Comment by comex
5 hours ago
In most cases security is not a matter of adding anything in particular, but a matter of just not making specific types of mistakes.
5 hours ago
In most cases security is not a matter of adding anything in particular, but a matter of just not making specific types of mistakes.
Maybe I'm being dumb but that reads very contradictory? I would say that security is explicitly a matter of adding particular things.
Not an OP, but seems like you might be talking about different things.
Security could be about not adding certain things/making certain mistakes. Like not adding direct SQL queries with data inserted as part of the query string and instead using bindings or ORM.
If you have an insecure raw query that you feed into an ORM that you added on top, that's not going to make the query more secure.
But on the other hand when you're securing some endpoints in APIs you do add things like authorization, input validation and parsing.
So I think a lot depends on what you mean when you're talking about security.
Security is security: making sure bad things don't happen, and in some cases it's a different approach in the code, in some cases additions to the code, and in some cases removing things from the code.
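The SQL point in the reply above, as an added example (not the commenter's code): the same lookup written with string splicing, with that already-spliced string handed to a stand-in for an ORM's raw-execute method (hypothetical helper), and with driver-side parameter binding. It uses a constructed in-memory SQLite table.

```python
import sqlite3

def make_db():
    # Constructed sample data; an in-memory table so this runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn

def lookup_concat(conn, name):
    # The mistake: caller-supplied data spliced into the query text.
    # A quote in `name` changes the SQL grammar, so this both breaks on
    # legitimate names and lets crafted input alter the WHERE clause.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def run_raw(conn, sql):
    # Hypothetical stand-in for an ORM's "execute this raw SQL" entry point.
    return [row[0] for row in conn.execute(sql)]

def lookup_orm_raw(conn, name):
    # Same mistake: the query is already built as a string before the ORM
    # sees it, so the ORM layer on top adds nothing.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return run_raw(conn, sql)

def lookup_bound(conn, name):
    # The fix: the SQL text is fixed and the value travels as a parameter,
    # so whatever `name` contains is compared as data, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    print(lookup_bound(db, "o'brien"))   # the apostrophe is just data here
```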