Unfortunately, everyday programmers mostly know very little about security.
If you really want security, it's something that every programmer should be thinking about, at least in the back of their mind, on every line of code they write.
Maybe it should actually be the other way around? Isn't it possible to build frameworks (using relatively popular/easy languages) for the most popular application classes (CRUD web apps, IoT MCUs) that in many cases will isolate the developer from needing to think about security?
And if it's possible, and we already have a few such tools (like, say, Scala Lift, ARM mbed) but they somehow haven't yet become popular, why is that?
Many of them already are, but they aren't "sexy". I personally do a lot of .NET, and MVC 5 has relatively good defaults if you just install and go. ASP.NET Core is even better in some regards (CSRF tokens are completely transparent now). I think a lot of the problem is that people want to use a lot of new tech which hasn't had time to develop security as a convenience feature, or they just flat out don't want to use a framework.
If you're writing queries, either through an ORM or by hand, you need to be thinking about what data will be returned to the user. If you're not thinking about it, you'll create a data leak in the best case.
Nope, you've got it backwards :) If you really want security, it's something that no programmer should have to think about. Your language/framework/platform/API has to provide it for free. Trying to make every developer a security expert is a laughable proposition. That's my conclusion after 15 years in the security industry.
>If you really want security, it's something that every programmer should be thinking about, at least in the back of their mind, on every line of code they write.
Unless you're doing this with some level of competence, it's probably wrong.
Making line developers competent at security is a nice idea, but you have about 27 other things people have said that developers should be good at alongside security.
Yeah. There's a lot of security information that is easy to understand, but not very accessible. I've been thinking about writing a book on that topic, for that very reason.
Start out with things like "don't leave your telnet port open", which seems obvious but apparently is hard for a lot of people. Then from there lead to a reasonable understanding of Metasploit.