It is undeniable fact that to be considered high-quality software should be both secure and reliable. Michael Howard emphasis on that there is no need to protect your product from all possible threats that can appear but to decide on what are the most likely threats and then try to "treat" them. He also suggests building threat models in order to decompose the system into blocks.
There are few if any good advices: threat trees, STRIDE, DREAD and so on... but you can find out your own :)
Besides ACE Team - Security, Performance & Privacy has released a free tool for threat modeling.