[Owasp-leaders] [OWASP ASVS] Obfuscation?

Timur 'x' Khrotko (owasp) timur at owasp.org
Thu Nov 6 21:10:50 UTC 2014


+1

On Thu, Nov 6, 2014 at 9:25 PM, Steven van der Baan <
steven.van.der.baan at owasp.org> wrote:

>  Yvan,
>
> as far as I'm aware there has been no announcement that he should be
> blocked and to be honest I find this question out of place here.
> No, I'm no friend of Mr Heinrich. No, I do not know him. Yes, I realise
> that he can be quite a handful, but I firmly believe that this type of
> question should not be expressed as openly and on multiple lists like you
> have done.
>
> Kind regards,
> Steven van der Baan.
>
>
> On 06/11/14 18:11, Yvan Boily wrote:
>
>  Regardless of the content, Christian is supposed to have been blocked
> from participation in OWASP.  Has there been a change here?
>
>  Regards,
> Yvan
>
> On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>
>> Sharing FYI:
>>
>>  <clip>
>> Reliance on Hardening, Not Obfuscation
>>
>> Hiding code does not prevent attacks, and it is foolish to assume that it
>> does. Open Source development practices rely on actually hardening (or
>> improving the security of) code by making it available for peers to test
>> and try to break, and then fixing the problems found.
>> </clip>
>>
>>  From:
>>
>>  http://mil-oss.org/learn-more/security-model-misconceptions
>>
>>  Bev
>>
>>
>> On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich <
>> christian.heinrich at cmlh.id.au> wrote:
>>
>>> Andrew,
>>>
>>> On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>>> <vanderaj at owasp.org> wrote:
>>> > I am ashamed to say when reviewing the ASVS 2.0, I totally missed the
>>> > inclusion of V17.11, which is a Level 3 control for requiring
>>> > obfuscation. Was this included because it was in the Mobile Top 10
>>> > 2014?
>>>
>>> The benefit of obfuscation is that the auditor has to be much more highly
>>> skilled than the "middle of the bell curve", who just copy and paste a
>>> report from their SAST product.
>>>
>>> This cost should be absorbed by the client since the auditor is
>>> required to undertake additional work.
>>>
>>> In addition, obfuscation also minimises the loss of intellectual
>>> property if the auditor misplaces the source code, because the "[wo]man
>>> on the street" isn't going to be able to understand it or know what it
>>> is without some investment.
>>>
>>> I vote not to have obfuscation removed from ASVS, but reworded (in the
>>> next ASVS release) to include the additional clarification from the
>>> next release of the Mobile Top 10.
>>>
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>>
>>> http://cmlh.id.au/contact
>>>  _______________________________________________
>>> Owasp-application-security-verification-standard mailing list
>>> Owasp-application-security-verification-standard at lists.owasp.org
>>>
>>> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>

-- 
This message may contain confidential information - you should handle it 
accordingly.