Mastering the OWASP Top 10 is important. Those are trivial but are important to keep in mind when working on the web. The next thing you can do is ensure that you keep everything locked down and open up only what you need. This means that if you only need port 443 open on your server for people to access your API, that's the one you use. Multi-factor auth is important for APIs (I suggest OAuth). Other than that, keep your server monitored, and never EVER trust your users (in a security sense).
I'm going to assume you mean "What tools can a web entrepreneur use to check if his site can be hacked by script-kiddies".
There are a multitude of static analysis and penetration testing tools out there, free and licensed. Fortify (static analysis), HP WebInspect and IBM AppScan (penetration testing) are just a couple of easy(ish)-to-use tools. On the free side of things, BackTrack comes with a plethora of security tools one can use to assess your site.