This is a big subject. Here're some points atop of my mind:
- Always use both encryption and validation for your authentication cookies (forms tag of web.config).
- Encrypt your viewstate (if you're using WebForms).
- Don't store passwords in plain text in database. Store their hashes.
- Always treat input from the user as malicious. Don't use input from controls, URL parameters (query string) or cookies without sanitizing it against SQL and script injections.
- When dealing with database, use command parameters (SqlParameter for example) if you use plain ADO.Net, or use an ORM like Entity Framework. DO NOT concatenate SQL using input from users.
- Use protection and sanitization libraries like AntiXSS (https://wpl.codeplex.com/), and AntiCSRF (http://anticsrf.codeplex.com/)
- For the more paranoid. Disable the HTTP headers that disclose the technologies you use. ASP.Net for example adds a Powered By ASP.Net x.x header.
- Follow security specialists like Troy Hunt (http://www.troyhunt.com/). He made a wiki specially for the subject (but I can't find it now. Sorry), and a security audit tool (https://asafaweb.com/)
