Hi all,
As Ryan highlights, it's crucial to have a formal security review integrated into our review process. We're a small enough team at the moment that I think it should be easy to get everyone into the habit of keeping OWASP in mind when reviewing submitted code (and, indeed, when writing code), but a dedicated security reviewer would be a fantastic addition.
Our development team should be particularly vigilant when dealing with functionality involving user input, storing information about the system or the user, and parts of the system that expose data.
As the backend is a NodeJS app, we are naturally using many community contributed modules. This is another area we need to be careful to monitor so that we make sensible choices, although I'd say that auditing the source code of all the modules in use is unfeasible. I wonder if anyone has any suggestions on the best way to manage this particular issue? To begin with, I think it's important that we choose modules: that have a proven track record; that have a lively development community; where support is ongoing; that have already had several releases. Also, while we may not be able to review the code of all submitted modules, perhaps we can review the code of some - particularly those modules that we use in user authentication, data storage etc.
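One way to turn the module-selection criteria from the message above into something the team can actually run, as an added example that is not code from the original thread or from the project it discusses. It scores each entry in package.json against the npm registry's per-package document (the "versions", "time", "dist-tags" and "maintainers" fields of https://registry.npmjs.org/<name>) and flags which modules should get a source review. The package names, dates, the "dependencyRoles" field and the policy thresholds are constructed sample data and assumptions; in particular, maintainer count is only a crude stand-in for "lively development community".

```javascript
'use strict';
// Added example, not from the original thread. Scores npm dependencies
// against the selection criteria discussed above using the field layout of
// a registry document (https://registry.npmjs.org/<name>). Every package,
// date and threshold below is constructed sample data / an assumption.

const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical policy thresholds; tune to the team's appetite.
const POLICY = {
  minReleases: 5,           // "already had several releases"
  maxDaysSinceRelease: 365, // "support is ongoing"
  minMaintainers: 2,        // crude proxy for "lively development community"
  minAgeDays: 180,          // "proven track record"
};

// Roles whose modules get a source review even when they pass every check.
const SENSITIVE_ROLES = ['auth', 'storage', 'crypto'];

// Reduce a registry document to the numbers the policy looks at.
function summarize(doc, now) {
  const versions = doc.versions || {};
  const publishTimes = Object.keys(doc.time || {})
    .filter((k) => k !== 'created' && k !== 'modified')
    .map((k) => Date.parse(doc.time[k]))
    .filter(Number.isFinite);
  const latestTag = (doc['dist-tags'] || {}).latest;
  const latestVersion = versions[latestTag] || {};
  const newest = publishTimes.length ? Math.max(...publishTimes) : NaN;
  const oldest = publishTimes.length ? Math.min(...publishTimes) : NaN;
  return {
    name: doc.name,
    releases: Object.keys(versions).length,
    daysSinceRelease: Number.isFinite(newest) ? Math.floor((now - newest) / DAY_MS) : Infinity,
    ageDays: Number.isFinite(oldest) ? Math.floor((now - oldest) / DAY_MS) : 0,
    maintainers: (doc.maintainers || []).length,
    deprecated: Boolean(latestVersion.deprecated),
  };
}

// Apply the policy to one summarized package.
function evaluate(summary, role, policy = POLICY) {
  const findings = [];
  if (summary.deprecated) findings.push('latest version is deprecated');
  if (summary.releases < policy.minReleases) findings.push(`only ${summary.releases} release(s)`);
  if (summary.daysSinceRelease > policy.maxDaysSinceRelease) findings.push(`no release in ${summary.daysSinceRelease} days`);
  if (summary.maintainers < policy.minMaintainers) findings.push(`only ${summary.maintainers} maintainer(s)`);
  if (summary.ageDays < policy.minAgeDays) findings.push(`package is only ${summary.ageDays} days old`);
  return {
    name: summary.name,
    role,
    findings,
    verdict: findings.length === 0 ? 'accept' : 'review',
    // Read the source when the module is sensitive or anything looks off.
    sourceReview: SENSITIVE_ROLES.includes(role) || findings.length > 0,
  };
}

// Vet every entry in package.json "dependencies". "dependencyRoles" is a
// hypothetical extra field mapping a module to what the app uses it for.
function vetDependencies(pkgJson, registry, now = Date.now()) {
  const roles = pkgJson.dependencyRoles || {};
  return Object.keys(pkgJson.dependencies || {}).map((name) => {
    const role = roles[name] || 'general';
    if (!registry[name]) {
      return { name, role, findings: ['not found in registry snapshot'], verdict: 'review', sourceReview: true };
    }
    return evaluate(summarize(registry[name], now), role);
  });
}

// --- Constructed sample data (not real packages) -----------------------------
function fakeDoc(name, releases, maintainers, deprecated = false) {
  const versions = {}; const time = {};
  for (const [v, date] of releases) { versions[v] = { version: v }; time[v] = date; }
  const latest = releases[releases.length - 1][0];
  if (deprecated) versions[latest].deprecated = 'unmaintained';
  time.created = releases[0][1]; time.modified = releases[releases.length - 1][1];
  return { name, 'dist-tags': { latest }, versions, time, maintainers: maintainers.map((n) => ({ name: n })) };
}

const NOW = Date.parse('2014-06-01T00:00:00Z'); // fixed clock so the output is repeatable

const SAMPLE_REGISTRY = {
  'acme-auth': fakeDoc('acme-auth', [['0.1.0', '2012-01-10'], ['0.2.0', '2012-03-02'], ['0.3.0', '2012-07-19'],
    ['1.0.0', '2013-02-11'], ['1.1.0', '2013-09-30'], ['1.2.0', '2014-04-15']], ['ann', 'bo', 'cy']),
  'tiny-json-store': fakeDoc('tiny-json-store', [['0.0.1', '2014-05-20'], ['0.0.2', '2014-05-25']], ['dee']),
  'left-trim-lines': fakeDoc('left-trim-lines', [['0.1.0', '2011-03-01'], ['0.2.0', '2011-04-01'], ['0.3.0', '2011-06-01'],
    ['0.4.0', '2011-09-01'], ['0.5.0', '2011-12-01'], ['1.0.0', '2012-02-01'], ['1.0.1', '2012-05-01'], ['1.1.0', '2012-08-01']],
    ['ed', 'fay'], true),
};

const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'acme-auth': '^1.2.0', 'tiny-json-store': '^0.0.2', 'left-trim-lines': '^1.1.0', 'missing-mod': '*' },
  dependencyRoles: { 'acme-auth': 'auth', 'tiny-json-store': 'storage' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of vetDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY, NOW)) {
    console.log(`${r.verdict.padEnd(6)} ${r.name} (${r.role})${r.sourceReview ? ' [source review]' : ''}`);
    for (const f of r.findings) console.log(`       - ${f}`);
  }
}
```

Run it with node and the four sample entries come out as: acme-auth accepted but marked for source review because of its auth role; tiny-json-store sent for review (too few releases, one maintainer, brand new); left-trim-lines sent for review (deprecated, no release in over a year); missing-mod sent for review because the snapshot has no record of it. In real use the registry snapshot would be fetched per package and the policy numbers agreed by the team.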