I wouldn't worry about a thesis topic yet if you're just starting out. Figure out what general areas you're interested in and try to find an adviser that has done some work in that area or a related area. Read papers, work on research projects, and try to publish some papers yourself (probably in collaboration with your adviser or other grad students). Your adviser will help you pick a thesis topic but it will be very specific. Instead of "web applications security" it would focus on some aspect of static analysis, sandboxing, etc. Look at other accepted theses at the school you're attending to see what I mean.
Have you read any of the research being published? Read papers that sound interesting and follow up on the references. You'll eventually carve out a niche where you can do some research of your own.
If you're going to do a Ph.D., make sure you really want to do CS research. There is a huge difference between an IT security job and academic research. If you just want to work in the field, a masters can be good, but your future employers will be looking for applicable job skills. Whether you even do a thesis with your masters probably won't matter. You'll still want to get some certifications to improve your employment prospects. Whether a Ph.D. will help you at all depends very much on what you want to do. If you want to be a researcher at Microsoft, the NSA, Google, a Ph.D. would be awesome. If you want to be an IT security guy, not so much.
BS in IT: Security, CISSP, CEH, EnCE. MS in progress.