Add "Hence This is Not a Flaw" Joke/Real Story to the book #434

@securestep9

Outsourced Development Team's response on SQL Injection and Cross-Site Scripting flaws found by a SAST source code scan (real story, major bank):

"We have investigated the below-mentioned flaws for the XYZ-New application and below are the respective comments.

FLAW: CWE ID:89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - 10 flaws
Comment: Using the JDBC technology of Java as provided by Oracle Corp., there is a predefined method called executeQuery() which is used to execute SQL statements in the database through Java. Hence this is not a flaw.

FLAW: CWE ID:80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - 325 flaws

Comment: With the help of Servlet technology, there is a predefined class, PrintWriter, in Java which is used to print HTML content in a webpage. Hence this is not a flaw."
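For readers who want to see what the scanner was actually pointing at, here is an added example (not part of the issue or the quoted response) that puts each "not a flaw" pattern next to its fix. The class name, method names and the sample inputs are constructed for illustration; `executeQuery()` and `PrintWriter` are the real JDK/JDBC APIs named in the quote. The point is that the existence of the API is never the finding: the finding is untrusted data being spliced into SQL text or HTML markup before that API is called.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical class written for this example; not from the issue or any project.
public class NotAFlaw {

    // ----- CWE-89: the SQL text is built from untrusted input -----------------

    // Flawed: 'username' is spliced into the statement text, so executeQuery()
    // faithfully runs whatever the caller managed to put into the name field.
    static String buildVulnerableSql(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    static ResultSet findUserVulnerable(Connection c, String username) throws SQLException {
        Statement st = c.createStatement();
        return st.executeQuery(buildVulnerableSql(username));   // same API, flawed call site
    }

    // Fixed: the statement text is a constant; the value travels as a bound
    // parameter and cannot change the statement's structure.
    static ResultSet findUserSafe(Connection c, String username) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();                                // same API, safe call site
    }

    // ----- CWE-80: the HTML document is built from untrusted input ------------

    // Flawed: PrintWriter writes the raw value straight into the page.
    static void greetVulnerable(PrintWriter out, String name) {
        out.print("<p>Hello, " + name + "</p>");
    }

    // Minimal HTML body/attribute encoder: the five characters that can change
    // markup structure are replaced with entity references.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // Fixed: same PrintWriter, but the untrusted value is encoded first.
    static void greetSafe(PrintWriter out, String name) {
        out.print("<p>Hello, " + escapeHtml(name) + "</p>");
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for what a user might type into a form.
        String sqlInput  = "bob' OR '1'='1";
        String htmlInput = "<script>alert(1)</script>";

        System.out.println("Flawed SQL text : " + buildVulnerableSql(sqlInput));
        // WHERE clause is now always true; the bound-parameter version keeps
        // "SELECT id FROM users WHERE name = ?" and sends the value separately.
        System.out.println("Fixed SQL text  : SELECT id FROM users WHERE name = ?  (value bound as parameter)");

        StringWriter flawed = new StringWriter();
        greetVulnerable(new PrintWriter(flawed), htmlInput);
        StringWriter fixed = new StringWriter();
        greetSafe(new PrintWriter(fixed), htmlInput);
        System.out.println("Flawed HTML     : " + flawed);   // script tag lands in the page
        System.out.println("Fixed HTML      : " + fixed);    // rendered as literal text
    }
}
```

Compile and run with `javac NotAFlaw.java && java NotAFlaw`; no database driver or servlet container is needed because the JDBC methods only compile against `java.sql` and `main` exercises the string-building and encoding paths. When triaging SAST findings, this is the distinction to ask for: not "is `executeQuery()` a standard method" but "does any user-controlled value reach the statement text or the response body without being bound or encoded".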
