In lieu of actual technical content, and inspired by Jeremiah's blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, "No one at the organization knows about, understands, or respects the issue." I polled the Veracode research group, most of whom have been security consultants at one time or another, and asked them about the best responses they've heard from customers that reflect a lack of understanding or respect for a pen test finding. These often start with the proclamation, "that's impossible..." followed by one of the statements below.

Developer doesn't understand how the web works
Developer doesn't understand the difference between network and application security
Developer doesn't understand a vulnerability class
Developer doubts attacker motivation
Developer cites incorrect or inadequate architectural mitigations
Developer cites questionable tradeoffs
So that's what we came up with in about half an hour, and I know there are dozens that we've forgotten about in our old age (you know, over age 30). This drives home the point that education is one of the largest gaps in most SDLCs. How can you expect your developers to write secure code when you don't teach them this stuff? You can only treat the symptoms for so long; eventually you have to attack the root cause. Submit your best "that's impossible" lines in the comments! I know there are some good ones out there.