[Owasp-leaders] Zone transfer

Victor Chapela victor at sm4rt.com
Wed Jun 9 08:26:51 EDT 2010


I agree completely with promoting proper risk management. 

I suggest we add three or four A records to the DNS, that when transferred, state this point. These records could be: "zone-transfers-intentionally-left-on", "our-DNS-information-has-been-classified-as-public", "the-risk-of-sharing-this-information-has-been-determined-to-be-very-low-or-non-existent" and "in-accordance-with-risk-management-best-practices-this-risk-has-been-accepted".

Finally, we could have zone-transfer.owasp.org pointing to a page that explains our risk management philosophy. This page could be titled "Why do we leave our DNS zone transfer on?" 

Regards,
Victor Chapela



--------------------------
Sent using BlackBerry


----- Original Message -----
From: owasp-leaders-bounces at lists.owasp.org <owasp-leaders-bounces at lists.owasp.org>
To: owasp-leaders at lists.owasp.org <owasp-leaders at lists.owasp.org>
Sent: Wed Jun 09 08:03:38 2010
Subject: Re: [Owasp-leaders] Zone transfer

> On Jun 9, 2010, at 1:06 PM, Christian Heinrich wrote:
>> 
>> AXFR is a business related risk to OWASP due to the impact to our
>> (i.e. OWASP) reputation.
>
> Or you could see it as a great advertisement for how organisations should
> look at the whole business context in order to properly evaluate risk.

This is exactly the message I think we should emphasize. Security for
compliance's sake is stupid. If OWASP stands for anything, it's exactly the
notion that making informed decisions about risk is the way forward.  Now of
course we don't want to damage our reputation, so I need everyone's help in
responding to nonsense.

--Jeff

> Stephen

> 
> On Mon, Apr 12, 2010 at 3:27 PM, Jeff Williams <jeff.williams at owasp.org>
> wrote:
>> All,
>> 
>> I greatly appreciate the interest and concern in OWASP's security and
>> reputation. I'd like to take this opportunity to once again recognize
>> Larry's excellent support of the OWASP network and application
>> infrastructure over the years. Few of you will probably ever meet him, but
>> he has helped virtually all of us and we work under the blanket of his
>> protection every day!
>> 
>> Rest assured that Larry has been on top of the DNS situation for quite a
>> while and we just haven't been able to find another provider that is a
>> better fit for OWASP. This is a great case study in why vulnerabilities
>> aren't risks (as we have now hopefully made clear in the new T10 being
>> released very soon). You always have to consider the business context of
>> any vulnerability you discover. In this case, nobody has articulated a
>> serious risk to OWASP.
>> 
>> However, we are absolutely committed to making our infrastructure secure -
>> both for protection and as an example to others. We always welcome
>> constructive information about the security of our OWASP infrastructure.
>> 
>> Thanks Larry - great job as usual.
>> 
>> --Jeff
> 
> -- 
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


