[Owasp-leaders] [OWASP ASVS] Obfuscation?

Amro amro at owasp.org
Thu Nov 6 21:30:41 UTC 2014


+1

On 11/7/14 12:25 AM, Steven van der Baan wrote:
> Yvan,
>
> as far as I'm aware there has been no announcement that he should be 
> blocked and to be honest I find this question out of place here.
> No, I'm no friend of mr Heinrich. No, I do not know him. Yes, I 
> realise that he can be quite a handful, but I firmly believe that this 
> type of questions should not be expressed as open and on multiple 
> lists like you have done.
>
> Kind regards,
> Steven van der Baan.
>
> On 06/11/14 18:11, Yvan Boily wrote:
>> Regardless of the content, Christian is supposed to have been blocked 
>> from participation in OWASP.  Has there been a change here?
>>
>> Regards,
>> Yvan
>>
>> On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>
>>     Sharing FYI:
>>
>>     <clip>
>>
>>
>>           Reliance on Hardening, Not Obfuscation
>>
>>     Hiding code does not prevent attacks—and it is foolish to assume
>>     that it does. Open Source development practices rely on actually
>>     hardening (or improving the security of) code by making it
>>     available for peers to test and try to break, and then fixing the
>>     problems found.
>>
>>     </clip>
>>
>>     From:
>>
>>     http://mil-oss.org/learn-more/security-model-misconceptions
>>
>>     Bev
>>
>>
>>     On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich
>>     <christian.heinrich at cmlh.id.au> wrote:
>>
>>         Andrew,
>>
>>         On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>>         <vanderaj at owasp.org> wrote:
>>         > I am ashamed to say when reviewing the ASVS 2.0, I totally
>>         > missed the inclusion of V17.11, which is a Level 3 control for
>>         > requiring obfuscation. Was this included because it was in the
>>         > Mobile Top 10 2014?
>>
>>         The benefit of obfuscation is that the auditor has to be much
>>         higher skilled than the "middle of the bell curve", who just
>>         copy and paste a report from their SAST product.
>>
>>         This cost should be absorbed by the client since the auditor is
>>         required to undertake additional work.
>>
>>         In addition, obfuscation also minimises the loss of Intellectual
>>         property if the auditor misplaces the source code because the
>>         "[wo]man on the street" isn't going to be able to understand it
>>         or know what it is without some investment.
>>
>>         I vote not to have obfuscation removed from ASVS, but reworded
>>         (in the next ASVS release) to include the additional
>>         clarification from the next release of the Mobile Top 10.
>>
>>
>>         --
>>         Regards,
>>         Christian Heinrich
>>
>>         http://cmlh.id.au/contact
>>         _______________________________________________
>>         Owasp-application-security-verification-standard mailing list
>>         Owasp-application-security-verification-standard at lists.owasp.org
>>         <mailto:Owasp-application-security-verification-standard at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>
>>
>>
>>     _______________________________________________
>>     OWASP-Leaders mailing list
>>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>
>


