Thursday, April 2, 2009

think evil & build not break

It was a pleasure to hear Andrew van der Stock present last night at the Melbourne OWASP chapter meeting. His presentation covered a few home truths about application security that I share:
think evil - perform risk assessments and concentrate on what matters.
controls not vulnerabilities - write simple secure code built on a few key security controls (e.g. canonicalisation and known-good input validation); don't bolt on code to address individual vulnerabilities.
build not break - don't be a blocker, be an enabler. Instead of saying no and raising a problem without a solution, provide an easier and more secure option for the developer.
ban insecure functions from development frameworks.
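The "controls not vulnerabilities" point is easiest to see in code. The block below is an added example written for this post, not code from Andrew's talk or from OWASP: it canonicalises an untrusted value first (repeated percent-decoding with a bound, Unicode NFKC normalisation, case folding) and only then makes a positive, known-good decision against an allow-list pattern. The account-id policy (3 to 16 lowercase ASCII letters, digits, underscore or hyphen) and the sample inputs are assumptions constructed for the demonstration; swap in whatever your application actually expects.

```python
import re
import unicodedata
from urllib.parse import unquote

# Known-good pattern for an account identifier (assumed policy for this example):
# 3-16 lowercase ASCII letters, digits, underscore or hyphen.
ACCOUNT_ID = re.compile(r"^[a-z0-9_-]{3,16}$")


def canonicalise(value: str) -> str:
    """Reduce the input to one canonical form before any decision is made.

    Steps, in order:
      1. Percent-decode until the value stops changing, with a hard bound
         so a value that keeps changing is rejected rather than looped on.
      2. Unicode NFKC normalisation so compatibility forms (fullwidth letters,
         ligatures) become their plain equivalents.
      3. Strip surrounding whitespace and case-fold.
    """
    decoded = value
    for _ in range(5):  # bounded: refuse to decode forever
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValueError("input still changing after repeated decoding")
    normalised = unicodedata.normalize("NFKC", decoded)
    return normalised.strip().casefold()


def validate_account_id(raw: str) -> str:
    """Canonicalise, then accept only values matching the known-good pattern.

    Returns the canonical value on success and raises ValueError otherwise.
    The decision is positive ("is this one of the things we expect?"), not a
    list of things we are afraid of, so it needs no per-vulnerability patches.
    """
    canonical = canonicalise(raw)
    if not ACCOUNT_ID.fullmatch(canonical):
        raise ValueError(f"account id rejected: {canonical!r}")
    return canonical


def is_valid_account_id(raw: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_account_id(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration (not real data).
    samples = ["alice_01", " Alice%5F01 ", "ａｌｉｃｅ", "a", "../etc", "bob%2500"]
    for s in samples:
        print(f"{s!r:22} -> {is_valid_account_id(s)}")
```

The important property is that every input reaches one canonical representation before the allow-list is consulted, so differently encoded spellings of the same value are judged identically, and anything outside the expected shape is rejected without the code having to know why it was unexpected.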
