[Owasp-leaders] [OWASP ASVS] Obfuscation?

Yvan Boily yvanboily at gmail.com
Thu Nov 6 18:11:22 UTC 2014


Regardless of the content, Christian is supposed to have been blocked from
participation in OWASP.  Has there been a change here?

Regards,
Yvan

On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org> wrote:

> Sharing FYI:
>
> <clip>
> Reliance on Hardening, Not Obfuscation
>
> Hiding code does not prevent attacks—and it is foolish to assume that it
> does. Open Source development practices rely on actually hardening (or
> improving the security of) code by making it available for peers to test
> and try to break, and then fixing the problems found.
> </clip>
>
> From:
>
> http://mil-oss.org/learn-more/security-model-misconceptions
>
> Bev
>
>
> On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich <
> christian.heinrich at cmlh.id.au> wrote:
>
>> Andrew,
>>
>> On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>> <vanderaj at owasp.org> wrote:
>> > I am ashamed to say when reviewing the ASVS 2.0, I totally missed the
>> > inclusion of V17.11, which is a Level 3 control for requiring
>> > obfuscation. Was this included because it was in the Mobile Top 10
>> > 2014?
>>
>> The benefit of obfuscation is that the auditor has to be much higher
>> skilled than the "middle of the bell curve", who just copy and paste a
>> report from their SAST product.
>>
>> This cost should be absorbed by the client since the auditor is
>> required to undertake additional work.
>>
>> In addition, obfuscation also minimises the loss of intellectual
>> property if the auditor misplaces the source code because the "[wo]man
>> on the street" isn't going to be able to understand it or know what it
>> is without some investment.
>>
>> I vote not to have obfuscation removed from ASVS, but reworded (in the
>> next ASVS release) to include the additional clarification from the
>> next release of the Mobile Top 10.
>>
>>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://cmlh.id.au/contact
>> _______________________________________________
>> Owasp-application-security-verification-standard mailing list
>> Owasp-application-security-verification-standard at lists.owasp.org
>>
>> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>