Unforgivable Vulnerabilities presented at BlackHatDC 2007

by Steve Christey

URL : https://www.blackhat.com/presentations/bh-usa-07/Christey/Presentation/bh-usa-07-christey.pdf

Summary : For some products, it's just too easy to find a vulnerability. First, find the most heavily used functionality, including the first points of entry into the product. Then, perform the most obvious attacks against the most common vulnerabilities. Using this crude method, even unskilled attackers can break into an insecure application within minutes. The developer likely faces a long road ahead before the product can become tolerably secure; the customer is sitting on a ticking time bomb. This turbo talk will identify some of the Unforgivable Vulnerabilities that illustrate a systematic disregard for secure development practices. I will conclude with a call to arms for establishing Vulnerability Assessment Assurance Levels (VAAL), and nominate these Unforgivable Vulnerabilities as exemplars of VAAL-0.