Sorry for the deluge of posts today; I have been collecting up these tidbits and finally had a bit of time to post them.
In a past life, I was the Technical Lead for Security for a large corporation. I still think like a security guy (or a hacker, depending on which side of the fence you are on :-) ) and I always try to help people take the security considerations for their architecture into account.
Microsoft has released some great guidance around threat modeling and has some patterns and prescriptive guidance for mitigating common threat scenarios.
Check out the downloads section: there's a threat modeling tool that the ACE team has released, and there are also some great articles on writing secure code, code access security and securing your web or Windows application. I know that the more you try to make your application secure, the more effort is involved in mitigating risks that may have a VERY low attack vector. It's very easy to go overboard, but all in all, you should think about the security of your application EVERY time, not as an afterthought.
The way I look at it, if I was using the application that I am building, what concerns would I have regarding the information... this of course depends on what type of information you are dealing with, what the audience is and how much damage could be done by a malicious user. Getting answers for those three basic questions can help you start to form a model for how you will secure your application.