by olddustytrail 1205 days ago
You can't just fix that in code. FTP and SFTP are completely different protocols that use different servers.

You need a new server to talk to in order to fix that. And if it's a customer server maybe it can only do FTPS rather than SFTP.

1 comments

Yeah… so this example is saying “you need to redesign your infrastructure before you can merge this change in.”

If SFTP is a requirement, it should have been captured earlier in the process and not after the integration code was written.

In an ideal world security tools like this one should be useless… but unfortunately we don’t all live in this world where security requirements are all captured, understood and implemented correctly.

This is just an example; think about application-level encryption, leakage in logger messages, etc.