IMHO, it's both. In general, we've seen articles where some extremely basic npm package gets 'owned', raising the question of, 'why are we using a package to find leap years' or some such. So unnecessary package/library dependency is one. Of course, the naive response to it is to keep a 500-person security team, where each package an employee needs is reviewed one after another (by the 500-person team).
Alternatively, it's also language architecture that allows for memory-related bugs/leaks/etc. High-level languages vs low-level languages. So I wouldn't blame it all on packages. Of course, there's now a whole industry of money extraction based on package scanning and that.

- KB

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, December 14th, 2021 at 6:03 AM, Andrew Rowley <[email protected]> wrote:

> On 14/12/2021 12:04 am, John McKown wrote:
>
> > I don't think COBOL is explicitly, or implicitly, more secure than the base
> > Java language. The "problem" is not the Java language, but the Internet
> > infrastructure built into the Java libraries and "add on" facilities such
> > as LOG4J. A COBOL programmer would most likely write their own logging
> > facility whereas a Java programmer would have a much larger selection of
> > "prebuilt" libraries to use & would so likely use them. These facilities
> > might or might not have any vulnerabilities in them.
>
> I still see that as problems with the libraries rather than the
> language. You can choose whether or not to use the libraries that are
> available. I suspect that locally written software has many more
> security problems than commonly used libraries, but you end up with your
> own individual bugs rather than the bug that everyone on the internet
> knows about.
>
> --
> Andrew Rowley
> Black Hill Software
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
