Q: Why does ApexSec report ‘Default (Unset)’ values as being vulnerable?
A: ApexSec works on the principle of explicit security, not implicit security. As a result, default values must not be present in the application. The meaning of an item's default setting can change, and has changed, between APEX versions.
Q: Why does ApexSec report ‘Undefined’ items as being vulnerable?
A: ApexSec tries to ‘fail safe’. If an item is Undefined, this could be a problem with the analysis or, most of the time, the item doesn’t exist and should be removed.