Right, security is important for any application! Please do not award because security integration and planning always come from discussion. Luckily, I got opportunities to work with GE, ANZ, etc., and I learned a lot about security from them.
Initially, I always emphasized the points below:
1. General Web Application Security Recommendations:
> Use the Windows NTFS file system, not FAT32. NTFS offers substantially more security than FAT32. For details, see the Windows documentation.
> Secure IIS. For details, refer to the Microsoft TechNet Security Center Web site.
> Need to check whether any unused ports are open or not.
2. Run Applications with Least Privileges
3. Guard Against Malicious User Input
4. Have you ever thought about someone framing your website onto theirs, making your users the victims of clickjacking? Yes, the attackers can load your website onto their site in an iframe.
5. Have you integrated Forms Authentication and Session?
6. Handle SQL injection. UrlScan also helps prevent SQL injection. Handle SQL injection in SQL scripts as well as on the front end. What is required is deterministic client-side validation.
It’s good to incorporate the necessary key security best practices during the design phase, thus ensuring the system is not at risk and, at the same time, is hack-resilient. I would prefer you get back to me with your application, user type and how users use your application. After getting all the information and checking the code I will recomme
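As an added illustration of the clickjacking point in item 4 (this is example code, not part of the post above or of any product it mentions): a small checker that decides, from a page's response headers, whether a given origin is allowed to load the page in an iframe. It applies the precedence browsers use, where a CSP frame-ancestors directive overrides X-Frame-Options, and treats the absence of both as "anyone may frame it". The header lines, origins and function names are constructed assumptions for the example.

```javascript
// Added example (not from the original post): decide whether a response's headers let the
// page be framed by a given origin. CSP frame-ancestors takes precedence over X-Frame-Options;
// no policy at all means any site may embed the page. Headers and origins are constructed samples.

function parseHeaders(rawHeaders) {
  // rawHeaders: array of "Name: value" strings; header names are case-insensitive.
  const map = {};
  for (const line of rawHeaders) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    map[name] = name in map ? map[name] + ', ' + value : value;
  }
  return map;
}

function sourceMatches(source, pageOrigin, framerOrigin) {
  // Covers the frame-ancestors forms most deployments use: 'none', 'self', '*',
  // exact origins, and scheme://*.host wildcards. Origins are compared lowercase.
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return framerOrigin === pageOrigin;
  if (s.includes('://*.')) {
    const [scheme, hostPattern] = s.split('://');
    const [fScheme, fHost] = framerOrigin.split('://');
    return scheme === fScheme && fHost.endsWith(hostPattern.slice(1));
  }
  return s === framerOrigin;
}

function framingAllowed(rawHeaders, pageOrigin, framerOrigin) {
  const h = parseHeaders(rawHeaders);
  pageOrigin = pageOrigin.toLowerCase();
  framerOrigin = framerOrigin.toLowerCase();
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.slice('frame-ancestors'.length).trim().split(/\s+/).filter(Boolean);
    return sources.some((src) => sourceMatches(src, pageOrigin, framerOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no framing policy: any origin can embed the page
}
```

Run it against your own site's captured response headers with an origin you do not control; a result of `true` means the page can be framed from there and the clickjacking risk from item 4 is still open.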