Veracode: But That’s Impossible!
Acidus
Topic: Miscellaneous 12:13 pm EDT, May 20, 2009

Chris Eng has a hilarious post over on the Veracode blog. God knows I've heard a number of these over the years...

I polled the Veracode research group, most of whom have been security consultants at one time or another, and asked them about the best responses they’ve heard from customers that reflect a lack of understanding or respect for a pen test finding. These often start with the proclamation, “that’s impossible…” followed by one of the statements below.

Developer doesn’t understand how the web works

* “Users can’t change the value of a dropdown”
* “That option is greyed out”
* “We don’t even link to that page”

Developer doesn’t understand the difference between network and application security

* “That application is behind 3 firewalls!”
* “We’re using SSL”
* “That system isn’t even exposed to the outside”

Developer doesn’t understand a vulnerability class

* “That’s just an error message” (usually related to SQL Injection)
* “You can’t even fit a valid SQL statement in 10 characters”

Developer doubts attacker motivation

* “You are using specialized tools; our users don’t use those”
* “Why would anyone put a string that long into that field?”
* “It’s just an internal application” (in an enterprise with 80k employees and a flat network)
* “This application has a small user community; we know who is authenticated to it” (huh?)
* “You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!”
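The first three quotes share one root cause: a dropdown, a greyed-out option, or an unlinked page only shapes what a browser sends by default, not what a client can send. The following is an added example (not code from the Veracode post or from this blog) showing the server-side enforcement that makes those "impossible" requests harmless; plan names, roles and paths are hypothetical.

```python
# Added example: the server enforces every restriction the UI merely suggests.
# Plans, roles and routes below are invented for illustration.

# Options the dropdown shows a normal user, and the one rendered greyed out for them.
PUBLIC_PLANS = {"basic", "pro"}
ADMIN_ONLY_PLANS = {"enterprise"}

# Role required for each path, whether or not any page links to it.
ROUTE_ROLES = {"/": None, "/account": "user", "/admin/export": "admin"}
ROLE_RANK = {None: 0, "user": 1, "admin": 2}


def choose_plan_trusting_client(form):
    """Naive handler: assumes the browser only submits values the dropdown offers."""
    return {"ok": True, "plan": form["plan"]}


def choose_plan_validated(form, role):
    """Server-side allowlist: the greyed-out option is enforced here, not in HTML."""
    allowed = PUBLIC_PLANS | (ADMIN_ONLY_PLANS if role == "admin" else set())
    plan = form.get("plan", "")
    if plan not in allowed:
        return {"ok": False, "error": "plan not permitted"}
    return {"ok": True, "plan": plan}


def dispatch(path, role):
    """Authorization on every route: 'we don't link to it' is not an access control."""
    if path not in ROUTE_ROLES:
        return 404
    if ROLE_RANK[role] < ROLE_RANK[ROUTE_ROLES[path]]:
        return 403
    return 200


if __name__ == "__main__":
    # Constructed requests: the last two never originate from the real form.
    for form in ({"plan": "pro"}, {"plan": "enterprise"}, {"plan": "lifetime_free"}):
        print(form, choose_plan_trusting_client(form), choose_plan_validated(form, "user"))
    print(dispatch("/admin/export", "user"), dispatch("/admin/export", "admin"))
```

The naive handler happily accepts a value that was never in the dropdown; the validated one rejects it, and the route check denies the unlinked admin page regardless of how the path was discovered.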
