Having done information security for way too long, the one piece of advice I could give is:
Never trust input. Unless you can control access to the source and destination and secure the confidentiality and integrity of the transport, assume that any information is tainted by default. It doesn't have to be user-generated input (that cookie in that request: don't assume it hasn't been tampered with), just input in general. However your app interacts with data, sanitise it by default and assume that the content may be malicious, and you'll solve a fair chunk of your potential information security problems.
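As an added illustration of the cookie point above (this is example code, not part of the original answer): a session cookie is only trustworthy if the server can verify it was issued by the server, and even then its contents still get validated against an allowlist before use. The cookie format (`value.base64url(HMAC-SHA256)`), the field names `uid`/`role`, and the secret are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed secret for the example only; a real deployment loads this
# from a secrets store and never ships it in source.
SECRET = b"example-secret-key-not-for-production"

_UID_RE = re.compile(r"^[0-9]{1,12}$")
ALLOWED_ROLES = frozenset({"user", "admin"})


def sign_cookie(value: str, secret: bytes = SECRET) -> str:
    """Return value + '.' + base64url(HMAC-SHA256(secret, value)), unpadded."""
    mac = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
    return value + "." + tag


def verify_cookie(cookie: str, secret: bytes = SECRET):
    """Return the embedded value if the MAC verifies, otherwise None.

    The tag is base64url, which never contains '.', so splitting on the
    last '.' recovers the value even if the value itself contains dots.
    """
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all: treat as untrusted
    expected = sign_cookie(value, secret)
    # Constant-time comparison so a tampering attempt can't be refined
    # byte by byte from response timing.
    if not hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return None
    return value


def parse_session(cookie: str, secret: bytes = SECRET):
    """Verify the MAC, then validate the payload against a strict schema.

    A valid signature only proves *we* issued the cookie; it does not prove
    the issuing code was bug-free, so the fields are still allowlisted.
    Returns a dict on success and None on any failure.
    """
    value = verify_cookie(cookie, secret)
    if value is None:
        return None
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if not sep:
            return None
        fields[key] = val
    uid = fields.get("uid", "")
    role = fields.get("role", "")
    if not _UID_RE.match(uid) or role not in ALLOWED_ROLES:
        return None
    return {"uid": int(uid), "role": role}


if __name__ == "__main__":
    good = sign_cookie("uid=42;role=user")
    print("issued:", good)
    print("parsed:", parse_session(good))
    # Flip a field in the signed value without re-signing: rejected.
    tampered = good.replace("uid=42", "uid=43")
    print("tampered:", parse_session(tampered))
```

Note that `parse_session` rejects a cookie that is correctly signed but carries `role=root`: the signature check covers integrity in transit, the allowlist covers bad data that was trusted somewhere else upstream.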
Expanding on this advice: never assume that the libraries or programs you use are bug-free.
Before digging deep into your own code, make sure the bug actually is in it, and not somewhere else.
I have seen problems where a particular program didn't work because the other side - which I had nearly no information about - had a bad optimisation that made it crash. Or another, recent case, where a particular third-party library was abusing a cache and stored freed objects in it, which resulted in interesting crashes all over the place.