[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Jim Manico jim.manico at owasp.org
Tue Nov 4 07:45:48 UTC 2014


The mobile team heatedly debated this a few months back and it seems 
that the vast majority of the team, from what I saw, voted to remove it 
in the next version.

Aloha,
- Jim

On 11/4/14 3:07 PM, Andrew van der Stock wrote:
> Hi folks,
>
> I've had some feedback on Twitter about the OWASP Mobile Top 10.
> Number 10 includes a control that I don't believe is a sound security
> control (security through obfuscation). Coupled with the nature of the
> employers of those who contributed, all of whom have some form of
> obfuscation product, I'm really not comfortable that M10 is a sound
> control or the risk of binary analysis is so high that it requires it (no
> other OWASP standard contains it!), and more to the point M10 has a
> strong appearance of conflict of interest.
>
> I know many of those involved in the project, and don't doubt for a
> second their honest desire to create actionable advice, but I am very
> concerned that the Mobile Top 10 has an obfuscation control written in
> by folks who sell obfuscation controls.
>
> Can we please see the research that demonstrates that binary analysis
> is one of the top threats to well written mobile code? I use it as a
> way to improve my client's apps, and obfuscation just makes my job
> harder, not the code safer.
>
> thanks
> Andrew
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
