As a consultant working with MySQL, I learned a lot about MySQL. I got deep into MySQL. But I did not often get a broad sense of the entire application ecosystem. Now that I work in-house, I can focus on the breadth. And especially working at Mozilla, I am in contact with many, many developers working on many different applications. One Mozilla developer whom I respect greatly is James Socol, and his blog series on web application security is an excellent example of why he has earned my respect.
For those who want an overview, the articles (which are not all yet written) range over many topics:
Basics: locking your car doors.
XSS: Cross-Site Scripting
CSRF: Cross-Site Request Forgeries
Injections, SQL and Otherwise
Session Fixation and Hijacking
Click-jacking and a little Phishing
Stay Up to Date
Advanced: Some gotchas from my experience and some things you may well see.
Bots: Spam, Brute-force, and User Experience
What browsers are doing to help.
Content Security Policy
Do Not Track
I think everyone involved in a web application should understand this series!