[Owasp-leaders] OWASP Mobile Top Ten 2014 - M10 Datapoints

Jonathan Carter jonathan.carter at owasp.org
Tue Nov 4 23:26:56 UTC 2014


I believe the ASVS makes references to critical infrastructure apps as
having some form of resistance to reverse engineering and tampering.  All
sorts of independent third-party consultancies also make policy
recommendations to their clients about producing mobile apps that make this
same recommendation.

On Tue, Nov 4, 2014 at 3:18 PM, Andrew van der Stock <vanderaj at owasp.org>
wrote:

> I really should proof the ASVS more closely, as I certainly didn't add
> obfuscation to any of the drafts I was involved in. Maybe when we were
> aligning ourselves with the Mobile Top 10, it crept in there. I will
> ask as I don't think it belongs in the ASVS.
>
> thanks,
> Andrew
>
> On Wed, Nov 5, 2014 at 9:34 AM, Jonathan Carter
> <jonathan.carter at owasp.org> wrote:
> > The ASVS stuff does indeed mention and prescribe trying to prevent
> > static / dynamic analysis for sensitive apps (infrastructure; IoT apps;
> > etc). There are other OWASP projects out there that make similar
> > references to preventing this stuff: BSIMM and OpenSAMM for example.
> >
> > On Tue, Nov 4, 2014 at 1:32 PM, Andre Gironda <andreg at gmail.com> wrote:
> >>
> >> http://scmagazine.com/riskiq-platform/review/4304/
> >>
> >> This is not just about vendors, but technology choice. A prior work was
> >> presented at OWASP AppSecUSA in 2011 from Ryan W Smith on "STAAF: an
> >> Efficient Distributed Framework for Performing Large-Scale Android
> >> Application Analysis".
> >>
> >> Both the Mobile Top Ten and the ASVS mention binary-obfuscation
> >> technology and anti-debugging/reversing for mobile apps. Should these
> >> mentions be removed? I want to say no but I am clearly less biased than
> >> Jonathan Carter. By the way, I would like to take credit for adding
> >> this material to the MT10. However, I did not add it to ASVS 2.0. Who
> >> did that and why?
> >>
> >> dre
> >
>