[Owasp-leaders] [OWASP ASVS] Obfuscation?
yvanboily at gmail.com
Thu Nov 6 18:11:22 UTC 2014
Regardless of the content, Christian is supposed to have been blocked from
participation in OWASP. Has there been a change here?
On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
> Sharing FYI:
> Reliance on Hardening, Not Obfuscation
> Hiding code does not prevent attacks—and it is foolish to assume that it
> does. Open Source development practices rely on actually hardening (or
> improving the security of) code by making it available for peers to test
> and try to break, and then fixing the problems found.
> On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich <
> christian.heinrich at cmlh.id.au> wrote:
>> On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>> <vanderaj at owasp.org> wrote:
>> > I am ashamed to say when reviewing the ASVS 2.0, I totally missed the
>> > inclusion of V17.11, which is a Level 3 control for requiring
>> > obfuscation. Was this included because it was in the Mobile Top 10
>> > 2014?
>> The benefit of obfuscation is that the auditor has to be much higher
>> skilled than the "middle of the bell curve", who just copy and paste a
>> report from their SAST product.
>> This cost should be absorbed by the client since the auditor is
>> required to undertake additional work.
>> In addition, obfuscation also minimises the loss of Intellectual
>> property if the auditor misplaces the source code because the "[wo]man
>> on the street" isn't going to be able to understand it or know what it
>> is without some investment.
>> I vote not to have obfuscation removed from ASVS, but reworded (in the
>> next ASVS release) to include the additional clarification from the
>> next release of the Mobile Top 10.
>> Christian Heinrich
>> Owasp-application-security-verification-standard mailing list
>> Owasp-application-security-verification-standard at lists.owasp.org
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org