Security and privacy are a complex ecosystem with evolving threats and tools. We can help identify tools that match the maturity of your code and business, so that security costs scale with growth in revenue or product adoption.
As a good place to start, we recommend the OWASP Top 10. From OWASP:
"The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list."
OWASP releases its Top 10 every few years. The most recent edition is the 2017 list, which includes:
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Cross-Site Scripting (XSS)
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
For more on the OWASP Top 10, see https://www.owasp.org/index.
There are many open source security tools available. Here is a list of some popular ones:
OWASP O2 Platform
OWASP WAP-Web Application Protection
Boon - http://www.cs.berkeley.edu/~
FindBugs - http://findbugs.sourceforge.
Find Security Bugs - https://find-sec-bugs.
FlawFinder - http://www.dwheeler.com/
Google CodeSearchDiggity - http://www.bishopfox.com/
phpcs-security-audit - https://github.com/
PMD - http://pmd.sourceforge.net/
.NET Security Guard - https://dotnet-security-
Oedipus - http://www.darknet.org.uk/
Puma Scan - https://pumascan.com
Splint - http://splint.org
SonarQube - http://sonarqube.org
W3af - http://w3af.sourceforge.net/
This list came from OWASP. For their full list of tools, including paid tools, see https://www.owasp.org/index.