Great questions...
> Do you think that the EE6-libraries are safer than external frameworks?
No. Not necessarily. It's possible to write a secure or insecure app using just about any framework. In theory, frameworks should provide the standard security controls to make security easier. Unfortunately, many of them are so powerful that they make some kinds of security mistakes easier. In the end, it's really about understanding the technology, and making sure that there are defenses in place for the risks you foresee.
> Are security issues always related to the frameworks being used or does it have to do with the lack of knowledge of developers?
I don't look to frameworks to solve every security issue, so there is a lack of knowledge issue associated with every security flaw. However, I'm optimistic that frameworks can be used to make security massively simpler for developers.
> How do you keep your product up to date with all the security issues of the different frameworks in the market?
Two ways. First, because Contrast runs inside the running application, we don't have to know as much about the inner workings of the framework as, say, a static analysis tool. But we do have an excellent research team that makes sure our product works properly on new frameworks.
You should see our test suite... We test on about 20 different containers across six or seven operating systems and all the major frameworks. Each one of those combinations gets thousands of test cases run every time we change our agent.