Daniel Cuthbert daniel.cuthbert at owasp.org
Thu Aug 11 10:46:18 EDT 2005

and which I agree with, but we all have to realize what this guide is
focusing on, and that's web application assessments. 80% of the work I'm
doing now relates to developer training and awareness, and OWASP does
have other projects which talk about this, but we have to stick to
what is checked for in a web application assessment only.

On 11 Aug 2005, at 15:42, Dan Cornell wrote:

>> I'm in the same camp on this one: if there is no DIRECT
>> security risk, then it's not a security related issue.
>> I've seen too many "conslutancies" who make a css.bak file
>> high risk as some tool/paper said it was.
> It is true that from an _application_ assessment standpoint if a backup
> file doesn't have a vulnerability or leak information then it isn't an
> issue.
> However, from a _process_ assessment standpoint the practice of "version
> control by .bak file" is terrible and can have disastrous security
> implications.
> Any consultancy that lists a css.bak file as a HIGH risk vulnerability
> is irresponsible, but not coaching organizations to use proper version
> control and to remove unneeded files from their deployments is also
> irresponsible. I don't know what everyone else's experience has been,
> but we have found that developer education is as much a part of most of
> our application assessment engagements as actually finding
> vulnerabilities.
> Thanks,
> Dan
