On Sat, 2005-02-19 at 16:12 +0200, Willem Koenings wrote:

> - user input is correctly sanitized and there is no flaw
> - user input is not correctly sanitized and there is a flaw

I've seen cases where user input is correctly sanitized, but there was a flaw. If you tested your whole parameter set and don't find a flaw, it doesn't mean that none exists. There could be a flaw that you haven't found with your set of tests. That's what the quote is alluding to. You can say for sure that there is a flaw, but you can not say for sure that there is not one. You can't test for the absence.

> So above saying is not always completely true. But you can't use
> testing to find something you don't know at this exact moment -
> unknown flaws.

Well, that's exactly the point of the quote :)

Cheers,
Frank
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html