[Owasp-leaders] [OWASP ASVS] Obfuscation?
Steven van der Baan
steven.van.der.baan at owasp.org
Thu Nov 6 20:25:46 UTC 2014
Yvan,
as far as I'm aware there has been no announcement that he should be
blocked and, to be honest, I find this question out of place here.
No, I'm no friend of Mr Heinrich. No, I do not know him. Yes, I realise
that he can be quite a handful, but I firmly believe that this type of
question should not be raised as openly and on multiple lists as you
have done.
Kind regards,
Steven van der Baan.
On 06/11/14 18:11, Yvan Boily wrote:
> Regardless of the content, Christian is supposed to have been blocked
> from participation in OWASP. Has there been a change here?
>
> Regards,
> Yvan
>
> On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org
> <mailto:bev.corwin at owasp.org>> wrote:
>
> Sharing FYI:
>
> <clip>
>
>
> Reliance on Hardening, Not Obfuscation
>
> Hiding code does not prevent attacks—and it is foolish to assume
> that it does. Open Source development practices rely on actually
> hardening (or improving the security of) code by making it
> available for peers to test and try to break, and then fixing the
> problems found.
>
> </clip>
>
> From:
>
> http://mil-oss.org/learn-more/security-model-misconceptions
>
> Bev
>
>
> On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich
> <christian.heinrich at cmlh.id.au
> <mailto:christian.heinrich at cmlh.id.au>> wrote:
>
> Andrew,
>
> On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
> <vanderaj at owasp.org <mailto:vanderaj at owasp.org>> wrote:
> > I am ashamed to say when reviewing the ASVS 2.0, I totally missed the
> > inclusion of V17.11, which is a Level 3 control for requiring
> > obfuscation. Was this included because it was in the Mobile Top 10
> > 2014?
>
> The benefit of obfuscation is that the auditor has to be much more
> highly skilled than the "middle of the bell curve", who just copy and
> paste a report from their SAST product.
>
> This cost should be absorbed by the client since the auditor is
> required to undertake additional work.
>
> In addition, obfuscation also minimises the loss of intellectual
> property if the auditor misplaces the source code because the "[wo]man
> on the street" isn't going to be able to understand it or know what it
> is without some investment.
>
> I vote not to have obfuscation removed from ASVS, but reworded (in the
> next ASVS release) to include the additional clarification from the
> next release of the Mobile Top 10.
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
> _______________________________________________
> Owasp-application-security-verification-standard mailing list
> Owasp-application-security-verification-standard at lists.owasp.org
> <mailto:Owasp-application-security-verification-standard at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>