Software engineers typically make hundreds of decisions every day and in my experience no one sets out to write insecure code, so everyone is well meaning however in those decisions some have a bearing on security outcomes and some don’t. It is vital that developers spot security-relevant decisions as they are encountered, and have a clear sense of when security input is needed.
An interesting project that is on my radar is The Motivating Jenny project which sets out to understand how to develop more secure software. The approach being explored is an interesting one to me they have identified that developers if trained to identify security sensitive aspects they see better outcomes. They found that for more secure code code, developers need to learn how to recognise where security input is needed and apply their knowledge and access support as needed and hence get better outcomes on the whole.
Research from Motivating Jenny identified that a developer responds to the security needs in these situations within common dimensions of development practice. The dynamics are summarised in the diagram below.
Its going to be interested testing out this approach in the real world and seeing the results. In my opinion anything that can produce more secure code is worth a try.