Every major tech firm has an in-house app security or "SDLC" team. But outside of Microsoft --- or, even in some cases at Microsoft --- most people sub crypto design and verification out to people like Paul Kocher's CRI.
It's probably not fair to trace a cryptosystem flaw back to a web app security team.