@stephenbaileymagic I agree, it is always easier to consider security from the start rather than adding it later.
There are a wide variety of security issues, but a good starting point for any project is to consider security requirements along with other product/project requirements. There are many dimensions to security, so the initial practical challenge is to define the requirements.
What is the nature/sensitivity/quantity of the data being stored and processed?
Is confidentiality, integrity, and/or availability important?
What must the system do?
What must the system not do?
What physical security is required? (As a general rule, cybersecurity sits on top of physical security requirements. Once someone has physical access, we have to consider data theft, code theft, hardware modifications, software modifications, etc.)
Hopefully that will start you on the path toward determining what security controls are required.
For example, if I’m just blasting the outdoor temperature via RF and displaying it in my office, I may not care about confidentiality, integrity, or availability because there are no major consequences. But, if I’m using the same device to acquire data for HVAC control, data integrity could be very important (but I may still not care about confidentiality.)
On the other hand, if the system is processing personal information, then confidentiality is paramount and it would generally dictate protecting the data at rest and in motion. When dealing with sensitive personal data, I like to see two independent confidentiality layers (for example some data should be encrypted before sending it over a wireless connection, even if the wireless connection is also encrypted.) This can be more difficult on low-power embedded systems and we may need to compromise.
Next, I suggest including security test cases (both positive and negative tests) into your test case set. (I realize you may not have formal test cases for this sort of project, but I mention it because if I had $5 for every time I looked at a product with extensive test cases and didn’t find any security tests I would be retired by now.)
More specifically, for BLE, this looks like a good starting point: