The following checklist is a good example of areas to focus on:
- Run penetration tests with SSLLabs.com to check how exposed your servers are
- Look for passwords in .config and code (SSW Code Auditor can help)
- Authentication: the process of identifying who the user is
- Authorization: what the user can do within the application
- Licensing: controlling the usage of the software
- Validation of all inputs in the system (cross-site scripting (XSS) and SQL injection)
- No in-memory generation of SQL statements (and is a good ORM in use?)
- Encryption of passwords and any sensitive data
- Software licensing protection mechanisms (and a recommendation for a subscription model)
- Methodologies and best practices to reduce your exposure to hostile attacks
- Logging who is doing what and when (audit trails)
There is a more comprehensive list on GitHub: A practical security guide for web developers.
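One way to automate the "passwords in .config" item from the checklist, as an added example (it is not SSW Code Auditor and not code from the original page): a small Python audit of .NET-style configuration XML. The sample config, its names and its values are constructed, and the key-name hints are an assumption to tune per code base.

```python
import re
import xml.etree.ElementTree as ET

# Credential fields inside a connection string ("Password=" or "Pwd=").
CONN_SECRET = re.compile(r"(?i)(?:^|;)\s*(password|pwd)\s*=\s*[^;]+")
# appSettings key names that suggest a secret value (assumed list, adjust as needed).
KEY_HINT = re.compile(r"(?i)(password|passwd|pwd|secret|apikey)")

def audit_config(xml_text, source="<inline>"):
    """Return (source, location, reason) findings; secret values are never echoed."""
    findings = []
    # Intended for config files from your own repository, not untrusted XML.
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        name = add.get("name") or add.get("key") or "?"
        conn = add.get("connectionString")
        if conn and CONN_SECRET.search(conn):
            findings.append((source, f"connectionStrings/{name}",
                             "password embedded in connection string"))
        key, value = add.get("key"), add.get("value")
        if key and value and KEY_HINT.search(key):
            findings.append((source, f"appSettings/{name}",
                             "secret-like key with literal value"))
    return findings

# Constructed sample: one SQL-auth string, one integrated-auth string,
# one secret-like app setting and one harmless setting.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=App;User Id=app;Password=CONSTRUCTED-EXAMPLE;" />
    <add name="Reports" connectionString="Server=db01;Database=Rpt;Integrated Security=True;" />
  </connectionStrings>
  <appSettings>
    <add key="SmtpPassword" value="CONSTRUCTED-EXAMPLE" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for src, location, reason in audit_config(SAMPLE):
        print(f"{src}: {location}: {reason}")
```

Run it over each `.config` file in the repository as a build step and fail the build on any finding, so credentials move to a secret store or an encrypted config section before they reach source control.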