Tags: jquery, asp.net-mvc, security, subsonic

Security considerations for intranet developer making public facing website?


I have a lot of experience writing internal Intranet applications, but very little when it comes to writing public facing web applications where it is likely that a certain percentage of people will try and be malicious.

The app is written with MVC.net, jQuery and Subsonic.

What steps can I take to protect my application, to make it reasonably protected?

I've done some things already:

  • Form validation on the server and client side
  • Enforcing password complexity
  • Check in controller Actions that current user is ok to do the operation.

I have been quite paranoid about people looking at the HTML source of my forms and seeing what the form is posting, and using this to manually create a form post with different values to do operations they shouldn't. Is this paranoia well founded? Do I need to do this on Actions attributed with the HttpVerb GET and POST, or just GET?

Do I need to be worried about SQL injection with ORMs?


Solution

  • Check authorization on ALL controller actions, both GETs and POSTs. Authorize not for the session, but for each request once again.

  • Server validation is a must. Also enforce some amount of data integrity on the database level. Fail as soon as you detect some exceptional situation. Don't try to recover and handle all possible scenarios to please the user.

  • Don't rely on user identification like a username stored in cookies. It can be replaced. Add something more and unique to that. Cookies can also be stolen and transferred to another PC. Consider the option to check an IP address (for example) to get some assurance you are not being tricked.

  • Limit the amount of user operations per time unit. Don't allow 100 submits in a minute.

  • All user inputs have to be sanitized. Yes, worry about SQL injections.

  • Don't store passwords in plain text. Hash them. If someone breaks into your system, they can misuse the passwords by assuming the user has the same password to access his email account, banking system etc.

  • Another good idea could be not to use the public nickname, email or something else known publicly as a login name. Allow the user to use a login to perform the login operation, and a different name to represent them publicly on the site.

  • Actually, check out this thread. It has a good summary of that kind of knowledge:

    What should a developer know before building a public web site?
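As an added illustration (not code from the question or the answer above) of the first point, authorizing on every request for both the GET that renders a form and the POST that submits it, here is an ASP.NET MVC controller where the record id and every field arriving from the client are re-checked against the logged-in user. `IProfileRepository` and `Profile` are assumed placeholders standing in for the app's own SubSonic data access.

```csharp
using System.Web.Mvc;

// Assumed data-access abstraction; stands in for whatever the app uses (e.g. a SubSonic repository).
public interface IProfileRepository
{
    Profile Find(int id);
    void Save(Profile profile);
}

public class Profile
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string DisplayName { get; set; }
}

[Authorize] // every action requires an authenticated user, GET and POST alike
public class ProfileController : Controller
{
    private readonly IProfileRepository _profiles;

    public ProfileController(IProfileRepository profiles) { _profiles = profiles; }

    // GET /Profile/Edit/5 - rendering the form is itself an operation worth protecting
    [HttpGet]
    public ActionResult Edit(int id)
    {
        Profile profile = _profiles.Find(id);
        if (profile == null || profile.OwnerUserName != User.Identity.Name)
            return new HttpUnauthorizedResult(); // fail fast, no attempt to recover
        return View(profile);
    }

    // POST /Profile/Edit/5 - the id and the field values come from the client and are re-checked here
    [HttpPost]
    [ValidateAntiForgeryToken] // the form must carry the token emitted by Html.AntiForgeryToken() in the view
    public ActionResult Edit(int id, string displayName)
    {
        Profile profile = _profiles.Find(id);
        if (profile == null || profile.OwnerUserName != User.Identity.Name)
            return new HttpUnauthorizedResult();

        if (string.IsNullOrEmpty(displayName) || displayName.Length > 40)
            ModelState.AddModelError("displayName", "Display name must be 1-40 characters.");
        if (!ModelState.IsValid)
            return View(profile);

        // Only the field the user may change is copied; Id and OwnerUserName are never taken from the form.
        profile.DisplayName = displayName;
        _profiles.Save(profile);
        return RedirectToAction("Edit", new { id = profile.Id });
    }
}
```

A hand-crafted POST that changes the `id` to someone else's record still reaches the same ownership check, which is why the check lives in the action rather than in the form.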