[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Jonathan Carter jonathan.carter at owasp.org
Tue Nov 4 17:51:15 UTC 2014


Hi Jim,
This was not voted upon or decided to be removed in the next edition.  We
are driving this based on the numbers and using a data-driven approach to
this.

On Mon, Nov 3, 2014 at 11:45 PM, Jim Manico <jim.manico at owasp.org> wrote:

> The mobile team heatedly debated this a few months back and it seems that
> the vast majority of the team, from what I saw, voted to remove it in the
> next version.
>
> Aloha,
> - Jim
>
>
> On 11/4/14 3:07 PM, Andrew van der Stock wrote:
>
>> Hi folks,
>>
>> I've had some feedback on Twitter about the OWASP Mobile Top 10.
>> Number 10 includes a control that I don't believe is a sound security
>> control (security through obfuscation). Coupled with the nature of the
>> employers of those who contributed, all of whom have some form of
>> obfuscation product, I'm really not comfortable that M10 is a sound
>> control or the risk of binary analysis is so high that it requires it (no
>> other OWASP standard contains it!), and more to the point M10 has a
>> strong appearance of conflict of interest.
>>
>> I know many of those involved in the project, and don't doubt for a
>> second their honest desire to create actionable advice, but I am very
>> concerned that the Mobile Top 10 has an obfuscation control written in
>> by folks who sell obfuscation controls.
>>
>> Can we please see the research that demonstrates that binary analysis
>> is one of the top threats to well written mobile code? I use it as a
>> way to improve my client's apps, and obfuscation just makes my job
>> harder, not the code safer.
>>
>> thanks
>> Andrew
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>