Discuss: x isn't a security boundary because ... (where x is represented in https://attack.mitre.org/datacomponents/ or other control lists).

timb_machine@infosec.exchange

Discuss: x isn't a security boundary because ... (where x is represented in https://attack.mitre.org/datacomponents/ or other control lists).

Counter point: Anything that changes the profile of the attack surface and presents an opportunity for detection can be considered a security boundary. Some may be more effective than others, some may have bugs, others may be configured badly but they all have some boundary value. The point of a security test is to point out the bugs and misconfigurations.