by sievebrain
3712 days ago
You can't always enforce correctness. Consider the case of a typical web dev shop that hires a developer who thinks escaping is a good solution to SQL injection. It might get snuck past code review if you're unlucky. There are static analysis tools that can identify such problems ... sometimes ... maybe ... depending on the language and frameworks in use. But to deploy such tools you have to know about them to begin with. And most devs can't simply produce such a tool if there isn't one on the market because that's not what they're being paid to do. Unfortunately, knowhow can't be automated away entirely just yet.

Analysis tools are the wrong approach - that code should be simply impossible if you're typing things correctly, and inadequately typed code should be very obvious in code review.

> And most devs can't simply produce such a tool if there isn't one on the market because that's not what they're being paid to do.

Most devs could write such a thing if the company told them to. The reason "that's not what they're being paid to do" comes down to process.
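
An added example, not part of either comment: a minimal sketch of the typing approach the reply describes, using Python and an in-memory SQLite database. The names `Query`, `sql`, `run` and `demo` are hypothetical, and the hostile input is constructed for the illustration.

```python
import sqlite3
from dataclasses import dataclass

try:  # Python 3.11+: type checkers flag non-literal templates (PEP 675)
    from typing import LiteralString
except ImportError:  # older interpreters: annotation only, behaviour unchanged
    LiteralString = str

@dataclass(frozen=True)
class Query:
    """SQL text with ? placeholders, kept apart from the values bound to them."""
    text: str
    params: tuple = ()

    def __add__(self, other):
        # Query + Query composes; Query + str falls through to TypeError.
        if not isinstance(other, Query):
            return NotImplemented
        return Query(self.text + " " + other.text, self.params + other.params)

def sql(template: LiteralString, *values) -> Query:
    """The single constructor: a fixed template plus separately bound values."""
    if template.count("?") != len(values):
        raise ValueError("placeholder/value count mismatch")
    return Query(template, tuple(values))

def run(conn, query: Query):
    """The only path to the database; a bare string is refused outright."""
    if not isinstance(query, Query):
        raise TypeError("run() takes a Query, not " + type(query).__name__)
    return conn.execute(query.text, query.params).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    hostile = "bob' OR '1'='1"  # constructed sample input
    # Typed path: the value is bound as data, so it matches no row.
    typed = run(conn, sql("SELECT name FROM users WHERE name = ?", hostile))
    # Concatenated path: never reaches the database.
    try:
        run(conn, "SELECT name FROM users WHERE name = '" + hostile + "'")
        rejected = False
    except TypeError:
        rejected = True
    composed = run(conn, sql("SELECT name FROM users WHERE role = ?", "user")
                   + sql("AND name = ?", "bob"))
    return typed, rejected, composed
```

The runtime check catches strings passed to `run`; a template built by concatenation inside `sql(...)` is only caught by a type checker that understands `LiteralString`, which leaves calls to `sql` as the one place a reviewer has to look.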