From 8ec4f7a524eeb862a7df2d18cf799beb1c72fbd6 Mon Sep 17 00:00:00 2001 From: kmcquade Date: Sun, 7 Jul 2024 18:34:16 -0400 Subject: [PATCH] Update the README --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5f083af..e39e704 100644 --- a/README.md +++ b/README.md 
@@ -13,11 +13,13 @@ The findings are also **not** discoverable through other Dynamic Application Sec # Motivation -**Why did I create this?** Unfortunately, the security industry has been heavily focused on "known vulnerabilities" that are not exploitable - whether that's CVEs or cloud misconfigurations. This isn't the fault of engineers or founders in those industries - it's a narrative and culture that's pushed by VCs and vendors with big marketing budgets. As a result, we're fed a cyclical narrative that known vulnerabilities in third party or OSS software are the only things that matter. This is not true. +**Why did I create this?** Unfortunately, the security industry has been heavily focused on "known vulnerabilities" that are not exploitable - whether that's CVEs or cloud misconfigurations. This isn't the fault of engineers or founders in those industries - it's a narrative and culture that's pushed by VCs and vendors with big marketing budgets. As a result, many people in the industry are left thinking that known vulnerabilities in third party or OSS software are the only things that matter. This is not true. -The Application Security industry as a subset is also heavily focused on SAST - which is known to generate a ton of noise. Over 99% of SAST findings do not result in an exploitable security vulnerability. _This is not to say that SAST is not useful_ - it is. But it's not the only thing that matters. +The Application Security industry as a subset is also heavily focused on SAST - which is known to generate a ton of noise. Over 99% of SAST findings do not result in an exploitable security vulnerability. And many times, like in this Broken Flask app, many SAST tools don't even find the vulnerability because it's a game of writing rules in whack-a-mole fashion. _This is not to say that SAST is not useful_ - it is. But it's not the only thing that matters. -_The only thing that matters is **exploitability**_. 
If a tree falls in a forest and no one is around to hear it, does it make a sound? If a 3rd party package or SAST finding exists in your codebase, and it's not exploitable, does it matter? **No**. It doesn't. +_The **only** thing that matters is **exploitability**_. If a 3rd party package or SAST finding exists in your codebase, and it's not exploitable, does it matter? **No**. It doesn't. + +If you don't get anything else out of what I have to say here, it's this - I hope # Getting Started @@ -69,6 +71,8 @@ make snyk ### DAST Scans +#### NightVision + * If you have access to [NightVision](https://www.nightvision.net), you can run a DAST scan in a few minutes: ```bash @@ -95,6 +99,10 @@ nightvision scan --target broken-flask-local NightVision **will** discover SQL Injection in the application. +#### ZAP + +ZAP, formerly known as OWASP ZAP, is a free and open-source web application and API security scanner. + * Run this command to perform a scan with ZAP (DAST): ```bash
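Review bot: the last added line of the Motivation hunk, `+If you don't get anything else out of what I have to say here, it's this - I hope`, is cut off mid-sentence and should be finished or dropped before merge; as written the section would end on a dangling fragment. In the same hunk, the new claim that "many SAST tools don't even find the vulnerability" in this Broken Flask app would read as more than an assertion if it pointed at the SAST target the README already documents (`make snyk` appears in the next hunk's context) so a reader can reproduce the miss.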
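Review bot: the new `#### NightVision` sub-heading in the `### DAST Scans` hunk introduces the tool without the one-sentence description that the sibling `#### ZAP` heading gets, and the bullet beneath it only says it requires access; a short line saying what NightVision is would keep the two DAST subsections parallel. Also, now that each scanner has its own sub-heading, the leading `* ` on the first line under the heading no longer groups anything and could be plain prose.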
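Review bot: the ZAP hunk adds a description of the tool but not the expectation statement the NightVision section carries (`NightVision **will** discover SQL Injection in the application.`); say whether the ZAP scan is expected to find the SQL injection in the Broken Flask app, since the README's point is exploitable findings and a reader running both scanners will want to compare results. Minor: the NightVision subsection links to the vendor site while the ZAP line has no link; adding one for ZAP keeps the subsections consistent.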