A lot of times you don’t have any control over it, like the log4j vulnerability catastrophe – people built applications on top of that software. You, the developer, may have written rock-solid secure code, but log4j wasn’t.
The ELI5 of it is that most people don’t write bespoke code; that would be insane. We use libraries that are written by other developers. When someone says ‘framework’, what they often mean is something like AngularJS. Think of it like having a building that is delivered to you in pieces on flatbed trucks. You can assemble them many different ways, but you don’t have to sit there and wonder how you are going to make a wall. You have lots of walls sitting around. If those parts, if AngularJS itself, has a security vulnerability, **you, the application developer, may not be aware of it.**