Q: Why does ApexSec report ‘Default (Unset)’ values as being vulnerable?

A: ApexSec works on the principle of explicit security not implicit security,  as a result default values must not be present in the application. The meaning of an items default setting can and has changed between APEX versions.

Q: Why does ApexSec report ‘Undefined’ items as being vulnerable?

A: ApexSec tries to ‘fail safe’. If an item is Undefined this could be a problem with the analysis or,  most of the time,  the item doesn’t exist and should be removed.