One of our web applications, which is developed using classic ASP, has security problems all the time and keeps causing problems for us. I compiled a number of things you should do to escape the same problems; let me know what you think.
- Keep security in your mind starting at the design level
- Use stored procedures, or at least parameterized SQL
- Keep the connection string in web.config and encrypt it
- Validate user input, including form inputs, query string inputs, etc.
- Encode user input
- Don't give out hacker-friendly error messages
- Don't reinvent the wheel for user management and account management; use the membership provider
- Encrypt, or better hash, passwords in the database
- Instead of SQL authentication, try to use Windows authentication to connect to SQL
- Don't create too many admin accounts; use delegation
- Log failed attempts
- Monitor your application
- Patch your system
- When you need SSL, use it
- Don't reinvent encryption algorithms; use the .NET Framework security algorithms
- Don't forget that software ages like a human being: the older it is, the more complaints you will get
- Have a backup plan
- Have backups
- Document your apps and your security tests
- Read owasp.org
- Read the MS security bulletins
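As an added example for the "parameterized SQL" and "validate user input" items (this is example code, not code from the original post), here is the string-concatenation form beside its parameterized and stored-procedure replacements. The `Users` table, its `UserName`/`Email` columns, the `dbo.GetUserEmail` procedure and the user-name pattern are all assumptions made for the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example; table, column, procedure names and the allowed
// user-name pattern are assumptions, not taken from the original post.
public static class UserLookup
{
    // Whitelist validation: letters, digits, dot, underscore, hyphen; 3 to 32 chars.
    static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9._-]{3,32}$");

    // VULNERABLE (the "before"): the raw value becomes part of the SQL text,
    // so any input containing quote characters changes the query's meaning.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the value is sent as a typed, length-limited parameter and is
    // never parsed as SQL by the server.
    public static string GetEmail(string connectionString, string userName)
    {
        RequireValidUserName(userName);

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
                   "SELECT Email FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;   // null when no such user
        }
    }

    // Stored-procedure variant: same parameter handling, and the procedure can be
    // granted EXECUTE while the application login gets no direct table access.
    public static string GetEmailViaProcedure(string connectionString, string userName)
    {
        RequireValidUserName(userName);

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.GetUserEmail", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Validate before the value reaches any query; parameters stop injection,
    // the whitelist stops junk from reaching the database at all.
    static void RequireValidUserName(string userName)
    {
        if (userName == null || !UserNamePattern.IsMatch(userName))
            throw new ArgumentException("User name has an invalid format.");
    }
}
```

The validation is a whitelist rather than a blacklist of "dangerous" characters: it is shorter, easier to review, and does not need updating every time someone finds a new encoding trick.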
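As an added example for the "connection string in web.config", "Windows authentication" and "hacker-friendly error messages" items (a constructed fragment, not the original post's configuration), this is what the relevant web.config sections look like before the connection-string section is encrypted. The server name `DB01`, database name `AppDb`, application path `/MyApp` and error page `~/Error.aspx` are assumptions.

```xml
<configuration>
  <connectionStrings>
    <!-- Integrated Security=SSPI uses the application pool's Windows identity
         instead of a SQL login and password embedded in this file.
         Encrypt the whole section in place with the framework tool:
           aspnet_regiis -pe "connectionStrings" -app "/MyApp"
         (application path is an assumption for this example). -->
    <add name="MainDb"
         connectionString="Data Source=DB01;Initial Catalog=AppDb;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- RemoteOnly: stack traces and SQL errors are shown only when browsing
         from the server itself; everyone else gets the generic error page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

After encryption the application reads the connection string through `ConfigurationManager.ConnectionStrings` exactly as before; decryption is transparent to the code, which is why the encryption can be applied late without touching the application.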