[OWASP-TESTING] OWASP WAPT submission

Dan Cornell dan at denimgroup.com
Thu Aug 11 10:42:36 EDT 2005


> I'm in the same camp on this one, if there is no DIRECT
> security risk, then it's not a security-related issue.
> I've seen too many "consultancies" who make a css.bak file
> high risk as some tool/paper said it was
> 

It is true that from an _application_ assessment standpoint if a backup
file doesn't have a vulnerability or leak information then it isn't an
issue.

However from a _process_ assessment standpoint the practice of "version
control by .bak file" is terrible and can have disastrous security
implications.

Any consultancy that lists a css.bak file as a HIGH risk vulnerability
is irresponsible, but not coaching organizations to use proper version
control and to remove unneeded files from their deployments is also
irresponsible.  I don't know what everyone else's experience has been,
but we have found that developer education is as much a part of most of
our application assessment engagements as actually finding
vulnerabilities.

Thanks,


Dan
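As an added illustration of the "remove unneeded files from their deployments" point (example code, not from the thread or from OWASP): a small POSIX shell pre-deployment gate that fails when a web root still contains backup-style leftovers. The suffix list is an assumption about common editor and copy-paste backup names.

```shell
#!/bin/sh
# Added example: a pre-deployment check for "version control by .bak file"
# leftovers. The suffix patterns are an assumption, not an exhaustive list.

# Print every file under the directory $1 whose name looks like a backup.
find_backup_files() {
    find "$1" -type f \( -name '*.bak' -o -name '*.orig' -o -name '*.old' \
        -o -name '*~' -o -name '*.swp' -o -name '*.save' \) 2>/dev/null
}

# Return 0 when the tree is clean, 1 when any backup file is present,
# listing the offenders on stderr so the build log shows what to remove.
check_deployment() {
    hits=$(find_backup_files "$1")
    if [ -n "$hits" ]; then
        printf 'Backup files found under %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample web root: one real stylesheet plus a css .bak copy.
# Returns the gate's verdict for that tree (1, since the .bak is present).
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/css"
    printf 'body{}\n' > "$tmp/css/site.css"
    printf 'body{}\n' > "$tmp/css/site.css.bak"
    check_deployment "$tmp"; rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `check_deployment /path/to/webroot` as a step before copying files to the server; a non-zero exit blocks the deployment.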
