What measures should I take to secure my multi-tie

Published 2019-04-09 22:31

Question:

I'm in a process of designing a multi-tier ASP.NET web application that is supposed to deal with sensitive information (say financial data).

I would like to identify all potential threats the application will face in real life and plan the countermeasures accordingly.

Some details:

  • The application will be hosted in the customer's data center for both internal and external users
  • Target platform is Windows Server 2008 + IIS7 or Windows Server 2003 + IIS6
  • Target DB is MS SQL Server 2008

Answer 1:

Phew! Where to start... Depends on how "secure" you need it to be, i.e. the difference between a personal blog and a large project for a large company/government dept. etc...

In no particular order

  • Secure your configuration files by encrypting them.
  • Ensure that your Database is behind some sort of DMZ and not on a publicly accessible IP
  • Get a security company to give your site an overhaul for potential vulnerabilities (Cross Site Scripting / SQL Injection)
  • Use SSL
  • Lock down everything port-wise on the server except for 80 HTTP & 443 HTTPS unless absolutely necessary
  • Make sure your Remote Desktop/VNC connections to the box are secure
  • If you're storing passwords in the DB, hash & salt them and don't store plain text
  • Publish your code, and don't leave source code on the server
  • Build your code based on known standards, i.e. don't write your own Crypto Algorithms
  • If secure connections between the Site->DB or Site-MSMQs are available, use them

Microsoft have a good article on securing ASP.NET apps that I'll dig out.

Edit

And as Syed just posted in his reply (+1, credit to him):

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication



Answer 2:

http://msdn.microsoft.com/en-us/library/aa302415.aspx

For multi-layer security: http://msdn.microsoft.com/en-us/library/aa302415.aspx#secnetlp_part3



Answer 3:

That is a very large (broad) question; there are complete books on security that cannot answer it. Go to Borders and get a few security books and start reading.