In a previous post on theoretical Appsec vulnerabilities, I covered how “it’s theoretical” is misused by those who are trying to avoid fixing a security vulnerability or taking responsibility for it-for example, the Lenovo Superfish breach, Heartbleed, and airline wifi attacks.
The idea that a vulnerability is merely theoretical is not only ignorant but dangerous. Software exploits occur because bad actors operate by finding unexpected loopholes in a software system. Think of it this way – if you left your door unlocked is it a security issue? Or perhaps “If an unlocked door is never entered, is it really unlocked” if you’re a philosopher. One could contend that the risk is theoretical, but most of us would say that such a statement is ridiculous. (Props to those who live in an area where door security isn’t required.)