The high-profile attacks and data-breaches of the last few years demonstrate the importance of securing software. While there are ever more tools that can analyze systems for vulnerabilities, these do not help the programmer write secure code in the first place. To prevent security from becoming a bottleneck–and to prevent expensive security mistakes from becoming increasingly probable–we need to make it easier to write provably secure software.

My work on policy-agnostic programming addresses the issue of unintentional information leaks by factoring out the implementation of information flow security from other functionality. In this paradigm, programmers specify policies about how sensitive data may be used directly with the data, instead of as conditional checks across a program. In this talk, I present dynamic and static approaches for policy-agnostic programming, show how to extend these approaches to support database-backed web applications, and discuss how the policy-agnostic approach can help us secure legacy code written in existing languages.
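
To make the paradigm concrete, the following is an added sketch (not code from the talk or from the speaker's tools) of a value that carries its own policy, so application code contains no access checks and enforcement happens once at the output boundary. The names `Sensitive`, `concretize`, `render` and `invitation`, and the sample data, are assumptions made for this illustration; it covers only values passed through functions, not branching on sensitive data.

```python
# Added illustration of policy-agnostic style; all names here are hypothetical.
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Sensitive:
    """A value that carries its policy: a secret facet, a public facet,
    and a predicate deciding which viewers may see the secret facet."""
    secret: Any
    public: Any
    may_see: Callable[[str], bool]

    def map(self, fn):
        # Apply the computation to both facets so that derived data
        # inherits the policy instead of escaping it.
        return Sensitive(fn(self.secret), fn(self.public), self.may_see)


def concretize(value, viewer):
    """Single enforcement point: pick a facet for this viewer at output time."""
    if isinstance(value, Sensitive):
        return value.secret if value.may_see(viewer) else value.public
    return value


def render(template, viewer, **fields):
    # Output sink: every field is resolved against the viewer here,
    # so callers never write "if viewer is allowed" checks themselves.
    resolved = {k: concretize(v, viewer) for k, v in fields.items()}
    return template.format(**resolved)


# Constructed sample data: an event location visible only to invited guests.
GUESTS = {"alice", "bob"}
location = Sensitive("12 Elm St", "undisclosed location", lambda v: v in GUESTS)


def invitation(viewer):
    # Application logic with no access checks: the policy follows the data.
    banner = location.map(lambda s: "Party at " + s.upper())
    return render("{banner} (host: {host})", viewer, banner=banner, host="carol")


if __name__ == "__main__":
    print(invitation("alice"))
    print(invitation("mallory"))
```
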