Security for a web app is about understanding that people will be breaking your system and hacking your system, so the goal is to reduce what will be able to be hacked, control the fallout at each stage, control the separation of duties between the web developers, database admins, and says admins with root, and alerting when anything happens on a system.
Security is only as good as your ability to make it work without any one person trusting the other. The system has to be built on lack of trust of any one person in the system. You have to assume that some new-hire is going to a potential problem.
Social engineering or internal crime rings are way worse of a problem for "secure sites" then a hole in some java code.
But with that said, the way you make a secure site starts with a multi-tiered approach having web front ends, an application tier, and a backend database.
Separation of the web front ends, which you assume will be hacked. You remove any and all potential vulnerabilities, services, processes running unnecessarily, compilers, and anything else not necessary to run your web application. Put in place a high alerting system triggered whenever anything changes on a system and potentially rebuilds the servers upon reboot at the most extreme end of things. Have the network rules setup to only allow the single application port from the web servers to the application servers. Don't allow any other traffic.
Next the application layer has a similar lock down removing anything and everything not required to run your app. Only allow the network traffic for the specific ports for the database from the application server.
On the database server maintain adoquite backups and lockdown proceedures for all data.
With all that said, your application needs to go through a security review with several people making sure you're not doing stupid stuff such as: making system calls leveraging variables supplied by end users, make sure to verify every one of the users inputs scrubbing any potential SQL injection, and make sure to double and triple check any time input is leveraged by the user along with a system call, database call, and of opening files or pipes or anything of the sort. The use input is where the hacking takes place.
Anyway, that's how it's done by the big boys. Good luck.