by est31
1814 days ago
I think this is a really great article and highlights an important weakness that modern security tools in this context have: they don't distinguish between vulnerabilities that can be triggered by malicious developer code, and vulnerabilities that can be triggered by malicious users/websites. For a proper assessment, such differences need to be encoded in the security advisory, and the audit tool needs to analyze if the code is called at run time or build time, and then act accordingly. |
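To make the distinction the comment asks for concrete, here is a small added example (not the commenter's code, and not any real audit tool) of what an advisory format and audit pass could look like once the advisory records who can reach the vulnerable code and the tool knows whether a dependency is used at build time or at run time. The package names, versions and advisory IDs are constructed placeholders; the `Reach` field and the build-time flag are assumptions about how such metadata could be encoded.

```python
from dataclasses import dataclass
from enum import Enum


class Reach(Enum):
    """Who can reach the vulnerable code, recorded in the advisory itself."""
    UNTRUSTED_INPUT = "untrusted-input"   # triggerable by end users / remote websites
    DEVELOPER_CODE = "developer-code"     # only code the developer writes can trigger it


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder IDs below, not real advisories
    package: str
    fixed_in: str           # first non-vulnerable version
    reach: Reach
    title: str


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    build_time: bool        # True: build script / proc-macro / codegen use only


def _ver(s: str) -> tuple:
    """Parse 'a.b.c' into a comparable tuple of ints."""
    return tuple(int(p) for p in s.split("."))


def priority(dep: Dependency, adv: Advisory) -> str:
    """Rank a match by combining the advisory's reach with where the dependency runs."""
    if adv.reach is Reach.DEVELOPER_CODE:
        # Exploiting this needs hostile code from the developer, who could do
        # the same damage without the bug; report it for completeness only.
        return "info"
    if dep.build_time:
        # Untrusted-input bug, but the code only runs on the build host over
        # developer-supplied input. Still tracked: a build that ingests
        # external data (e.g. fetched schemas) would deserve a higher rank.
        return "low"
    # Reachable by users or websites in the shipped artifact.
    return "high"


def audit(deps, advisories):
    """Return (package, advisory id, priority) for every vulnerable dependency."""
    findings = []
    for dep in deps:
        for adv in advisories:
            if adv.package == dep.name and _ver(dep.version) < _ver(adv.fixed_in):
                findings.append((dep.name, adv.advisory_id, priority(dep, adv)))
    order = {"high": 0, "low": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[2]])


# Constructed sample data (placeholder package names and advisory IDs).
SAMPLE_DEPS = [
    Dependency("html-sanitizer", "1.0.2", build_time=False),
    Dependency("yaml-codegen", "0.4.0", build_time=True),
    Dependency("derive-helper", "2.1.0", build_time=True),
    Dependency("log-writer", "3.0.0", build_time=False),
]

SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "html-sanitizer", "1.0.3", Reach.UNTRUSTED_INPUT, "sanitizer bypass"),
    Advisory("EXAMPLE-0002", "yaml-codegen", "0.5.0", Reach.UNTRUSTED_INPUT, "stack overflow on deep nesting"),
    Advisory("EXAMPLE-0003", "derive-helper", "2.2.0", Reach.DEVELOPER_CODE, "unsound trait impl"),
    Advisory("EXAMPLE-0004", "log-writer", "2.9.0", Reach.UNTRUSTED_INPUT, "format string bug"),
]


if __name__ == "__main__":
    for name, adv_id, prio in audit(SAMPLE_DEPS, SAMPLE_ADVISORIES):
        print(f"{prio:5} {name} ({adv_id})")
```

Run as-is, the sample data yields one high finding (a run-time dependency reachable by untrusted input), one low finding (the same class of bug confined to a build-time dependency) and one informational finding (a bug only malicious developer code could trigger); `log-writer` is already at a fixed version and produces nothing. A real tool would derive the build-time flag from the dependency graph rather than from a hand-set boolean, which is exactly the call-site analysis the comment describes.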