[Owasp-leaders] Zone transfer

Stephen de Vries stephen at twisteddelight.org
Wed Jun 9 07:15:13 EDT 2010


On Jun 9, 2010, at 1:06 PM, Christian Heinrich wrote:
> 
> AXFR is a business related risk to OWASP due to the impact to our
> (i.e. OWASP) reputation.

Or you could see it as a great advertisement for how organisations should look at the whole business context in order to properly evaluate risk.
  
> FYI - aside from Reputation, the other two business related risks are
> Financial (e.g. GFC) and Regulatory.

How's that then?  As Jeff has pointed out, if no private data is exposed then it doesn't introduce a new risk.  It's like saying SQL is an inherent security risk, because sometimes you can use it to perform SQL injection attacks.


Stephen

> 
> On Mon, Apr 12, 2010 at 3:27 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
>> All,
>> 
>> I greatly appreciate the interest and concern in OWASP's security and
>> reputation. I'd like to take this opportunity to once again recognize
>> Larry's excellent support of the OWASP network and application
>> infrastructure over the years. Few of you will probably ever meet him, but
>> he has helped virtually all of us and we work under the blanket of his
>> protection every day!
>> 
>> Rest assured that Larry has been on top of the DNS situation for quite a
>> while and we just haven't been able to find another provider that is a
>> better fit for OWASP. This is a great case study in why vulnerabilities
>> aren't risks (as we have now hopefully made clear in the new T10 being
>> released very soon). You always have to consider the business context of any
>> vulnerability you discover. In this case, nobody has articulated a serious
>> risk to OWASP.
>> 
>> However, we are absolutely committed to making our infrastructure secure -
>> both for protection and as an example to others. We always welcome
>> constructive information about the security of our OWASP infrastructure.
>> 
>> Thanks Larry - great job as usual.
>> 
>> --Jeff
> 
> -- 
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


