Start with the OWASP Top 10
The OWASP Top 10 isn't academic — it's a ranked list of the vulnerabilities attackers actually exploit most. SQL injection and broken authentication show up on that list year after year for a reason: they're common, and they're preventable.
Parameterized queries, always
Never concatenate user input directly into a SQL query. In .NET, Entity Framework and Dapper both handle parameterization for you by default — the risk mostly appears when developers write raw SQL by hand under deadline pressure.
Hashing passwords the right way
Never store plain-text passwords. Use a proper password hashing algorithm (bcrypt, Argon2) with a per-user salt — never roll your own hashing scheme, and never use fast general-purpose hashes like MD5 or SHA-1 for passwords.
Testing before launch
Tools like OWASP ZAP can catch a surprising number of issues automatically before a single line of user data is ever at risk. Running it once before every major release costs almost nothing and catches real problems.