1. 2

    … web apps fix those but then re-introduce their own very similar mistakes: SQL injection, XSS, XSRF, header injection, MIME confusion, and so on. This leads to a simple thesis: I put it to you that it’s impossible to write secure web apps.

    Not sure about that conclusion - SQL injection is preventable by prepared statements, XSS and XSRF are preventable by CORS. These aren’t considerations made in the design phase relating to the architecture that I’d agree are hard/impossible to prevent; these are exploits that should be handled by abstraction layers in the frameworks you use.

    1. 2

      SQL injection is preventable by prepared statements

      Or more precisely: parameterized queries, where parameters are never interpreted as part of the query. The distinction between the two is important at least in Postgres, because prepared statements require more work on the client side than parameterized queries do.
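
      As an added illustration of the point this comment makes (example code, not from the thread; it uses Python's standard-library sqlite3 driver in place of Postgres, and the table contents and tampered input are constructed):

      ```python
      import sqlite3


      def make_db() -> sqlite3.Connection:
          # Constructed in-memory table standing in for a real users table.
          conn = sqlite3.connect(":memory:")
          conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
          conn.executemany(
              "INSERT INTO users VALUES (?, ?)",
              [("alice", "admin"), ("bob", "user"), ("carol", "user")],
          )
          return conn


      def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
          # Vulnerable 'before': the input is spliced into the query text, so
          # quote characters in it are parsed as SQL rather than compared as data.
          sql = f"SELECT name FROM users WHERE name = '{name}'"
          return [row[0] for row in conn.execute(sql)]


      def lookup_param(conn: sqlite3.Connection, name: str) -> list:
          # Parameterized: the query text is fixed and the value travels as a
          # separate parameter, so it is never interpreted as part of the query.
          sql = "SELECT name FROM users WHERE name = ?"
          return [row[0] for row in conn.execute(sql, (name,))]


      # Constructed input containing SQL metacharacters, used to show the difference.
      TAMPERED = "x' OR '1'='1"


      def demo() -> tuple:
          # Returns (rows from the concatenated query, rows from the parameterized one).
          conn = make_db()
          return lookup_concat(conn, TAMPERED), lookup_param(conn, TAMPERED)


      if __name__ == "__main__":
          print(demo())  # → (['alice', 'bob', 'carol'], [])
      ```

      The concatenated version matches every row because the input rewrote the WHERE clause; the parameterized version matches none because no user is literally named `x' OR '1'='1`.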

      1. 2

        Just like memory overflows and double-frees should be solved by abstractions in the language you use :)

        1. 1

          XSS and XSRF are not preventable by CORS to my knowledge. On the contrary, they are intrinsic to web technology and bypass CORS.