"Let me show some examples of CodeQL code analysis. Projects allowed us to show this."

  • JavaScript project
  • JavaScript project
  • Go project
  • JavaScript project
  • Java project

I don't know, it's kinda like security threats are kinda linked with some certain languages...

Ok, that's not exactly that, it's just that languages allow direct use of inputs without sanitation or things of the like.

It's more like our frameworks being stupid and not giving enough protection on the things they manage.

Django, for example, never lets an input coming from outside hit your code unsanitized. Sure, you can still do something stupid if you want, but at least that is prevented by the framework itself.


One cool thing about this CodeQL thingy is that it finds vulnerabilities by tracing how the data flows through the app.

... which is, basically, something I tout every time I talk about software development.

So I have to wonder, again, how would that work with Django, as it sanitizes input already.
