I'm more of a developer than a security guy, but I do security. I'm not very good at this "we find security holes afterwards" thing. I prefer a test-driven approach: constantly check for errors, fix them, and test that they do not occur again. I started a project in my company to test-drive our whole infrastructure to find issues, and I want to share my experience with that, how to do it, and also some funny stories about what we found.
Security is not that hard! You just need to start doing it.
And yes, I do some ISO27k bashing ;-)