(If this looks familiar, it's because we had it in last episode's news queue. We ran out of time to cover it, but there were some still-relevant points I wanted to highlight.)
I've been a long-time fan of Clang and LLVM. Their various analyzers are immensely helpful for discovering and fixing issues that lead to bugs and security flaws.
This article highlights security researchers' desire to work more directly through the compiler toolchain, for example by reviewing and manipulating the AST to find all sorts of security issues. (In fact, the analyzers work on the CFG, not the AST -- which I didn't realize.) It points out that Clang is built to optimize code and serve developers, but it doesn't have all the features a security researcher would want.
But if you don't care about compiled code or the few acronyms in this summary have already thrown you off, think instead about the development toolchains you currently use and how well they can be instrumented for security purposes.