May 19, 2009

But That's Impossible!

By Chris Eng

In lieu of actual technical content, and inspired by Jeremiah's blog post, "8 reasons why website vulnerabilities are not fixed," I started thinking about all the different manifestations of reason #8, "No one at the organization knows about, understands, or respects the issue." I polled the Veracode research group, most of whom have been security consultants at one time or another, and asked them about the best responses they've heard from customers that reflect a lack of understanding or respect for a pen test finding. These often start with the proclamation, "that's impossible..." followed by one of the statements below.

Developer doesn't understand how the web works

  • "Users can't change the value of a dropdown"
  • "That option is greyed out"
  • "We don't even link to that page"

Developer doesn't understand the difference between network and application security

  • "That application is behind 3 firewalls!"
  • "We're using SSL"
  • "That system isn't even exposed to the outside"

Developer doesn't understand a vulnerability class

  • "That's just an error message" (usually related to SQL Injection)
  • "You can't even fit a valid SQL statement in 10 characters"

Developer doubts attacker motivation

  • "You are using specialized tools; our users don’t use those"
  • "Why would anyone put a string that long into that field?"
  • "It's just an internal application" (in an enterprise with 80k employees and a flat network)
  • "This application has a small user community; we know who is authenticated to it" (huh?)
  • "You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!"

Developer cites incorrect or inadequate architectural mitigations

  • "You can’t execute code from the stack, it is read-only on all Intel processors"
  • "Our WAF protects against XSS attacks" (well, clearly it didn't protect against the one I'm showing you)

Developer cites questionable tradeoffs

  • "Calculating a hash value will be far too expensive" (meanwhile, they're issuing dozens of Ajax requests every time a user clicks a link)

So that's what we came up with in about half an hour, and I know there are dozens that we've forgotten about in our old age (you know, over age 30). This drives home the point that education is one of the largest gaps in most SDLCs. How can you expect your developers to write secure code when you don't teach them this stuff? You can only treat the symptoms for so long; eventually you have to attack the root cause. Submit your best "that's impossible" lines in the comments! I know there are some good ones out there.


Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security, as well as advising on product strategy and M&A. Chris is a frequent speaker at industry conferences and serves on the review board for Black Hat USA. He is also a charter member of MITRE's CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency. Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.