I've been thinking a lot about web application security and where it fits in the development lifecycle. Obviously, network staff and IT need to set and maintain security policies in general. But, I'm curious: is there a place for developers to assist with defining security policies for web apps? Do developers have the right tools? Do they really want to play a part in the process? What kinds of benefits come from their involvement? How much should they be involved? And, what happens when applications change, necessitating change in the policy definitions?

I'm curious about how you or your organization looks at this challenge. What are you doing to handle web application security? What processes or approaches have worked well for you? Do you have any best (and dare I suggest worst?) practices for success? Post a comment or send me a private email (devcentraleditor@f5.com) with your thoughts. I'll send you an F5 t-shirt for your time and comments.