Protect against sql injection. Use stored procedures OR parameterized sql statements. You can use dynamic sql – but be very careful and if you do – make sure you use parameterized queries and do not form the sql statements ‘inline’ by appending variables.

Protect against cross site request forgery (CSRF) by making sure you use Html.AntiForgeryToken

Make sure tracing is turned off

Make sure custom errors is turned on so yellow screens of death (ie error details) ar enot displayed to the client.

Protect against cross site scripting by making sure any output you display in your system from your model, database, etc. is encoded by using <%: syntax on your aspx pages and simply @XXXX on your mvc 3 pages, as mvc3 encodes everything BY DEFAULT which is a great enhancement over past methods.

Make sure there are no test accounts in your database.

Ensure no actions can be performed just by the querystring – for instance passing in /MyApp/DeleteUser/10. Require a post to perform an action, and those posts must use Html.AntiForgeryToken and [ValidateAntiForgeryToken] on your controller

Ensure that any users editing information on your page cannot edit (using a tool like fiddler) a primary key hidden on the page thus changing what record they are editing when they post back the changes. You can hash for instance a CustomerId on the page into a hidden field and compare it upon post to make sure it matches what is in the model.

Visit me at tech ed in atlanta next month for my security talk : )