Blue Flower

Stage 1. Automation Auditing
Stage 2. Manual Auditing

Automation Tools:-

1. AppScan
2. Scando
3. Acunetix
etc..

Manual Testing Tools:-

1. Burp Suite
2. IE Tamper
3. Achilles
etc..


How to prevent via coding ?   [Project should implement the following points]:-

Auto Completion for important controls like password
Salted hash for password fields
Sanitization to all the input controls
Browser Refresh [use captcha]
Steal Password via Refresh or back button [use redirection, clear cache]
Session Fixation [ use new session id before/after login ]
Brute Force [use captcha]
Guessing UserID
Always clear Browser cache
Insecure direct object reference  [ in search result screens, avoid give action link with pk id ]
CSRF
Downloading Secure File [ dont take a path from parameter ]
Inproper Error Handling [use proper tr{} catch{}, move to custom error page]
XSS [use sanitization, check server side validation (type,size,input data) ]
SQL Injection [use sanitization]
Cross Account Access
Privileged Escalation
Login Trail
Audit Trail
Forgot Password [use security question, captcha, send a mail link to change password (one time link) ]
etc..