Questions tagged [risk]

104 questions
6 votes, 2 answers

What are the security benefits or risks of HTTP/2?

Since HTTP/2 is starting to get adopted by more and more sites every day, are there any security benefits or known risks regarding HTTP/2?
Bob Ortiz · 6,234 · 8 · 43 · 90
5 votes, 2 answers

What is the security risk of enabling persistent connection (HTTP Keep-Alive)?

By my understanding, the HTTP Keep-Alive header dictates whether the next packet of communication will be sent over the same connection or not, i.e., if the web app runs over SSL and Keep-Alive is enabled for, say, 60 seconds, then: -any…
5 votes, 4 answers

Security of Cloud Storage

What are the main security risks of popular cloud storage services such as Dropbox? I am torn between the convenience of cloud storage and the potential security risk of it. How can I evaluate whether a particular service meets my security…
h00j · 756 · 1 · 7 · 18
5 votes, 2 answers

How to convert risk scores (CVSSv1, CVSSv2, CVSSv3, OWASP Risk Severity)?

Is there an accurate method or formula to convert risk scores between the OWASP Risk Rating Methodology (Overall Risk Severity) and the CVSS v1, v2 and v3 models' base score? As well as converting scores between the different CVSS versions? For…
Bob Ortiz · 6,234 · 8 · 43 · 90
4 votes, 3 answers

Does allowing everyone to know when a server process was started pose a security risk?

I recently found that in the Microsoft .NET framework an impersonated thread is not allowed to request the "time at which the current process was started". This could be done intentionally or this could be some implementation deficiency. Is there any…
sharptooth · 2,161 · 1 · 19 · 22
4 votes, 1 answer

What are the risks of exposing the Docker for Windows daemon on localhost?

A developer running Docker for Windows needs to enable the option "Expose daemon on tcp://localhost:2375 without TLS" in Docker Settings > General tab. There is a warning: Exposing daemon on TCP without TLS helps legacy clients connect to the…
Ortomala Lokni · 141 · 1 · 8
4 votes, 1 answer

How can I do a maintainable and significant risk assessment in an organisation with thousands of assets?

The problems I see with the typical risk assessment are as follows:
  • Maintaining the list of assets updated
  • Maintaining the status of the treatments updated and the risk level coherent with that.
  • Maintaining the dependency of the assets in a way…
Forced Port · 251 · 1 · 9
4 votes, 3 answers

Are revealed personal emails a security risk?

I am a minor recently employed by a retail company, in the same batch as 10* other new recruits. I have not yet had my first day; however, our manager has sent us all a warm welcoming email. The manager included everyone's emails in the CC box.…
Moe · 43 · 2
4 votes, 1 answer

Should a user be able to reset his password if his email address has not been verified yet?

Please consider a scenario where a user signs up for a web application with his email and password. After registration the user is sent a confirmation email which requires a login/session to confirm the email address. To reset his password the user…
hurb · 141 · 5
4 votes, 2 answers

Do high-level programming languages have more vulnerabilities or security risks than low-level languages?

Do high-level programming languages have more vulnerabilities or security risks than low-level programming languages, and if so, why? Image source: http://a.files.bbci.co.uk/bam/live/content/znmb87h/large
4 votes, 3 answers

Why is it dangerous to let an internal server talk to the internet (to a specific IP)?

Sort of a basic question, but say we have an internal server and want it to talk externally, for example to get new packages. This environment normally does not have access to the internet. I've heard it's "dangerous" to open access from that server…
Myelin · 151 · 2 · 6
4 votes, 1 answer

Is there a security risk in using a symmetric key for both encryption and HMACing?

I am proposing to use an AES key to encrypt some data to send to a third party and, in a completely separate operation/flow, use the same key to create an HMAC of a message to send to the same third party. I have been told that this is a risk to use…
devo · 143 · 3
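The standard way to avoid the situation the question describes (one raw key handed to both AES and HMAC) is key separation: derive an independent sub-key for each primitive from the shared key with a KDF, so neither primitive ever sees the other's key or the raw shared key. The following is an added example and not code from the question or any answer to it. It implements HKDF-SHA256 (RFC 5869) with the standard library only; the purpose labels `aes-256-cbc-key` and `hmac-sha256-key` and the helper names `derive_subkeys` and `check_separation` are this example's own assumptions, not anything the question specifies.

```python
"""Key separation for an encrypt + MAC design: derive distinct sub-keys
from one shared secret with HKDF-SHA256 (RFC 5869). Added example; the
labels and helper names are assumptions made for the illustration."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM). An empty salt is replaced by
    HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated
    and truncated to `length` bytes."""
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested key material too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(shared_key: bytes, context: bytes = b"") -> dict:
    """Return distinct encryption and MAC keys derived from one shared key.
    The `info` label binds each sub-key to its purpose (assumed labels):
    a party holding only the MAC key learns nothing about the encryption
    key, and neither sub-key equals the raw shared key."""
    prk = hkdf_extract(context, shared_key)
    return {
        "enc": hkdf_expand(prk, b"aes-256-cbc-key", 32),
        "mac": hkdf_expand(prk, b"hmac-sha256-key", 32),
    }


def check_separation(shared_key: bytes) -> bool:
    """Property check: derivation is deterministic, and the sub-keys differ
    from each other and from the input key."""
    a = derive_subkeys(shared_key)
    b = derive_subkeys(shared_key)
    return (a == b and a["enc"] != a["mac"]
            and a["enc"] != shared_key and a["mac"] != shared_key)


if __name__ == "__main__":
    # Constructed sample key for the demonstration only; never use a fixed key.
    demo_key = bytes(range(32))
    keys = derive_subkeys(demo_key)
    print("enc:", keys["enc"].hex())
    print("mac:", keys["mac"].hex())
    print("separated:", check_separation(demo_key))
```

The `context` argument is the HKDF salt; in a real deployment pass something both parties already share (a session or protocol identifier) so that the same long-term key yields different sub-keys per context. Using distinct `info` labels per primitive is what gives the domain separation; the labels themselves need not be secret.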
4 votes, 0 answers

What are the security implications of implementing an IVR functionality in my application?

I am planning to implement an Interactive Voice Recognition (IVR) functionality in my python-based application. I will be using IVR as a backup verification method or when a user is going to set up her 2FA for the first time. What are the security…
Dr. mattle · 300 · 1 · 10
3 votes, 2 answers

Will a crossdomain.xml file reduce a potential security risk?

I maintain a website where users are allowed to upload files. I'm already doing some good MIME checks, consistency checks, virus checks, blacklist checks based on hash lists, some other custom checks, and also I used most of the best practices around…
Bob Ortiz · 6,234 · 8 · 43 · 90
3 votes, 1 answer

Relationship between CVSS and Risk Level in Nessus output data

In a Nessus output file, does the Risk Level (e.g. Critical, High, Medium, Low, None) depend on the CVSS score? What relationship, if any, do the Risk Level and CVSS have? Thank you
silverlight · 33 · 1 · 4