●Stories
●Firehose
●All
●Popular
●Polls
●Software
●Thought Leadership
Submit
●
Login
●or
●
Sign up
●Topics:
●Devices
●Build
●Entertainment
●Technology
●Open Source
●Science
●YRO
●Follow us:
●RSS
●Facebook
●LinkedIn
●Twitter
●
Youtube
●
Mastodon
●Bluesky
Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!
Forgot your password?
Close
This discussion has been archived.
No new comments can be posted.
Load All Comments
Full
Abbreviated
Hidden
/Sea
Score:
5
4
3
2
1
0
-1
More
Login
Forgot your password?
Close
Close
Log In/Create an Account
●
All
●
Insightful
●
Informative
●
Interesting
●
Funny
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
bybradley13 ( 1118935 ) writes:
IMHO, these problems stem from the following source problems:
- Incompetent developers. Look at the number one problem, number one for years now: injection. I teach students how to avoid this the first time they touch a database, which is typically in year two of their degree program. It doesn't matter: half of them still write injectable queries, even though using "prepared statements" isn't any more complex. The thing is: there is so much code to be written, that even these students - who evidently don't u
byswilver ( 617741 ) writes:
Too many frameworks... that's a good one. You're worried about the vulnerabilities in some of the most stable, highly scrutinized, fully unit tested and secure frameworks Java has on offer and because of that... you roll your own.
I guess I know what is really wrong with the industry: developers that think they can create their own framework, replacing several dozen man years of coding, debugging and testing in just a few days -- and then having the arrogance to think it will contain less vulnerabilities ri
byTheRaven64 ( 641858 ) writes:
Depend on the amount of code from the framework you actually need. If you're bringing in half a million lines of code to do something that could be done in a couple of thousand, then you're probably better off rolling your own: it's going to have far more tightly coupled logic and be more amenable to static analysis, as well as being an easier target to fuzz test.
If, on the other hand, you end up implementing most of the logic in a dependency, then you're probably better off using the one that's widely deployed. Even then it's not so clear cut, because it depends a bit on your threat model. There will likely be more vulnerabilities in your code, but (for most deployments) there will be more attackers for the generic code because other higher-value targets will be using the same framework and someone who finds a vulnerability in it will be doing so with the aim of attacking one of them - but that doesn't help you when the script kiddie that buys their exploit decides to attack you though. You're trading increased vulnerability to generic attacks for increased vulnerability for targeted attacks.
Parent
twitter
facebook
There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.
Slashdot
●
●
Submit Story
It is much harder to find a job than to keep one.
●FAQ
●Story Archive
●Hall of Fame
●Advertising
●Terms
●Privacy Statement
●About
●Feedback
●Mobile View
●Blog
Do Not Sell or Share My Personal Information
Copyright © 2026 Slashdot Media. All Rights Reserved.
×
Close
Working...
Working...