Depending on your approach to delivering software, I believe the implementation of this can take different forms. I appreciate your question was looking for something concrete, and perhaps this is a little more opinionated, but I have seen this done in a number of different ways on several projects. Here are some first-offs for getting started:
First off, follow @A. Hersean's suggestion and head to the OWASP cheatsheets.
Second, do some Threat Profiling. Similar to user profiles (personas; your UX person will know about this), do some misuser profiles. Understand where the threat is likely to come from, i.e. are you more likely to have a nation-state black-ops team hit you with a sophisticated attack, or is it more likely that Jo from accounts has just lost their job and is trying to download a load of personal user data to hurt the company on their way out the door? It matters so you know what level of technical ability you're likely to need to protect against.
Next, I always think Threat Modelling is useful to consider the types of attacks you're likely to face given the context of your system. Head back to OWASP and check out the Threat Modelling Cheatsheet, or try Jim Gumbley & Fraser Scott's presentation on the subject; slides 15 to 20 can really point you in the right direction of thinking.
Last suggestion, but definitely not completing the list, is to have regular conversations with your BAs. Get involved with stories before development is started and consider early the threats that could creep in. Make sure devs are aware of the threats when they pick up a story and make sure they're building it in from the start.
A good read that really considers all of the bits outside of automated software testing is Agile Application Security. I'd definitely suggest checking it out.