1. Do not trust on Client-User Input. Security decisions should not rely on client-side validations; they are made on the server side
2. Identify application to fail gracefully. An approach to exception management should be such that does not reveal any internal software information.
3. Partition the application into public accessible and restricted areas. Isolate higher privileged sections of the application.
4. Granular authorization check for pages and directories.
5. Web controls, user controls, and resource access code are all partitioned in their own assemblies for granular security
6. Mechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over network and in persistent stores