In lieu of actual technical content, and inspired by Jeremiah's blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, "No one at the organization knows about, understands, or respects the issue." I polled the Veracode research group, most of whom have been security consultants at one time or another, and ask them about the best responses they've heard from customers that reflect a lack of understanding or respect for a pen test finding. These often start with the proclamation, "that's impossible..." followed by one of the statements below. Developer doesn't understand how the web works
- "Users can't change the value of a dropdown"
- "That option is greyed out"
- "We don't even link to that page"
Developer doesn't understand the difference between network and application security
- "That application is behind 3 firewalls!"
- "We're using SSL"
- "That system isn't even exposed to the outside"
Developer doesn't understand a vulnerability class
- "That's just an error message" (usually related to SQL Injection)
- "You can't even fit a valid SQL statement in 10 characters"
Developer doubts attacker motivation
- "You are using specialized tools; our users don’t use those"
- "Why would anyone put a string that long into that field?"
- "It's just an internal application" (in an enterprise with 80k employees and a flat network)
- "This application has a small user community; we know who is authenticated to it" (huh?)
- "You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!"
Developer cites incorrect or inadequate architectural mitigations
- "You can’t execute code from the stack, it is read-only on all Intel processors"
- "Our WAF protects against XSS attacks" (well, clearly it didn't protect against the one I'm showing you)
Developer cites questionable tradeoffs
- "Calculating a hash value will be far too expensive" (meanwhile, they're issuing dozens of Ajax requests every time a user click a link)
So that's what we came up with in about half an hour, and I know there are dozens that we've forgotten about in our old age (you know, over age 30). This drives home the point that education is one of the largest gaps in most SDLCs. How can you expect your developers to write secure code when you don't teach them this stuff? You can only treat the symptoms for so long; eventually you have to attack the root cause. Submit your best "that's impossible" lines in the comments! I know there are some good ones out there.