While it's a bit broad, I think this question is one that many application teams ask themselves. This goes back to one of the points I mentioned in another thread: developers often don't know where to start when it comes to securing their application. There are so many ways that an application can be attacked, and there's only so much time in which to shore up your defenses. Sure, building security in from the start is probably the best approach, but what do we do about legacy apps?
I think you have to start with a security assessment and risk analysis. Once you have that, you can focus on the aspects of your application that are at greatest risk, where risk accounts for the probability of an attack and the costs of defending against, preventing, mitigating, sustaining, and recovering from a successful attack.