A vulnerability is a possible location of a bug. There's no evidence to suggest a bug exists, but based on experience, knowledge of the system, discussion with colleagues and use of oracles, it's an indicator of where bugs may lie. It's not a coverage map, though I could see the vulnerability map being used in conjunction with the product map. How does this tie in with a risk list? A risk list is also a list of possible vulnerabilities, but it's only based on investigation of the product. Vulnerabilities are broader than that, as they include conversations, looking at support and reading documentation (though a risk list could come from that too, I guess).
Where in the product have I detected or imagined vulnerability?
Validity of the algorithm
It's complicated - how can that have been tested well?
how easy would this be to test?
Is it third-party software (open source?)
Interaction with other systems
It didn't seem to work with the website
How does it interact if you register with Facebook?
Input Fields
Traditional Area of potential vulnerability
Also coupled with the database; can it lead to a DB crash?
Importing
As I toured, I thought about possible vulnerabilities for import: importing from a different password system may cause problems
Password character length
How can I make it go negative?
allows you to create an excessively long password that's not accepted by other systems
Test Password Expiration
Time typically has bugs in it because it's used in different ways than people imagine
Password Repeat
What if, when you repeat the password differently, it's fine with that?
fails to ensure the password is correct by having it entered twice
allows copy and paste of the 2nd password, so the user may enter the incorrect password twice
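The three entry-form concerns above (a length that can go negative or excessive, time-based expiry, and a confirmation field that can differ from the first) are the checks a tester would want a concrete oracle for. The following is an added example, not code from the product or from the author of these notes; PasswordPolicy, is_expired, is_expired_iso and confirmation_matches are names chosen for the illustration, and the length limits are assumptions. Stopping paste into the confirmation field is a UI matter that a validation routine cannot address, so it is not shown.

```python
"""Boundary and consistency checks for a password manager's entry form.

Added illustration, not the product's code. The class and function names,
and the min/max length limits, are assumptions chosen for this example.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 128  # assumed cap: many sites reject longer secrets

    def check_length(self, requested: int) -> int:
        """Validate a requested generated-password length.

        Rejects negative and zero values (the "how can I make it go negative?"
        case) and values above the cap, instead of silently clamping them.
        """
        if not isinstance(requested, int) or isinstance(requested, bool):
            raise TypeError("length must be an int")
        if requested < self.min_length or requested > self.max_length:
            raise ValueError(
                f"length {requested} outside [{self.min_length}, {self.max_length}]"
            )
        return requested

    def length_ok(self, requested) -> bool:
        """Boolean form of check_length, convenient for table-driven tests."""
        try:
            self.check_length(requested)
            return True
        except (TypeError, ValueError):
            return False


def is_expired(created: datetime, ttl_days: int, now: datetime | None = None) -> bool:
    """Expiry check that insists on timezone-aware datetimes.

    Comparing a naive local timestamp with a UTC "now" is a classic source of
    off-by-hours expiry bugs, so naive values are refused outright.
    """
    if created.tzinfo is None:
        raise ValueError("created must be timezone-aware")
    if ttl_days < 0:
        raise ValueError("ttl_days must be non-negative")
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    return now >= created + timedelta(days=ttl_days)


def is_expired_iso(created_iso: str, ttl_days: int, now_iso: str) -> bool:
    """Same check driven by ISO-8601 strings (must carry a UTC offset)."""
    return is_expired(
        datetime.fromisoformat(created_iso), ttl_days, datetime.fromisoformat(now_iso)
    )


def confirmation_matches(first: str, second: str) -> bool:
    """Exact, constant-time comparison of the two password fields.

    No stripping, case-folding or Unicode normalisation: if the fields differ
    at all, the user did not type the same secret twice.
    """
    return hmac.compare_digest(first.encode("utf-8"), second.encode("utf-8"))
```

Feeding the generator a negative, zero or very large length, and feeding the expiry check a naive timestamp, are the boundary cases from the notes; each is rejected rather than quietly accepted.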
Database Vulnerabilities
data not properly encrypted
database easily corrupted
can't backup database and passwords
database fields have no boundary limits
Installation
admin rights?
no recourse if you are not admin
no proper feedback if you are not admin
different operating systems
requires additional software without giving prior notice
Stress:
What's the limit for passwords? How many can I enter before it fails to accept any more?
What if I export the contents to a different computer with less memory and weaker hardware and it fails to let me import?
What have I heard about the product that suggests vulnerability
Andrei mentioned he had used it once and it was sluggish
Mac requires additional software
After reading the specification what vulnerabilities are suggested to me?
After releasing what vulnerabilities are detected?
Preconceptions
What makes me trust the product?
Its got requirements (a certain sense of rigour?)
What Makes me doubt the product?
My knowledge of an existing product that is slick
What Andrei said about the product on Mac
Do I trust this product?
I suspect I trust the algorithm
I would imagine it's hard to break
Don't trust the security
Was able to paste my password into a word doc
what other things are insecure?
Don't trust the reliability
This is the biggie for me; I don't want to lose all my passwords
It's not well thought out from a system perspective
what other things are not well thought out?
Performed 90 minutes of survey testing
Imagine all the things that could go wrong
My data is corrupted
Too large a password generated?
Username too long for database?
URL too long for database?
password generation corrupts my data
dummy .key file corrupts the system
My data is stolen
You can find an easy way to access my passwords if my laptop is stolen
It becomes too hard to use with other products
Hard to use on websites, email systems and networking products
It's too difficult to use
the interface is too unfamiliar
It's not easily portable
iPad, iPhone? (no USB)
I download it onto a USB stick but can't use it on Apple products as there is no USB
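The "Database Vulnerabilities" items (data not properly encrypted, database fields have no boundary limits) and the "My data is corrupted" items (username or URL too long for the database) come down to two checks a tester can automate: does the store enforce an upper bound on each field, and is the secret readable as plaintext in the file on disk. The following is an added example, not the product's own schema or storage code; it uses SQLite, and the table name, the column limits and the helper names are assumptions for the illustration.

```python
"""Checks for unbounded database fields and plaintext secrets on disk.

Added illustration, not the product's schema or storage code. The table
name 'entries', the column limits and the helper names are assumptions.
"""
import os
import sqlite3
import tempfile

# Schema as a product might ship it: no length limit on any field.
UNBOUNDED_SCHEMA = """
CREATE TABLE entries (
    title    TEXT,
    username TEXT,
    url      TEXT,
    password TEXT
)
"""

# Hardened schema: explicit upper bounds (assumed values), enforced by the DB.
MAX_TITLE, MAX_USERNAME, MAX_URL, MAX_PASSWORD = 256, 256, 2048, 1024
BOUNDED_SCHEMA = f"""
CREATE TABLE entries (
    title    TEXT NOT NULL CHECK (length(title) BETWEEN 1 AND {MAX_TITLE}),
    username TEXT NOT NULL CHECK (length(username) <= {MAX_USERNAME}),
    url      TEXT NOT NULL CHECK (length(url) <= {MAX_URL}),
    password TEXT NOT NULL CHECK (length(password) BETWEEN 1 AND {MAX_PASSWORD})
)
"""


def store_entry(db_path, schema, title, username, url, password) -> bool:
    """Create a fresh database with `schema` and insert one entry.

    Returns True if the row was accepted, False if a CHECK constraint
    rejected it (SQLite raises IntegrityError for a failed CHECK).
    """
    conn = sqlite3.connect(db_path)
    try:
        conn.executescript(schema)
        try:
            conn.execute(
                "INSERT INTO entries (title, username, url, password) VALUES (?, ?, ?, ?)",
                (title, username, url, password),
            )
            conn.commit()
            return True
        except sqlite3.IntegrityError:
            return False
    finally:
        conn.close()


def secret_visible_on_disk(db_path: str, secret: str) -> bool:
    """Crude but effective oracle for "data not properly encrypted".

    If the secret appears as a literal byte string in the file, whatever the
    product calls encryption is not protecting that value at rest.
    """
    with open(db_path, "rb") as fh:
        return secret.encode("utf-8") in fh.read()


def run_boundary_checks() -> dict:
    """Exercise both schemas with constructed normal and over-long input."""
    results = {}
    secret = "correct horse battery staple"  # constructed sample secret
    huge_username = "u" * 100_000            # constructed: far beyond any sane limit
    huge_url = "https://example.test/" + "a" * 100_000
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "plain.db")
        store_entry(plain, UNBOUNDED_SCHEMA, "example", "alice",
                    "https://example.test/login", secret)
        results["plaintext_secret_on_disk"] = secret_visible_on_disk(plain, secret)

        weak = os.path.join(tmp, "weak.db")
        results["unbounded_accepts_huge"] = store_entry(
            weak, UNBOUNDED_SCHEMA, "example", huge_username, huge_url, secret)

        strong = os.path.join(tmp, "bounded.db")
        results["bounded_rejects_huge"] = not store_entry(
            strong, BOUNDED_SCHEMA, "example", huge_username, huge_url, secret)
        results["bounded_accepts_normal"] = store_entry(
            os.path.join(tmp, "bounded_ok.db"), BOUNDED_SCHEMA,
            "example", "alice", "https://example.test/login", secret)
    return results


if __name__ == "__main__":
    for name, outcome in run_boundary_checks().items():
        print(f"{name}: {outcome}")
```

The plaintext oracle is deliberately dumb: a byte search of the file finds the sample secret in the unencrypted store, which is the same test as pasting a stored password into a hex editor's search box. A store that passes it may still be weakly encrypted; one that fails it is not encrypted at all.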
What do I know about other similar products that help me identify vulnerability?
Cross Platform Integration
What if I move to an iPad? How do I log in then?
What if I'm on my iPhone? How do I log in?