Unforgivable Vulnerabilities presented at Blackhat USA 2007

by Steven M. Christey

Tags: Security Development

Summary: For some products, it's just too easy to
find a vulnerability. First, find the most heavily used functionality,
including the first points of entry into the product. Then, perform the
most obvious attacks against the most common vulnerabilities. Using this
crude method, even unskilled attackers can break into an insecure
application within minutes. The developer likely faces a long road ahead
before the product can become tolerably secure; the customer is sitting
on a ticking time bomb. This turbo talk will identify some of the
Unforgivable Vulnerabilities that illustrate a systematic disregard for
secure development practices. I will conclude with a call-to-arms for
establishing Vulnerability Assessment Assurance Levels (VAAL), and
nominate these Unforgivable Vulnerabilities as exemplars of VAAL-0.