[Owasp-leaders] Zone transfer

Christian Heinrich christian.heinrich at owasp.org
Fri Jun 11 07:18:10 EDT 2010


Stephen,

On Wed, Jun 9, 2010 at 9:15 PM, Stephen de Vries
<stephen at twisteddelight.org> wrote:
>> FYI - aside from Reputation, the other two business related risks are
>> Financial (e.g. GFC) and Regulatory.
>
> How's that then?  As Jeff has pointed out, if no private data is exposed
> then it doesn't introduce a new risk.  It's like saying SQL is an
> inherent security risk, because sometimes you can use it to perform SQL
> injection attacks.

The difference between "inherent" risk and "residual" risk is that the
mitigating controls are considered when measuring the "residual" risk
only.

In the context of your SQL injection example, the "inherent" risk and
"residual" risk can have the same value if both of the following
controls aren't applied (i.e. applying 1 or 2 would reduce the
"residual" risk):
1. "parameterized statements" are not used, *and*
2. input from the web browser isn't "escaped" of SQL-related
characters, e.g. single quote, etc.


-- 
Regards,
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
