Dan Cornell dan at denimgroup.com
Thu Aug 11 10:42:36 EDT 2005

> I'm in the same camp on this one, if there is no DIRECT 
> security risk, then it's not a security related issue.
> I've seen too many "conslutancies" who make a css.bak file 
> high risk as some tool/paper said it was

It is true that from an _application_ assessment standpoint if a backup
file doesn't have a vulnerability or leak information then it isn't an

However from a _process_ assessment standpoint the practice of "version
control by .bak file" is terrible and can have disastrous security

Any consultancy that lists a css.bak file as a HIGH risk vulnerability
is irresponsible, but not coaching organizations to use proper version
control and to remove unneeded files from their deployments is also
irresponsible.  I don't know what everyone else's experience has been
but we have found that developer education is as much a part of most of
our application assessment engagements as actually finding
