against authorization attacks and CSRF. Presentation slides and a video have now been posted.  Enjoy!