by avery17 678 days ago
I always thought the internet would get more sophisticated and secure as time went on and my days of SQL injection were limited to my teenage years, but it seems as the internet becomes more accessible the number of amateur developers putting insecure websites up is rising rapidly.
2 comments

Web dev land has a borderline pathological obsession with NEW NEW NEW, which contributes to much of it.
That's not the reason why web development is in its current state (not bad, actually). The reason is simple: it is difficult and therefore costly to make good and secure web apps, and their owners are not willing to spend money/energy on this. Actually I would argue the speed of changes in web development is useful, because it lowers this cost. HN folks love to hate on e.g. Next.js and Vercel, but there's a reason they're so popular (though you should still spend much more resources on UX and security than the average Next.js dev does).
A lot of companies with SQL injection vulnerabilities remediated them by buying security appliances advertised to stop SQL injection attacks. That works for a while until time and turnover result in someone optimizing the appliance out of the stack. Then the cycle repeats.
Those things are digital snake oil. If you turn on the web application firewall (WAF) features your app breaks. If you “tune” it to fix that, you let the attackers back through.

You can’t use a dumb appliance to fix developer stupidity.

That doesn’t stop businesses from falling for the sales pitch.
Or auditors from ticking that box.
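An added example, not from the thread or any commenter, illustrating the point made above about appliance rules versus fixing the code. It uses a hypothetical keyword-and-quote blocklist in the style of a "tuned" WAF rule, a string-built query, and the parameterized query that is the actual remediation, all run against constructed sample rows in an in-memory SQLite database. The names, rows and the blocklist pattern are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows (not from the thread): a surname with an apostrophe
# and a surname that happens to be an SQL keyword are both legitimate data.
USERS = [("alice", "O'Brien"), ("bob", "Select"), ("carol", "Smith")]

# Hypothetical edge rule: block SQL keywords and single quotes. This is the kind
# of pattern an appliance ships with, and the kind that gets loosened after it
# starts rejecting real customers.
BLOCKLIST = re.compile(r"(?i)\b(select|union|drop|insert)\b|'")


def waf_allows(value: str) -> bool:
    """Return True if the naive blocklist would let this input through."""
    return BLOCKLIST.search(value) is None


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_by_surname_concat(conn: sqlite3.Connection, surname: str) -> list:
    """The defect: SQL built by string concatenation. Any apostrophe in the data
    changes the statement, so even honest input like O'Brien breaks it."""
    sql = "SELECT username FROM users WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_surname_param(conn: sqlite3.Connection, surname: str) -> list:
    """The fix: a parameterized query. The driver passes the value separately,
    so it is never parsed as SQL and no edge filter is needed to protect it."""
    rows = conn.execute("SELECT username FROM users WHERE surname = ?", (surname,))
    return [row[0] for row in rows]


def lookup_behind_waf(conn: sqlite3.Connection, surname: str):
    """The unfixed app sitting behind the blocklist: legitimate requests are
    dropped at the edge (returns None) while the underlying bug is untouched."""
    if not waf_allows(surname):
        return None
    return find_by_surname_concat(conn, surname)


def demo() -> dict:
    """Run each variant on the sample data and collect the outcomes."""
    conn = setup_db()
    out = {}
    out["param_obrien"] = find_by_surname_param(conn, "O'Brien")
    out["param_select"] = find_by_surname_param(conn, "Select")
    try:
        find_by_surname_concat(conn, "O'Brien")
        out["concat_obrien"] = "ok"
    except sqlite3.OperationalError:
        out["concat_obrien"] = "syntax error"
    out["waf_obrien"] = lookup_behind_waf(conn, "O'Brien")   # blocked customer
    out["waf_smith"] = lookup_behind_waf(conn, "Smith")      # passes, bug remains
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version returns the right row for both O'Brien and Select with no filter in front of it; the concatenated version fails on an ordinary apostrophe, and the blocklist "fixes" that only by refusing the request. Loosening the rule to admit apostrophes puts the original defect straight back in the request path, which is the cycle the comments above describe.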