[Owasp-leaders] Zone transfer

Stephen de Vries stephen at twisteddelight.org
Fri Jun 11 09:29:42 EDT 2010


Christian,

On Jun 11, 2010, at 1:18 PM, Christian Heinrich wrote:
>> 
>> How's that then?  As Jeff has pointed out, if no private data is exposed then it doesn't introduce a new risk.  It's like saying SQL is an inherent security risk, because sometimes you can use it to perform SQL injection attacks.
> 
> The difference between "inherent' risk and "residual" risk is that the
> mitigating controls are considered when measuring the "residual risk"
> only.

Ok, so in the case of zone transfers, the inherent risk is that sensitive data could be revealed by the zone transfer. The mitigating control is that the transfer doesn't contain any private or sensitive data, therefore the residual risk is low.
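An added example, not part of the thread or any OWASP project: the mitigating control argued above ("the transfer doesn't contain any private or sensitive data") is only a control if someone actually verifies it, so this script scans a zone in BIND format (constructed sample data) for A/AAAA records that would expose RFC 1918 or ULA addresses or internal-sounding host names, and rates the residual risk the way the message does. The name-hint list is an assumption to tune per organisation.

```python
import ipaddress
import re

# Constructed sample zone, BIND-style; not real data from the thread.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        IN  SOA  ns1.example.com. hostmaster.example.com. (2010061101 3600 900 604800 300)
@        IN  NS   ns1.example.com.
www      IN  A    203.0.113.10
ns1      IN  A    203.0.113.2
intranet IN  A    10.20.30.40
vpn-gw   IN  A    192.168.1.1
vpn      IN  A    203.0.113.20
db01     IN  AAAA fd12:3456::1
mail     IN  MX   10 mx.example.com.
"""

# Address ranges that should never be published in an external zone:
# RFC 1918 IPv4 space and IPv6 unique local addresses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Owner-name fragments that hint at internal infrastructure (assumed list).
SENSITIVE_NAME_HINTS = ("intranet", "vpn", "db", "dev", "staging", "admin")

# owner [ttl] IN (A|AAAA) rdata
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA)\s+(\S+)\s*$")

def classify_zone(zone_text):
    """Return (owner, rdata, reason) findings that undercut the 'nothing private' control."""
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line or line.startswith("$"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue                                # only A/AAAA records are examined
        name, _rtype, rdata = m.groups()
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                                # malformed rdata is out of scope here
        if any(addr in net for net in PRIVATE_NETS):
            findings.append((name, rdata, "private address"))
        elif any(h in name.lower() for h in SENSITIVE_NAME_HINTS):
            findings.append((name, rdata, "internal-sounding name"))
    return findings

def residual_risk(zone_text):
    """Apply the message's reasoning: residual risk is low only if the control holds."""
    return "low" if not classify_zone(zone_text) else "elevated"
```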
