[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10
jonathan.carter at owasp.org
Tue Nov 4 17:51:15 UTC 2014
This was not voted upon or decided to be removed in the next edition. We
are driving this based on the numbers and using a data-driven approach to
On Mon, Nov 3, 2014 at 11:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
> The mobile team heatedly debated this a few months back and it seems that
> the vast majority of the team, from what I saw, voted to remove it in the
> next version.
> - Jim
> On 11/4/14 3:07 PM, Andrew van der Stock wrote:
>> Hi folks,
>> I've had some feedback on Twitter about the OWASP Mobile Top 10.
>> Number 10 includes a control that I don't believe is a sound security
>> control (security through obfuscation). Coupled with the nature of the
>> employers of those who contributed, all of whom have some form of
>> obfuscation product, I'm really not comfortable that M10 is a sound
>> control or the risk of binary analysis is so high that it requires it (no
>> other OWASP standard contains it!), and more to the point M10 has a
>> strong appearance of conflict of interest.
>> I know many of those involved in the project, and don't doubt for a
>> second their honest desire to create actionable advice, but I am very
>> concerned that the Mobile Top 10 has an obfuscation control written in
>> by folks who sell obfuscation controls.
>> Can we please see the research that demonstrates that binary analysis
>> is one of the top threats to well written mobile code? I use it as a
>> way to improve my client's apps, and obfuscation just makes my job
>> harder, not the code safer.
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org