“If you could wave a magic wand and do anything to reduce vulnerabilities, what would you do?”
Some common answers are things like training and education, forcing penetration testing, better tools, and smarter users, but none of these things really strike at the core of the issue. Where is the vulnerability garden? Where are those vulnerabilities planted? Can we make that soil hostile to vulnerabilities and rich for good coding practices?
We can. The answer is to make it as hard as possible to introduce vulnerabilities in the first place. The best way to accomplish that is to provide developers with libraries, frameworks, defaults, and wrappers so that every developer finds it easy to Fall Into The Pit of Success.
Choosing better frameworks that have good ORMs (fewer SQLi), templating engines (fewer XSS), authentication systems, and other security controls can massively reduce the likelihood of a vulnerability. You can mitigate entire classes of vulnerabilities through these good choices.
A security team can take this to the next level by selecting great libraries that are secure by default, by setting secure defaults through settings or policy, and by creating wrappers for existing libraries to instill security best practices into existing libraries.
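As an added illustration of the "wrapper" idea (this is example code written for this post, not anything from the article or from any real library), here is a small, hypothetical data-access wrapper around Python's built-in `sqlite3` module. Its single query method only accepts `?` placeholders plus a separate list of bound values, and it refuses SQL that contains quoted literals or a placeholder count that does not match the values. The point is the pit of success: the obvious way to get user data into a query is the parameterized way, and the string-building habit that produces SQL injection is rejected at call time instead of silently working. The table and rows are constructed sample data.

```python
import sqlite3
from typing import Any, Sequence


class UnsafeQueryError(ValueError):
    """Raised when a caller tries to bypass parameter binding."""


class SafeDB:
    """Hypothetical secure-by-default wrapper around sqlite3.

    The only way to run a query is execute(sql, params); values must travel
    through bound parameters, never inside the SQL text itself.
    """

    def __init__(self, path: str = ":memory:") -> None:
        self._conn = sqlite3.connect(path)

    def execute(self, sql: str, params: Sequence[Any] = ()) -> list:
        # Guard rail 1: no quoted literals in the SQL text. Anything a caller
        # wants to compare against must arrive as a bound value.
        if "'" in sql or '"' in sql:
            raise UnsafeQueryError("no quoted literals in SQL; bind values with ? instead")
        # Guard rail 2: every placeholder must have exactly one value, and vice versa.
        if sql.count("?") != len(params):
            raise UnsafeQueryError(
                f"{sql.count('?')} placeholder(s) but {len(params)} bound value(s)"
            )
        cur = self._conn.execute(sql, tuple(params))
        self._conn.commit()
        return cur.fetchall()


def build_users_db() -> SafeDB:
    """Create an in-memory database with two constructed sample rows."""
    db = SafeDB()
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    for name in ("alice", "bob"):  # constructed sample data
        db.execute("INSERT INTO users (name) VALUES (?)", [name])
    return db


def find_user(db: SafeDB, name: str) -> list:
    """The easy path: placeholder plus bound value. Quotes in `name` are just data."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", [name])


def find_user_string_built(db: SafeDB, name: str) -> list:
    """The habit we want to make impossible: splicing data into the SQL text.

    With a raw sqlite3 connection this is the classic injection pattern; through
    the wrapper it raises UnsafeQueryError before anything is executed.
    """
    return db.execute(f"SELECT id, name FROM users WHERE name = '{name}'")


def rejects_string_built_query(db: SafeDB) -> bool:
    """Return True if the wrapper refuses the string-built query."""
    try:
        find_user_string_built(db, "alice")
    except UnsafeQueryError:
        return True
    return False


if __name__ == "__main__":
    db = build_users_db()
    print(find_user(db, "alice"))                  # [(1, 'alice')]
    print(find_user(db, "alice' OR 'x'='x"))       # [] -- the quote is data, not SQL
    print(rejects_string_built_query(db))          # True
```

The design choice worth noting is that the wrapper does not try to "sanitize" input; it removes the option of writing the insecure call at all. A developer who reaches for an f-string gets an immediate, descriptive error in their own test run, which costs them seconds, whereas finding the same bug in a penetration test months later costs everyone far more.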
The critical point to this, though, is that you must make it easier to do the secure thing than the insecure thing. If you ask developers to meet you half way or to adopt a new way that takes more time, you will fail. Developers want to build secure software, but they have massive pressure to deliver on features and hit deadlines. The pressure to ship and generate revenue will almost always win out over spending the time and money necessary to create more secure software. This is the real world after all.
Make it easy, let them fall into the pit of success.
This mini-post was partially inspired by this article from Clint Gibler, who has an excellent blog and newsletter at tldrsec.com. Particularly this excellent mega-post: What I Learned Watching All 44 AppSec Cali 2019 Talks - tl;dr sec