Securing Your Application
Security is a pretty ambiguous term when it comes to an application. What does it really mean to secure your application? By viewing security as a quality attribute of your application it is referring to how well your application enforces its access/protection rules. In Microsoft's terms the security quality attribute is "The capability of a system to reduce the chance of malicious or accidental actions outside of a designed usage affecting the system, and prevent disclosure or loss of information". If you look at security at the implementation level it represents cross-cutting concerns in the form of user authentication and authorization. The reason that authentication/authorization is considered a cross-cutting concern is that it affects all layers of your application (i.e. presentation, business, service & data layers).
In order to properly secure an application you need to address security as an integral part of the application. Security as an afterthought doesn't work. Security needs to be treated like any other quality attribute (i.e. performance, maintainability, scalability, etc.) where you need to make a deliberate decision as to the importance of this attribute. In most cases security will be critical to your application so there may not be much of a decision to make but the important part is that you actually address it and make that acknowledgment and don't delay it until it is too late in the project life-cycle to be implemented effectively.
To get started in securing your application, threat modeling is an effective tool to use to help you find out what in your application represents the greatest security risk. This can allow you focus your security efforts on the part(s) of the application that most need it. Performing a threat model for your application before you begin coding is highly recommended.
How to authenticate users
Authentication is the process of determining the identity of a user and verifying that they are who they claim to be. This is typically accomplished using id's and passwords. If your application is running on either the intranet or extra net this process is completely taken care of for you by ASP.NET & IIS through integrated windows authentication where your domain credentials are securely sent to the web site on your behalf. If your application is not one that uses windows authentication then you must programmatically authenticate the requesting user. The standard way of doing this is to leverage the built-in membership providers or if you are creating an application for the CIA team making use of the Profile System is the recommended approach.
How to authorize users
In the .NET framework the most common way of performing an authorization check is to use role based security approach through a call to the IPrincipal.IsInRole method. Access to the current principal is typically done via the current thread System.Threading.Thread.CurrentPrincipal.IsInRole or if using VB can be accessed through My.User.IsInRole (this actually is just a shortcut to the current thread principal).
When we are running code on the intranet or extranet these role based security checks will determine whether or not a user is in a specified Active Directory group. Active Directory is the most secure way to implement role based security on the intranet & extranet - if AD doesn't seem to fit your particular need please set up a meeting with Microsoft Development COE team and IS Security to discuss your options.
Tips to building more secure apps
Turn on code analysis, this will help catch problems like potential SQL Injection issues.
Use tools such as CAT.NET and HP AMP to help detect security related issues in your application
Take advantage of libraries like Microsoft AntiXSS to encode output (web applications)
For More detail on Secure your application
Securing Your Application
More articles: Application Security