[WEB SECURITY] Is a vulnerability a vulnerability if you didn't actively expose it?
Tasos Laskos
tasos.laskos at gmail.com
Thu Sep 30 15:27:13 EDT 2010
Thanks for your replies.
I had considered the suggestions and I know the limitations of automatic
scanning.
However I was more concerned about how results relative to the scenario
I described should be presented to the user.
AI is infeasible at this point; although I have often considered it,
there aren't enough merits to justify implementation.
I've got some plans for it but it's not its time yet.
Concluding, I think that a compromise has to be made in these situations,
like flagging the result with a "manual verification required" flag.
That's probably the path I'll follow unless someone else has a better
suggestion.
PS. Sorry it took me so long to respond; I had some technical difficulties.
PS2. I hope I'm not tiring anyone with my constant inquiries.
People usually build software trying to guess what the users
need/want but in this case my user base would be people like you,
so since I have access to you I'd be remiss not to pick your
brains.