Ever come up against this issue? You see that something in the IT infrastructure is set up in a less than sanitary way: for example, the application has dynamic SQL, or the security of the database relies on the application. One link in the chain seems incredibly weak, but an actual vulnerability has yet to be proven.
So you want to report this issue, because you suspect there might be security vulnerabilities, only to get the response that it sounds very theoretical. Which makes you wonder whether they said the same at all those companies that got hacked recently. You know: Target, Home Depot and Sony.
This sort of puts the burden of proof on you, because if you don’t show the problem, there is no problem. So you want to show how a hack could work on this system. But hacking is hard and takes skill and time. Suppose you don’t have those skills or time?
Hmm. Well, you could try to describe how a hack could work. You say “suppose this field can be used in a SQL injection leak, then I could exploit that feature, and I might read customer data”. But that makes this hypothesis a target: “That field is used in an insert statement, so that hack could never work”.
That’s the annoying thing about this work: the issue at hand is not that you are unable to come up with a hack. The issue is that there are security-related sanitary issues.
I think I will call this the invulnerability fallacy. The invulnerability fallacy says that if one person (you) can’t hack a system, then there is automatically no security issue.
Never forget to bring the focus back to the real issue.