So take a very simple requirement like logging output from your software, and use a big framework like Log4J that is packed full of functionality you don’t understand.
What could possibly go wrong?
Log4J is a bit of a wake-up call about how developers need to be more careful about what code and tools they include in their software. Complexity is a real problem when it comes to security. It’s analogous to the problems that Covid exposed in our supply chain.
This all ties into how we think about quality assurance. Prashanth Sri and I discuss this in this video.
The question is: how well is this problem understood in the wider industry? At this point, not too widely, I think.