Not every company has consumer data contained within the web applications.

I get that.  Logic fails me, however, when someone tries to explain to me why because they don't have consumer data (or other critical data that can be "stolen" from their applications) they really don't need to pay attention to web application security issues.  Really...

 This news over at InternetNews.com story could be a rude-awakening for some of those folks.  The point is - just because you don't have data to "steal" doesn't diminish the value of your web application as an attack surface.  In fact, the most important principle (other than data) that drives hacking is volume of traffic to your site/application.  A news organization, for example, lives off of driving traffic to the site.  Malware distributors (adware, for example) live off of the same principle because they use those viewers as "drive-by adware install victims"... and thus make their money.  Am I making sense here?

   The bottom line, Web Application Security is a serious business, and not only for those that have to be PCI compliant, or HIPPA compliant, or some other regulation-compliant... and not just for those who have consumer credit card data on their pages... no no - it's for everyone with a web presence because you are a target if you have viewers.