I'm a web developer and security analyst. I've held both roles at different times, and switch back and forth regularly.

On the webappsec side, I've done dozens of security assessments (pen testing and code reviews) on a wide range of government, financial, and healthcare websites, as well as a smattering of other industries. I've also taught a fair number of appsec training classes for, among other things, financial companies, software dev shops, and contracted training for the US Air Force.

The hardest part of webappsec is finding the time (read: money and scheduling) to do it right.

On the dev side, I have one-inch-deep experience in a lot of areas, frameworks, and languages, and have deeper experience in C# and the Java / Spring / Hibernate stack.

I'm currently working as lead developer on an enterprise Grails application, which is kinda like Java, but with way more magic.