How to write an application security finding