This document provides a roadmap for web application security. It notes that web application security is still immature, traditional operations teams do not understand the risks, and companies often struggle to assign responsibility for security to one person due to organizational challenges. The document aims to help companies better manage web application security.