Good article, Steve. I've got a few comments about it. First, I completely agree that having more secure code, to begin with, will help prevent problems down the road. However, as a developer and accidental DBA, I can say that it is much harder to implement than one would think.
I've written more than my fair share of ASP.NET apps with the username and password for a SQL Server database connection hard coded in plain text in the Web.Config file. My bad, although I defend myself by saying it was the only way I knew of storing a database connection. As time went by I learned that you can encrypt the connection info in a Web.Config file. And I've heard of other ways of storing the connection strings in Web.Config files.
At my current job they're very much into using integrated security, so it all relies upon a person's Windows authentication. This is much better than how we did it at my previous job. But even here that can cause other problems. Not so much with someone stealing a username/password pair, but with some sophisticated users who want to bypass the system altogether. I'm having to deal with that now, so I'm considering using a dedicated SQL login/user so that these users wouldn't just fire up Microsoft Access, map the SQL tables in ODBC and just go directly against the tables rather than use the app we're developing because, "I know what I want to do so I don't need your app".
I think the biggest problem is ignorance on a lot of people's part. I've mentioned before that they don't let anyone here go to any conferences or training. That's due to budget. Anyway, not being able to talk with others as to what's new out there, how people are hardening their systems, etc., leads us to not adopt better security practices simply because we do not know. I even went to our chief security officer a few months back, asking him for direction as to how we could better harden our software. He didn't have anything to offer me. A large part of that is because before he got into security, the technology he worked in was PHP, so he doesn't know .NET.
Along the lines of just plain being ignorant, I've only very recently learned of Azure's Key Vault. I was looking into it when other priorities pulled me away. And Steve, in your article you wrote, "Can we actually start to teach developers to use secrets and other run-time mechanisms...". Secrets? What's that? I presume it's a technology, or at least a paradigm, for better storing things like database connections. Again, ignorance due to lack of being able to get outside of our own environment is hurting us.
Kindest Regards,
Rod
Connect with me on LinkedIn.
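The Web.Config encryption mentioned in the comment above, as an added example that is not Rod's code or from the article: it encrypts the connectionStrings section with the built-in DPAPI provider via aspnet_regiis and then checks that no plaintext password remains. The application path is an assumption; it assumes .NET Framework 4.x and an elevated session on the server that hosts the app.

```powershell
# Added example: encrypt the <connectionStrings> section of a Web.config in place,
# then verify the result. Paths below are assumptions for illustration.
$AppPath = 'C:\inetpub\wwwroot\MyApp'   # hypothetical application root
$Regiis  = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$WebConfig = Join-Path $AppPath 'Web.config'

if (-not (Test-Path $Regiis))    { throw "aspnet_regiis.exe not found at $Regiis" }
if (-not (Test-Path $WebConfig)) { throw "Web.config not found at $WebConfig" }

# -pef encrypts a section by physical path. The DPAPI provider keys are bound to
# this machine, so a copy of the file taken off the server cannot be decrypted.
& $Regiis -pef 'connectionStrings' $AppPath -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Verify: the section must now name the provider and contain <EncryptedData>,
# and the raw file must no longer carry a Password= token.
[xml]$cfg = Get-Content $WebConfig
$section = $cfg.configuration.connectionStrings
if ($section.configProtectionProvider -ne 'DataProtectionConfigurationProvider' -or
    -not $section.EncryptedData) {
    throw 'connectionStrings section is not encrypted'
}
if ((Get-Content $WebConfig -Raw) -match '(?i)password\s*=') {
    throw 'plaintext password still present in Web.config'
}
Write-Host 'connectionStrings section encrypted; ConfigurationManager decrypts it transparently at run time.'
```

To reverse the operation for editing, the same tool accepts -pdf with the same section name and path.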