I'm often asked what my process is when auditing, and many times I get the feeling that people think if they have a detailed enough checklist to go through, that they'll be able to make their code safe. However, security isn't a checklist, it's a process that should be part of your mindset not just when writing code, but when thinking about the design of your project and architecture in the first place. It also doesn't stop when you deploy the code, as you learn more and see novel mechanisms being leveraged, you should keep in mind code you have written in the past and think "does this change any of the assumptions I had when I first wrote that code?". If you begin to feel exhausted by this mode of thinking and develop a frustrating paranoia which permeates your thoughts anytime you look at code, congratulations, you're on the right track. Many times I find vulnerabilities in one codebase by reading another one that catches an edge case in a more complete fashion and being reminded that the original did not! It's this level of awareness that will help you spot vulnerabilities, both in your code and in the code of others.