there are a lot of things to discuss when it comes to security ,here are few tips :
1. use parameterized query,stored procedures when accessing db -- avoid sql injection.
2. be carefull when displaying error messages this may give information about your application's internal implementations.
3.always send data via post method only use get method only to retrieve pages.
4. if your application has upload facility ex:image upload -- check for content type and file size being uploaded
thus avoiding denial of service attacks.
5.encrypt sensitive information like connection string in web.config file.
6. encrypt and store informations like passwords in db.use hashing if you do not need to decrypt else encrypt it with a key and store.
7. use parameterized queries ,sp_executesql when constructing dynamic queries in stored procedures.parameterized queries does type checking and sanitizes queries from sql keywords thus preventing sql injection.
8.set validaterequest = true to avoid cross site scripting attack.
have a look at these links : web security,encrypt connection
string ,encryption .net,request validation
