[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10
Andrew van der Stock
vanderaj at owasp.org
Tue Nov 4 07:07:00 UTC 2014
I've had some feedback on Twitter about the OWASP Mobile Top 10.
Number 10 includes a control that I don't believe is a sound security
control (security through obfuscation). Coupled with the nature of the
employers of those who contributed, all of whom have some form of
obfuscation product, I'm really not comfortable that M10 is a sound
control, or that the risk of binary analysis is so high that it requires one (no
other OWASP standard contains it!), and more to the point M10 has a
strong appearance of conflict of interest.
I know many of those involved in the project, and don't doubt for a
second their honest desire to create actionable advice, but I am very
concerned that the Mobile Top 10 has an obfuscation control written in
by folks who sell obfuscation controls.
Can we please see the research that demonstrates that binary analysis
is one of the top threats to well written mobile code? I use it as a
way to improve my client's apps, and obfuscation just makes my job
harder, not the code safer.