Junilu Lacar wrote: This is the classic "Build vs Buy" question, right? When it comes to security, there are certain things you don't want to do yourself but rather rely on reputable and trusted third parties. The prime example is crypto libraries. You don't want to roll your own when it comes to this. I wouldn't want to roll my own application security framework either. Frameworks like Spring Security are things that you leverage and build on top of.
I think the key is to understand whatever technologies you are using and include them in your security risk assessment and profile. You need to be constantly vigilant and diligent in keeping up with newly discovered vulnerabilities in these technologies and staying current with patches and updates. If anything, security is really an ongoing practice and discipline.
I use a lot of open source components for security, especially in Java. For crypto, Google KeyCzar. For encoding, the OWASP Java Encoder Project. BUT I verify all of them. I suggest you at least check to see if the project is active and if any security issues were found in the past. Also sign up for that project's security email list or dev list to understand what issues arise. Sure, use third party components, but do your due diligence to ensure quality and security and be ready to update quickly. This is not always easy.