Microsoft has a site dedicated to the Security Development Lifecycle: <a href="https://www.microsoft.com/en-us/securityengineering/sdl" rel="nofollow">https://www.microsoft.com/en-us/securityengineering/sdl</a>, which is a good starting point. You might want to look at the whole process, including doing a threat assessment. For example, concerns differ based on the technology you're developing with, such as cloud, desktop, mobile, or web. Essentially, it's a process of identifying what you need to pay attention to and weighing risk/cost benefits. There's a ton of information available, and focusing on your specific situation will help narrow the surface area you need to care about.