[Owasp-leaders] Zone transfer

Eoin eoin.keary at owasp.org
Wed Jun 9 07:26:53 EDT 2010


Indeed,
Technical Risk != Business Risk in all cases.





On 9 June 2010 12:15, Stephen de Vries <stephen at twisteddelight.org> wrote:

>
> On Jun 9, 2010, at 1:06 PM, Christian Heinrich wrote:
> >
> > AXFR is a business related risk to OWASP due to the impact to our
> > (i.e. OWASP) reputation.
>
> Or you could see it as a great advertisement for how organisations should
> look at the whole business context in order to properly evaluate risk.
>
> > FYI - aside from Reputation, the other two business related risks are
> > Financial (e.g. GFC) and Regulatory.
>
> How's that then?  As Jeff has pointed out, if no private data is exposed
> then it doesn't introduce a new risk.  It's like saying SQL is an inherent
> security risk, because sometimes you can use it to perform SQL injection
> attacks.
>
>
> Stephen
>
> >
> > On Mon, Apr 12, 2010 at 3:27 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
> >> All,
> >>
> >> I greatly appreciate the interest and concern in OWASP's security and
> >> reputation. I'd like to take this opportunity to once again recognize
> >> Larry's excellent support of the OWASP network and application
> >> infrastructure over the years. Few of you will probably ever meet him, but
> >> he has helped virtually all of us and we work under the blanket of his
> >> protection every day!
> >>
> >> Rest assured that Larry has been on top of the DNS situation for quite a
> >> while and we just haven't been able to find another provider that is a
> >> better fit for OWASP. This is a great case study in why vulnerabilities
> >> aren't risks (as we have now hopefully made clear in the new T10 being
> >> released very soon). You always have to consider the business context of any
> >> vulnerability you discover. In this case, nobody has articulated a serious
> >> risk to OWASP.
> >>
> >> However, we are absolutely committed to making our infrastructure secure -
> >> both for protection and as an example to others. We always welcome
> >> constructive information about the security of our OWASP infrastructure.
> >>
> >> Thanks Larry - great job as usual.
> >>
> >> --Jeff
> >
> > --
> > Regards,
> > Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> > OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary