Alex,
I have ended up doing application security in various forms for the past 10 years. I started out in security in the Internet Lab research group at Thomson Labs. I then transitioned to product development for another Thomson company. After that I was at Sun Microsystems for 5+ years in the Java Center group of Professional Services. There I consulted to many different customers, large and small, from implementing security in large enterprise applications for financial institutions to working on Jini security for a Navy project.
While at Sun, I worked alongside John Crupi and Danny Malks. It was from their Core J2EE Patterns book that we got the idea to write Core Security Patterns. John had pressured me for some security patterns to add to the second edition of CJP. I completed a chapter but was too late to fold it in. After Sun, I went to a small consulting company and built a large collection application for the U.S. Treasury. A lot of the patterns and best practices came out of that experience. During that time Ramesh and I met, and he really got me to start the book and kept me at it.
In general, my experience is all hands-on, not theoretical. You will find a lot of valuable best practices, pitfalls, and reality checks. Much of this is not just our knowledge, but the collective knowledge of many developers and consultants we have worked alongside over the last 10 years.