[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10
jim.manico at owasp.org
Tue Nov 4 07:45:48 UTC 2014
The mobile team heatedly debated this a few months back and it seems
that the vast majority of the team, from what I saw, voted to remove it
in the next version.
On 11/4/14 3:07 PM, Andrew van der Stock wrote:
> Hi folks,
> I've had some feedback on Twitter about the OWASP Mobile Top 10.
> Number 10 includes a control that I don't believe is a sound security
> control (security through obfuscation). Coupled with the nature of the
> employers of those who contributed, all of whom have some form of
> obfuscation product, I'm really not comfortable that M10 is a sound
> control or the risk of binary analysis is so high that requires it (no
> other OWASP standard contains it!), and more to the point M10 has a
> strong appearance of conflict of interest.
> I know many of those involved in the project, and don't doubt for a
> second their honest desire to create actionable advice, but I am very
> concerned that the Mobile Top 10 has an obfuscation control written in
> by folks who sell obfuscation controls.
> Can we please see the research that demonstrates that binary analysis
> is one of the top threats to well written mobile code? I use it as a
> way to improve my client's apps, and obfuscation just makes my job
> harder, not the code safer.