With the prominent security breach at Gawker and a major email marketing vendor recently having similar issues, web app security has been brought to the forefront. Web app security is a real challenge because of the continual arms race with crackers and because of all the technology and process issues that come with a large-scale SaaS product.
Here are a few web app security considerations:
- Store passwords only as a one-way salted hash in the database, never in a recoverable form
- Require passwords to be more complicated than simple words (e.g. minimum of eight characters, minimum of one number, minimum of one upper case letter, etc)
- Check the IP address at sign-in: confirm unfamiliar addresses by email before authenticating the user, and support allowed IP ranges
- Enable secondary authentication like PINs and challenge questions to go along with a standard password
- Track failed sign-in attempts and expire passwords based on policies
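As an added illustration of the first, second and last points above (example code, not from the original post), here is a small Python account record that stores a per-user salted PBKDF2 hash, enforces the stated complexity rule and locks the account after repeated failed sign-ins. The iteration count and lockout threshold are assumed policy values.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Assumed policy values for this example; tune them for your own deployment.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5


def password_meets_policy(password: str) -> bool:
    """Minimum eight characters, at least one digit and one upper-case letter."""
    return (len(password) >= 8
            and re.search(r"\d", password) is not None
            and re.search(r"[A-Z]", password) is not None)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means two users
    with the same password end up with different stored hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so response timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


class Account:
    """Minimal account record: salt, hash and a failed-attempt counter."""

    def __init__(self, password: str):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.salt, self.hash = hash_password(password)
        self.failed_attempts = 0

    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def sign_in(self, password: str) -> bool:
        if self.locked():
            return False  # refuse even a correct password once locked
        if verify_password(password, self.salt, self.hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False
```

In a real system the counter and lock state live in the database alongside the hash, and unlocking is tied to the password-expiry and reset policy the post mentions.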
Of course, there are many other considerations, but this is a starting point for web app security. My recommendation is to plan for this type of functionality early in the engineering process.
What else? What other web app security considerations would you add?
A big one for me is input validation. There are a variety of threats in that area to be concerned with. Buffer overflows, SQL injections, and cross-site scripting are just a few.