It sounds simple. We can improve security, and reduce the need for more security IT people, by writing better code. That's certainly true, and it's one of the things I preach about often. Developers should learn secure coding and the better practices for writing code that doesn't contain vulnerabilities. There are well-known patterns and practices, parameterized queries first among them, that can dramatically reduce SQL Injection problems and produce code that is more secure.
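To make the pattern concrete, here is an added example (not code from the original editorial) showing the string-concatenation habit that causes SQL Injection next to the parameterized form that prevents it. It uses Python's built-in sqlite3 module as a stand-in for SQL Server so it runs offline; in .NET the same idea is a SqlCommand with SqlParameter objects instead of a concatenated string. The users table, its rows, and the payload are constructed for the illustration.

```python
import sqlite3

# Constructed sample data: a small users table standing in for a real SQL Server table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "admin"),
    (2, "bob", "bob@example.com", "user"),
    (3, "carol", "carol@example.com", "user"),
]

# A classic tautology payload: if it is spliced into the SQL text, every row matches.
PAYLOAD = "x' OR '1'='1"

# Identifiers (column names) cannot be passed as parameters, so they get an allow-list instead.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the user-supplied value becomes part of the SQL text itself."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value travels separately and is never parsed as SQL."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_users_sorted(conn, sort_by):
    """Parameters do not cover identifiers such as an ORDER BY column; validate those
    against a fixed allow-list before they ever touch the statement text."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    return conn.execute("SELECT id, name, role FROM users ORDER BY " + sort_by).fetchall()


def demo():
    """Run both lookups against the same payload and return the results side by side."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),      # every row leaks
        "parameterized": lookup_parameterized(conn, PAYLOAD),  # no user named "x' OR '1'='1"
        "legit": lookup_parameterized(conn, "bob"),            # normal lookups still work
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns all three rows for the payload because the quote closes the string literal and the rest becomes live SQL; the parameterized lookup returns nothing, since the whole payload is compared as one literal value. Note the third function: placeholders only work for values, so anything that selects a table or column must be checked against an allow-list rather than "escaped".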
We know that secure coding is an issue in our industry. Various companies are trying to write better code, including Microsoft. They have done a fantastic job reducing vulnerabilities in SQL Server over the last few versions, and there is a whole section on writing secure code on MSDN to help you get better. All developers working with .NET need to review the secure coding practices from Microsoft and apply them in any code they write or refactor.
However, it takes more than developers to ensure that good code is being written. Managers need to allow more time for code to be written while developers learn to implement the patterns and frameworks that result in secure code. Management needs to make it a priority for developers to keep learning new secure coding techniques, and to allow time for security testing of the code before it ships.
We are building more and more applications all the time, often at a frantic pace. Writing good code doesn't usually take more time than writing poor code, but you have to know how to write it that way. While developers are still learning and incorporating secure coding techniques, their productivity will dip, and without management support through that dip, I worry we will continue to deploy applications with the same vulnerabilities that have existed for years.
Advocate for secure code to management, pass along headlines that show the problems associated with insecure coding, and even request penetration tests. We can make a difference in the industry with patience and persistence over time.