Microsoft Technet has an excellent article:
Ten Tips for Designing, Building, and Deploying More Secure Web Applications
Here are the ten tips covered in that article:
- Never Directly Trust User Input
- Services Should Have Neither System nor Administrator Access
- Follow SQL Server Best Practices
- Protect the Assets
- Include Auditing, Logging, and Reporting Features
- Analyze the Source Code
- Deploy Components Using Defense in Depth
- Turn Off In-Depth Error Messages for End Users
- Know the 10 Laws of Security Administration
- Have a Security Incident Response Plan
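As an added illustration of the first, sixth, eighth and eleventh tips (this is example code written for this page, not code from the Technet article), the snippet below contrasts a lookup that splices user input into SQL with a parameterized one, puts an allowlist check in front of the input, and shows an error handler that logs the real exception for auditing while returning only a generic message to the end user. It uses Python's built-in sqlite3 module with a constructed in-memory table as a stand-in for SQL Server; the function and table names are invented for the example.

```python
import logging
import re
import sqlite3

logger = logging.getLogger("webapp")

# Constructed sample data standing in for the real user table.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]

# Allowlist for usernames (tip 1): reject anything outside a tight character set
# instead of trying to strip "dangerous" characters out of arbitrary input.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

GENERIC_ERROR = "Your request could not be processed."


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def valid_username(value: str) -> bool:
    """Tip 1: accept only what the application expects, never 'clean up' the rest."""
    return USERNAME_RE.fullmatch(value) is not None


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: user text becomes part of the SQL statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Tip 6: parameterized query; the driver passes the value separately from the SQL."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


def handle_lookup(conn, username, query_fn, detailed_errors=False) -> dict:
    """Request handler combining tips 1, 8 and 11.

    Rejects input that fails the allowlist, logs any database failure with full
    detail for auditing (tip 8), and returns a generic message to the caller
    unless detailed_errors is enabled (tip 11 says it must be off for end users).
    """
    if not valid_username(username):
        logger.warning("rejected username %r", username)
        return {"ok": False, "error": "Invalid username."}
    try:
        return {"ok": True, "users": query_fn(conn, username)}
    except sqlite3.Error as exc:
        logger.error("lookup failed for %r: %s", username, exc)
        if detailed_errors:
            # Leaks engine and schema details to whoever sent the request.
            return {"ok": False, "error": str(exc)}
        return {"ok": False, "error": GENERIC_ERROR}


if __name__ == "__main__":
    db = build_sample_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every user comes back
    print("safe:  ", find_user_safe(db, payload))     # no such username
    print("handler:", handle_lookup(db, payload, find_user_safe))
```

Running it shows the classic tautology payload returning every row through the string-built query and nothing through the parameterized one; the handler never even reaches the database for that input because the allowlist rejects it, and a malformed input that does reach the unsafe query is turned into the generic message while the exception text goes to the log.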