Key practices: input validation (whitelist), parameterized queries (prevent SQLi), output encoding (prevent XSS), proper error handling (no stack traces to users), no hardcoded credentials, least privilege for application accounts.
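As an added illustration of three of these practices (example code, not from the original page), the following Python contrasts a string-built query with a parameterized one against a constructed in-memory SQLite table, applies a whitelist check before querying, and HTML-encodes output; the table, usernames and the username pattern are assumptions.

```python
import html
import re
import sqlite3

# Constructed in-memory table standing in for an application's user store.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "admin"), ("bob", "user")])

# Whitelist validation: define what a username MAY look like (assumed pattern)
# instead of trying to enumerate characters that are bad.
_USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_valid_username(name: str) -> bool:
    return bool(_USERNAME_RE.fullmatch(name))


def find_role_unsafe(name: str):
    # String-built SQL: the input becomes part of the statement text,
    # so a quote in the input changes the query's logic.
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in _conn.execute(sql)]


def find_role_safe(name: str):
    # Parameterized query: the driver binds the value; it is never
    # parsed as SQL, so the same input simply matches no row.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in _conn.execute(sql, (name,))]


def render_greeting(name: str) -> str:
    # Output encoding: HTML-escape data before placing it into markup
    # so it renders as text rather than as tags or attributes.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def lookup(name: str):
    """Validate first (whitelist), then query with bound parameters."""
    if not is_valid_username(name):
        return None
    return find_role_safe(name)
```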
OWASP Cheat Sheet Series covers each practice in detail. SAST finds secure coding violations in code. Code reviews catch issues SAST misses. Security training for developers prevents more vulnerabilities than any scanner.