- Use HTTPS - stops man-in-the-middle attacks.
- Use a load balancer - control internal vs. external applications.
- Input validation is mandatory.
- Use 2-factor authentication.
- Restrict failed login attempts to stop malicious logins.
- Use a CAPTCHA to keep bots out.
- A session should have a timeout based on application criticality.
- Re-verify the login before access to critical data.
- Limit the access rate to stop denial-of-service attacks.
- Prevent SQL injection, for example in a query built by concatenating input ("select * from students where student_name =" + name + ";").
- Encrypt data kept on 3rd-party storage.
- Hash the passwords.
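The SQL injection item above, as an added example that is not from the original page: the concatenated query next to a parameterized one, run against an in-memory SQLite table. The table rows, function names and the crafted input are constructed for illustration, and quotes are added around the value in the page's query so that ordinary names work.

```python
import sqlite3

# Constructed sample rows; "o'brien" is a legitimate name containing a quote.
SAMPLE_NAMES = ["alice", "bob", "carol", "o'brien"]
# Constructed input that changes the meaning of a concatenated query.
CRAFTED = "x' OR '1'='1"

def make_db():
    """Build an in-memory students table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, student_name TEXT)")
    conn.executemany("INSERT INTO students (student_name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn

def find_student_concat(conn, name):
    """Pattern from the checklist: the input becomes part of the SQL text."""
    query = "select * from students where student_name = '" + name + "';"
    return conn.execute(query).fetchall()

def find_student_param(conn, name):
    """Hardened form: the value is bound by the driver and never parsed as SQL."""
    return conn.execute(
        "select * from students where student_name = ?;", (name,)
    ).fetchall()

def compare(name):
    """Return (rows from concatenated query or 'sql error', rows from bound query)."""
    conn = make_db()
    try:
        concat = len(find_student_concat(conn, name))
    except sqlite3.Error:
        concat = "sql error"  # the input broke the statement's syntax
    bound = len(find_student_param(conn, name))
    conn.close()
    return concat, bound

if __name__ == "__main__":
    for value in ("alice", CRAFTED, "o'brien"):
        print(repr(value), compare(value))
```

The crafted value makes the concatenated query return every row, and a legitimate name containing a quote makes it fail outright; the bound query treats both as plain data.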