[Owasp-leaders] OWASP Mobile Top Ten 2014 - M10 Datapoints

Andrew van der Stock vanderaj at owasp.org
Tue Nov 4 23:18:18 UTC 2014


I really should proof the ASVS more closely, as I certainly didn't add
obfuscation to any of the drafts I was involved in. Maybe when we were
aligning ourselves with the Mobile Top 10, it crept in there. I will
ask as I don't think it belongs in the ASVS.

thanks,
Andrew

On Wed, Nov 5, 2014 at 9:34 AM, Jonathan Carter
<jonathan.carter at owasp.org> wrote:
> The ASVS stuff does indeed mention and prescribe trying to prevent static /
> dynamic analysis for sensitive apps (infrastructure; IoT apps; etc).  There
> are other OWASP projects out there that make similar references to
> preventing this stuff: BSIMM and OpenSAMM for example.
>
> On Tue, Nov 4, 2014 at 1:32 PM, Andre Gironda <andreg at gmail.com> wrote:
>>
>> http://scmagazine.com/riskiq-platform/review/4304/
>>
>> This is not just about vendors, but technology choice. A prior work was
>> presented at OWASP AppSecUSA in 2011 from Ryan W Smith on "STAAF: an
>> Efficient Distributed Framework for Performing Large-Scale Android
>> Application Analysis".
>>
>> Both the Mobile Top Ten and the ASVS mention binary-obfuscation technology
>> and anti-debugging/reversing for mobile apps. Should these mentions be
>> removed? I want to say no but I am clearly less biased than Jonathan Carter.
>> By the way, I would like to take credit for adding this material to the
>> MT10. However, I did not add it to ASVS 2.0. Who did that and why?
>>
>> dre
