Consider using SAL (Microsoft's source code annotation language) for any new code, and annotate functions that take writable buffers as arguments. Consider annotating readable buffers too.
Over time you should remove all banned APIs from your C and C++ codebase. Use the list provided at http://msdn.microsoft.com/security as a starting point. Functions like strcpy and strcat should be removed first because they are the most prone to error.
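The two points above fit together: the replacement for a banned function is one that takes the destination size, and the SAL annotation records that size so the analyzer can check callers. The following is an added example, not code from the original text; the fallback macros for non-Microsoft compilers and the function names `safe_copy` and `safe_append` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SAL lives in <sal.h> and is understood by the Visual C++ compiler and its
 * /analyze pass. On other compilers the annotations expand to nothing so the
 * same source still builds; this fallback is an assumption of the example. */
#ifdef _MSC_VER
#include <sal.h>
#else
#define _In_z_
#define _Out_writes_z_(n)
#define _Inout_updates_z_(n)
#endif

/* Banned strcpy has no idea how big dest is. The replacement takes dest_size,
 * and _Out_writes_z_(dest_size) ties the pointer to that size for the analyzer.
 * Returns 0 on success, -1 (with dest emptied) if src would not fit. */
int safe_copy(_Out_writes_z_(dest_size) char *dest, size_t dest_size,
              _In_z_ const char *src)
{
    size_t n;
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dest_size) {          /* would truncate: refuse, leave dest empty */
        dest[0] = '\0';
        return -1;
    }
    memcpy(dest, src, n + 1);      /* n + 1 includes the terminating NUL */
    return 0;
}

/* Replacement for banned strcat: dest is read and written, so it is annotated
 * _Inout_updates_z_. Returns 0 on success, -1 if the result would not fit;
 * dest is left unchanged on failure. */
int safe_append(_Inout_updates_z_(dest_size) char *dest, size_t dest_size,
                _In_z_ const char *src)
{
    size_t used, n;
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    used = strnlen(dest, dest_size);
    if (used == dest_size)         /* dest has no NUL within its size */
        return -1;
    n = strlen(src);
    if (n >= dest_size - used)     /* no room for src plus NUL */
        return -1;
    memcpy(dest + used, src, n + 1);
    return 0;
}

int main(void)
{
    char buf[16];
    printf("copy:     %d -> \"%s\"\n", safe_copy(buf, sizeof buf, "hello"), buf);
    printf("append:   %d -> \"%s\"\n", safe_append(buf, sizeof buf, " world"), buf);
    printf("overflow: %d -> \"%s\" (unchanged)\n",
           safe_append(buf, sizeof buf, "!!!!!"), buf);
    return 0;
}
```

Refusing rather than silently truncating is a deliberate choice: a truncated path or command string is itself a classic source of bugs, so the caller is made to handle the failure.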
Over time you should remove all banned cryptography from your codebase. Use the list of banned cryptographic algorithms provided at http://msdn.microsoft.com/security. Also start planning for cryptoagility.
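Crypto agility in practice means that stored values name the algorithm that produced them and that a single policy table decides which algorithms may protect new data, which may only verify old data, and which are refused. The following is an added example of that structure, not code from the original text; the tag format `$<alg>$<data>`, the policy table contents and the function names are assumptions made for the example, and the actual hashing or encryption is outside its scope.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status of an algorithm under the project's policy (enum names assumed). */
enum alg_status { ALG_BANNED, ALG_LEGACY, ALG_APPROVED };

struct alg_policy {
    const char *name;
    enum alg_status status;
};

/* Assumed policy table for the example: banned algorithms are refused outright,
 * legacy ones may still verify existing data but never protect new data. */
static const struct alg_policy policy[] = {
    { "md5",    ALG_BANNED   },
    { "sha1",   ALG_LEGACY   },
    { "sha256", ALG_APPROVED },
    { "sha512", ALG_APPROVED },
};

enum alg_action { ACT_REJECT, ACT_ACCEPT_AND_UPGRADE, ACT_ACCEPT };

/* Stored values carry their algorithm as a tag: "$<alg>$<encoded data>".
 * Copies the algorithm name into alg (bounded by alg_size) and returns a
 * pointer to the data part, or NULL if the tag is malformed. */
const char *parse_tag(const char *stored, char *alg, size_t alg_size)
{
    const char *end;
    size_t n;
    if (stored == NULL || stored[0] != '$')
        return NULL;
    end = strchr(stored + 1, '$');
    if (end == NULL)
        return NULL;
    n = (size_t)(end - (stored + 1));
    if (n == 0 || n >= alg_size)
        return NULL;
    memcpy(alg, stored + 1, n);
    alg[n] = '\0';
    return end + 1;
}

static const struct alg_policy *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].name, name) == 0)
            return &policy[i];
    return NULL;   /* unknown algorithm: callers treat it like a banned one */
}

/* Decide what to do with a stored value: unknown and banned algorithms are
 * rejected, legacy ones are accepted only together with an upgrade to the
 * current algorithm, approved ones pass as they are. */
enum alg_action check_stored(const char *stored)
{
    char alg[32];
    const struct alg_policy *p;
    if (parse_tag(stored, alg, sizeof alg) == NULL)
        return ACT_REJECT;
    p = lookup(alg);
    if (p == NULL || p->status == ALG_BANNED)
        return ACT_REJECT;
    return p->status == ALG_LEGACY ? ACT_ACCEPT_AND_UPGRADE : ACT_ACCEPT;
}

/* The one place that names the algorithm for new data; changing it here
 * (and the table above) is what retiring an algorithm should cost. */
const char *current_algorithm(void)
{
    return "sha256";
}

int main(void)
{
    /* constructed sample values, not real digests */
    const char *samples[] = {
        "$md5$deadbeef", "$sha1$cafebabe", "$sha256$0123abcd", "$rc4$ff", "no-tag"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> action %d\n", samples[i], (int)check_stored(samples[i]));
    return 0;
}
```

The upgrade path matters as much as the ban: data protected with a legacy algorithm is accepted once, re-protected with `current_algorithm()`, and from then on the legacy entry can be moved to `ALG_BANNED` without a flag day.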
Determine as soon as possible a good toolset to use, and draw up a list of warnings you consider heinous. Any error or warning that relates to buffer overruns or integer overflow problems should be top of the list to fix.
Compile your code with /GS, and link with /SafeSEH, /DynamicBase and /NXCompat.
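Setting the linker options is only half the job; a build that loses one of them in a project-file merge still links cleanly. /DynamicBase and /NXCompat are recorded in the PE optional header's DllCharacteristics word, so they can be checked on the output binary. The following is an added example of such a check, not code from the original text; it reads the header with its own bounds-checked parser so it builds without the Windows SDK, and the constructed sample header and the function names are assumptions made for the example. /SafeSEH (recorded in the load config directory, x86 only) and /GS (a code-generation change) are not visible in this word and are not checked here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics flags from the PE specification. */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* image may be relocated, set by /DynamicBase */
#define DLLCHAR_NX_COMPAT    0x0100   /* image is DEP-aware, set by /NXCompat */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks DOS header -> PE signature -> optional header and returns the
 * DllCharacteristics word. Every offset is checked against len because the
 * file is untrusted input. Returns 0 on success, -1 on malformed input. */
int pe_dll_characteristics(const unsigned char *img, size_t len, uint16_t *out)
{
    uint32_t pe_off;
    uint16_t opt_size, magic;
    if (img == NULL || out == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    pe_off = rd32(img + 0x3c);                      /* e_lfanew */
    if (pe_off > len || len - pe_off < 24)          /* "PE\0\0" + 20-byte COFF header */
        return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0)
        return -1;
    opt_size = rd16(img + pe_off + 20);             /* SizeOfOptionalHeader */
    if (opt_size < 72 || len - pe_off - 24 < opt_size)
        return -1;
    magic = rd16(img + pe_off + 24);
    if (magic != 0x10b && magic != 0x20b)           /* PE32 or PE32+ */
        return -1;
    *out = rd16(img + pe_off + 24 + 70);            /* same offset in both formats */
    return 0;
}

int pe_has_dynamic_base(uint16_t dllchars) { return (dllchars & DLLCHAR_DYNAMIC_BASE) != 0; }
int pe_has_nx_compat(uint16_t dllchars)    { return (dllchars & DLLCHAR_NX_COMPAT) != 0; }

/* Builds a minimal constructed PE32+ header (headers only, not a loadable
 * image) carrying the given DllCharacteristics, so the parser can be
 * exercised offline. Returns the number of bytes written, 0 if buf is small. */
size_t build_sample_pe(uint16_t dllchars, unsigned char *buf, size_t len)
{
    const size_t pe_off = 0x40, total = 0x40 + 24 + 240;
    if (len < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (unsigned char)pe_off;                /* e_lfanew = 0x40 */
    memcpy(buf + pe_off, "PE\0\0", 4);
    buf[pe_off + 4] = 0x64; buf[pe_off + 5] = 0x86;   /* Machine = x64 */
    buf[pe_off + 20] = 240;                           /* SizeOfOptionalHeader */
    buf[pe_off + 24] = 0x0b; buf[pe_off + 25] = 0x02; /* Magic = PE32+ */
    buf[pe_off + 24 + 70] = (unsigned char)(dllchars & 0xff);
    buf[pe_off + 24 + 71] = (unsigned char)(dllchars >> 8);
    return total;
}

int main(int argc, char **argv)
{
    unsigned char buf[1 << 16];                       /* headers sit at the file start */
    size_t n;
    uint16_t dc;
    if (argc > 1) {                                   /* check a real binary */
        FILE *f = fopen(argv[1], "rb");
        if (f == NULL) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {                                          /* or the constructed sample */
        n = build_sample_pe(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT, buf, sizeof buf);
    }
    if (pe_dll_characteristics(buf, n, &dc) != 0) { puts("not a PE image"); return 1; }
    printf("DynamicBase: %s\nNXCompat:    %s\n",
           pe_has_dynamic_base(dc) ? "yes" : "MISSING",
           pe_has_nx_compat(dc) ? "yes" : "MISSING");
    return 0;
}
```

Run it over every binary the build produces as a post-link step and fail the build on MISSING; that turns the linker options into a checked property rather than a convention.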
