[Owasp-leaders] [OWASP ASVS] Obfuscation?

Steven van der Baan steven.van.der.baan at owasp.org
Thu Nov 6 20:25:46 UTC 2014


Yvan,

as far as I'm aware there has been no announcement that he should be
blocked and, to be honest, I find this question out of place here.
No, I'm no friend of Mr Heinrich. No, I do not know him. Yes, I realise
that he can be quite a handful, but I firmly believe that this type of
question should not be raised so openly and on multiple lists as you
have done.

Kind regards,
Steven van der Baan.

On 06/11/14 18:11, Yvan Boily wrote:
> Regardless of the content, Christian is supposed to have been blocked
> from participation in OWASP.  Has there been a change here?
>
> Regards,
> Yvan
>
> On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org
> <mailto:bev.corwin at owasp.org>> wrote:
>
>     Sharing FYI:
>
>     <clip>
>
>
>           Reliance on Hardening, Not Obfuscation
>
>     Hiding code does not prevent attacks—and it is foolish to assume
>     that it does. Open Source development practices rely on actually
>     hardening (or improving the security of) code by making it
>     available for peers to test and try to break, and then fixing the
>     problems found.
>
>     </clip>
>
>     From:
>
>     http://mil-oss.org/learn-more/security-model-misconceptions
>
>     Bev
>
>
>     On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich
>     <christian.heinrich at cmlh.id.au
>     <mailto:christian.heinrich at cmlh.id.au>> wrote:
>
>         Andrew,
>
>         On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>         <vanderaj at owasp.org <mailto:vanderaj at owasp.org>> wrote:
>         > I am ashamed to say when reviewing the ASVS 2.0, I totally
>         > missed the inclusion of V17.11, which is a Level 3 control for
>         > requiring obfuscation. Was this included because it was in the
>         > Mobile Top 10 2014?
>
>         The benefit of obfuscation is that the auditor has to be much
>         more highly skilled than the "middle of the bell curve", who just
>         copy and paste a report from their SAST product.
>
>         This cost should be absorbed by the client since the auditor is
>         required to undertake additional work.
>
>         In addition, obfuscation also minimises the loss of intellectual
>         property if the auditor misplaces the source code because the
>         "[wo]man on the street" isn't going to be able to understand it
>         or know what it is without some investment.
>
>         I vote not to have obfuscation removed from ASVS, but reworded
>         (in the next ASVS release) to include the additional
>         clarification from the next release of the Mobile Top 10.
>
>
>         --
>         Regards,
>         Christian Heinrich
>
>         http://cmlh.id.au/contact
>         _______________________________________________
>         Owasp-application-security-verification-standard mailing list
>         Owasp-application-security-verification-standard at lists.owasp.org
>         <mailto:Owasp-application-security-verification-standard at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>
>
>
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
