Eliminate Default Accounts
Remove, disable or rename the default administrative and other well-known accounts in every product your application depends on (e.g. sa in SQL Server, SYSTEM and the sample schemas in Oracle, the Admin user in an Access workgroup file). Attackers try these names, with their vendor default passwords, first. Where a built-in account cannot be dropped (sa in SQL Server cannot be), disable it, rename it and set a long random password; in Oracle, lock unused accounts with ALTER USER ... ACCOUNT LOCK and check DBA_USERS_WITH_DEFPWD for any account still on a vendor default password.
Grant every user, service and application connection only the minimum privilege it needs (least privilege). In particular, never run the application as a database or operating-system administrator: a dedicated low-privilege account limits what a compromised web tier can do.
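The following T-SQL is an added example for the two points above (it is not code from the original page): it neutralises the built-in sa login on SQL Server, audits that the change took effect, and creates a least-privilege login for the application. The database AppDb, the stored procedure dbo.GetOrder, the login names and the placeholder passwords are all assumptions for illustration; run it as a sysadmin on SQL Server 2012 or later.

```sql
-- Added example (not from the original page). Hypothetical names: AppDb,
-- dbo.GetOrder, svc_retired_sa, app_orders. Replace the placeholder passwords.

-- 1. sa cannot be dropped. Disable it, rename it so the well-known name no
--    longer works, and give it a long random password in case it is re-enabled.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_retired_sa];
ALTER LOGIN [svc_retired_sa] WITH PASSWORD = 'REPLACE-WITH-LONG-RANDOM-VALUE';

-- 2. Audit: whatever it is called now, the sa login always has SID 0x01.
--    Expect is_disabled = 1; anything else means the change did not apply.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- 3. Least privilege: a dedicated login for the application that can only
--    execute the stored procedures it needs. No db_owner, no db_datareader,
--    no ALTER, so SQL injection through this connection cannot read arbitrary
--    tables or change the schema.
CREATE LOGIN [app_orders]
    WITH PASSWORD = 'REPLACE-WITH-LONG-RANDOM-VALUE', CHECK_POLICY = ON;

USE AppDb;
CREATE USER [app_orders] FOR LOGIN [app_orders];
GRANT EXECUTE ON OBJECT::dbo.GetOrder TO [app_orders];

-- 4. Verify what the application login can actually do by impersonating it.
--    The database-level list should contain only CONNECT.
EXECUTE AS LOGIN = 'app_orders';
SELECT entity_name, permission_name
FROM fn_my_permissions(NULL, 'DATABASE');
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.GetOrder', 'OBJECT');
REVERT;
```

Step 4 is the check worth keeping in a hardening script: privileges tend to accumulate through role membership and inherited grants, and impersonating the account shows the effective result rather than what was intended.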
Handle errors explicitly. Return a generic message to the user and keep the detail (stack traces, SQL text, file paths, table and column names, product versions) in a server-side log only; a verbose error response tells an attacker how your code and schema are built.
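As an added example of this split (not code from the original page), the stored procedure below records the full error in a server-side log table and returns only a generic message with an opaque reference that the user can quote to support. The table dbo.Orders, the log table dbo.AppErrorLog and the procedure name are assumptions for illustration; THROW needs SQL Server 2012 or later. The same pattern belongs in the web tier as well: a catch-all handler that logs the exception and renders a fixed error page.

```sql
-- Added example (not from the original page). Hypothetical objects:
-- dbo.Orders (assumed to exist), dbo.AppErrorLog and dbo.GetOrder (created here).
CREATE TABLE dbo.AppErrorLog (
    LogId      INT IDENTITY PRIMARY KEY,
    LoggedAt   DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME(),
    ProcName   NVARCHAR(128) NULL,
    ErrNumber  INT NOT NULL,
    ErrLine    INT NULL,
    ErrMessage NVARCHAR(4000) NOT NULL,
    Reference  UNIQUEIDENTIFIER NOT NULL
);
GO

CREATE PROCEDURE dbo.GetOrder @OrderId INT
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        SELECT OrderId, CustomerId, Total
        FROM dbo.Orders
        WHERE OrderId = @OrderId;
    END TRY
    BEGIN CATCH
        -- The detail (procedure, line, message naming tables and constraints)
        -- stays in the log, tied to a random reference.
        DECLARE @ref UNIQUEIDENTIFIER = NEWID();
        INSERT INTO dbo.AppErrorLog (ProcName, ErrNumber, ErrLine, ErrMessage, Reference)
        VALUES (ERROR_PROCEDURE(), ERROR_NUMBER(), ERROR_LINE(), ERROR_MESSAGE(), @ref);

        -- The caller gets a fixed message plus the reference, nothing about
        -- schema, code or the underlying error.
        DECLARE @msg NVARCHAR(200) =
            N'The request could not be completed. Reference: '
            + CONVERT(NVARCHAR(36), @ref);
        THROW 50000, @msg, 1;
    END CATCH
END;
GO
```

Operators look the reference up in dbo.AppErrorLog; the log table itself should be readable only by administrators, never by the application login.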
Apply vendor patches to the operating system, database, web server and any other software involved in delivering your application promptly; for serious vulnerabilities this often means within twenty-four hours of notification. If the application is hosted, a responsible hosting provider will apply these patches; specify the required responsiveness in the Service Level Agreement.
Protect access to your web server files carefully. File-transfer and database access must use strong passwords and an encrypted channel: plain FTP sends credentials and content in cleartext, so use SFTP or FTPS instead, and require TLS for any database connection that crosses the network.