Hi, I think there are already some really good examples in this thread, but if I were to pick one thing that I think is common, and the culprit of many security flaws, it would be input validation.
Input validation can mitigate several vulnerabilities such as XSS, Open Redirects, SSRF, and more. The vulnerabilities can be complex but input validation is, at its core, not that difficult. Sure, some validation can be very tricky to get right but a little goes a long way and a lot of times security flaws are caused by a complete absence of validation.
Our observation is that there’s a challenge for developers to remember to validate input in order to secure the code. In Secure by Design we approach this challenge by stressing the importance of business/domain validation. That is, asking the developers to make the domain logic really crisp. The end goal is still to achieve input validation but we approach it, and motivate it, from a different perspective.
It's also good to remember that, in most applications, nothing is "just a string". Input is usually expected to be "something" and that "something" can be verified via validation.
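To make the "nothing is just a string" point concrete, here is an added example in Python. It is not code from the post or from the Secure by Design book; the class names `Username` and `RedirectTarget`, the username rule and the redirect rule are assumptions chosen for illustration. Each type can only be constructed from input that satisfies its domain rule, so the open-redirect case mentioned above is rejected at the boundary and code further in never has to re-check a raw string.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example, not code from the post or from the Secure by Design book.
# The class names, the username rule and the redirect rule are assumptions
# chosen for illustration; a real application derives them from its domain.

# Assumed domain rule: 3-32 chars, lowercase letters, digits, underscore,
# and it must start with a letter.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


@dataclass(frozen=True)
class Username:
    """A username that exists only if the raw input met the domain rule."""
    value: str

    def __post_init__(self) -> None:
        if not isinstance(self.value, str):
            raise TypeError("username must be a string")
        if USERNAME_RE.fullmatch(self.value) is None:
            raise ValueError("username must match [a-z][a-z0-9_]{2,31}")


@dataclass(frozen=True)
class RedirectTarget:
    """A site-relative path to redirect to after login.

    Rejecting absolute URLs, scheme-relative URLs (//host) and backslashes
    is what keeps a "next" parameter from becoming an open redirect.
    """
    path: str

    def __post_init__(self) -> None:
        if not isinstance(self.path, str):
            raise TypeError("redirect target must be a string")
        raw = self.path
        # Must be an absolute path on this site: starts with exactly one "/".
        if not raw.startswith("/") or raw.startswith("//"):
            raise ValueError("redirect target must start with a single '/'")
        # Browsers may treat "\" like "/", and CR/LF could split headers.
        if any(ch in raw for ch in "\\\r\n\t"):
            raise ValueError("backslashes and control characters are not allowed")
        parts = urlsplit(raw)
        # Defence in depth: no scheme or host may survive parsing.
        if parts.scheme or parts.netloc:
            raise ValueError("redirect target must not contain a scheme or host")


def parse(primitive, raw):
    """Try to build a domain primitive; return None instead of raising."""
    try:
        return primitive(raw)
    except (TypeError, ValueError):
        return None


def login_redirect(raw_username, raw_next, default="/"):
    """Typical use at a boundary: validate once, then pass typed values inward.

    Returns (username, path) where path is the validated redirect target or
    the default; raises ValueError if the username is not acceptable at all.
    """
    user = Username(raw_username)  # raises on bad input
    target = parse(RedirectTarget, raw_next) if raw_next is not None else None
    path = target.path if target else default
    return user.value, path


if __name__ == "__main__":
    print(login_redirect("alice_01", "/account?tab=2"))
    print(login_redirect("alice_01", "//evil.example/"))
```

The design choice is that a bad username is an error (the request is not a valid request at all), while a bad redirect target silently falls back to the default, since the user still logged in correctly; which of the two behaviours fits each value is itself a domain decision.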