What QA & security steps to take before launching web app?


2

I've seen plenty of questions dealing with beta testing, marketing, market research and so on.

My question is which practical quality assurance and security steps should a web app or service make sure they have ready when launching to real people?

Suggestions:

  • double-checking against SQL injection
  • user password recovery
  • double-checking file & folder permissions
  • 404 pages

Even in a private beta, what things should absolutely be a part of a launch?

Launch Product Launch Security QA

asked Jun 19 '11 at 22:53
Joe
121 points

2 Answers


1

Even if you are in private beta, your server can be reached by the public. That means you'll experience occasional lightweight attacks by bots. If you have information that is valuable, there is a much greater chance of large attacks on your server(s), and that will require additional hardening. For now I would recommend the following.

  1. Be sure to get an SSL certificate and only allow https traffic.
  2. Familiarize yourself with the Open Web Application Security Project's Top 10 Risks.
  3. Get some free open source applications to scan your server. The exact applications depend on the technology your server is running (Apache vs IIS, MySQL vs SQL Server, etc.). In general though I would recommend a SQL injection specific tester like sqlmap, and a fuzzer like Wapiti.
  4. Double check all accounts for all services on your server. If you run FTP, bots will attempt to log in with standard names and passwords. Lock down all unnecessary accounts and shut off all unnecessary software (e.g. don't run a print spooler if the server is not a print server). This is called reducing your "surface area", so there is less to attack.
answered Jun 20 '11 at 04:28
Justin C
838 points
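Two of the checks this thread keeps coming back to (the SQL injection test from the question and the answer's step 3, and the file-permission review from the question's list) can be scripted and run against a staging copy before launch. The following is an added example, not code from the original post or from either answerer. It assumes a SQLite database with a `users(name, password)` table and a directory tree laid out the way a PHP deployment might be; the table contents, the `uploads` directory and the `config.php` file are constructed sample inputs, and the `' OR '1'='1` payload is the standard tautology that tools such as sqlmap try first.

```python
"""Pre-launch self-checks: a SQL-injection probe against a login query,
and a scan for world-writable files under the web root.
Added example; uses an in-memory SQLite database and a temporary
directory as constructed inputs so it runs offline."""
import os
import shutil
import sqlite3
import stat
import tempfile


def make_db():
    """Constructed sample database with a single user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """String-concatenated query: attacker input becomes part of the SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Parameterized query: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Classic tautology payload; makes the WHERE clause always true when
# it is spliced into the query text instead of bound as a value.
INJECTION = "' OR '1'='1"


def sqli_check(login):
    """True if `login` accepts the tautology payload in place of a password,
    i.e. the query is injectable."""
    conn = make_db()
    try:
        return login(conn, "alice", INJECTION)
    finally:
        conn.close()


def world_writable(root):
    """Relative paths under `root` whose mode grants write to 'other'.
    Symlinks are skipped so a link's own mode does not produce noise."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def permission_demo():
    """Constructed tree: a config file locked to 0640 and an uploads
    directory left at 0777, which the scan should flag."""
    root = tempfile.mkdtemp()
    try:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o777)
        config = os.path.join(root, "config.php")
        with open(config, "w") as f:
            f.write("<?php $db_pass = 'x';")
        os.chmod(config, 0o640)
        return world_writable(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("vulnerable login injectable:", sqli_check(login_vulnerable))  # True
    print("parameterized login injectable:", sqli_check(login_safe))     # False
    print("world-writable paths:", permission_demo())                    # ['uploads']
```

The injection probe returns True for the concatenated query and False for the parameterized one, which is the check to run on every query that takes user input before launch; the permission scan is pointed at the real web root rather than the temporary tree, and anything it reports is a file the web server or anyone else on the box can modify.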

0

That is more of a technical question, I suggest you ask it on Stack Overflow.

answered Jun 21 '11 at 00:10
Rafferty Pendery
466 points
  • actually I think from a high level it is appropriate here. In-depth security is covered at security.stackexchange.com, but this is too high level for that. An answer on StackOverflow would be programmer related. Here the question can be high level technical info for entrepreneurs. – Justin C 13 years ago
  • I don't see it the same way. I'm not a moderator, so it doesn't really matter. I would just suggest you look at the two FAQs. I think you can make a judgement as to which one is more appropriate. http://answers.onstartups.com/faq and http://security.stackexchange.com/faq. I mostly mentioned it so he could get an answer that would contribute to the community as a whole. – Rafferty Pendery 13 years ago
