Great article on DarkReading.com -- http://bit.ly/90vL9Y
The core of it is to put developers in charge of security for a web app. Horrors!! Well, given today's developers, that is a scary and risky thing. But I am all for it. Find the right person, full of energy and willing to stay on top of web app security trends, and you have probably the BEST ally for your security-conscious needs.
Here's why:

a) No one knows application development like a dev. Your security analyst can't read all your code and know where a hole might be.

b) A good dev can talk to the security people and find a way to meet their needs from a development perspective.

c) A dev will always get the ear of the other devs. It might take pulling teeth to get the other devs to code securely, but it has a far better chance of working than some security analyst or CISO coming in and dictating how they should code! (It's bad enough that our project management, marketing and PR folks already think they can dictate site design and code to us, as well as the deadlines to meet their needs.)
Companies serious about web application security need to train their developers, pick the best of the bunch, and make them the security analysts for web projects. It is one of the best ways to ensure secure apps.