With so many APIs and frameworks out there, there are many different ways to accomplish the same task. The problem is that each way (or method) usually exhibits different behavior when given malicious input. The challenge for us is to (1) find bad behavior in the APIs/frameworks we use, (2) apply fixes consistently, and (3) remember all of the ways things can go wrong. (1) is difficult but doable, (2) is more challenging, and (3) is arguably impossible for a person to do alone. The fact that APIs change frequently, even if changed for the better, exacerbates the problem because it’s costly to go back and consistently make changes across existing applications.