I have been testing the security aspects of a web application. The security requirement doesn't state anything explicitly about the Remember Password and Autofill features, and I want to know if these features could be disabled from the application end. (These features are specific to browsers and I find it risky to have these left out on browsers.)
I discussed these with my dev team and they feel that it should be handled at the browser level. Please share your remarks if any of you have encountered such a situation.
I find smoking a risky habit, still I don't blow up cigarette factories :)
Well, I suggest you analyze what type of users will be using your system ("internet-cafe" or corporate users behind well-managed firewalls) and what their security expectations are (my expectations for this site are lower than for an e-banking system where one could steal all my money). Next, tell your stakeholder why you think it is risky.