[Owasp-leaders] [OWASP ASVS] Obfuscation?
Amro
amro at owasp.org
Thu Nov 6 21:30:41 UTC 2014
+1
On 11/7/14 12:25 AM, Steven van der Baan wrote:
> Yvan,
>
> as far as I'm aware there has been no announcement that he should be
> blocked and to be honest I find this question out of place here.
> No, I'm no friend of mr Heinrich. No, I do not know him. Yes, I
> realise that he can be quite a handful, but I firmly believe that this
> type of questions should not be expressed as open and on multiple
> lists like you have done.
>
> Kind regards,
> Steven van der Baan.
>
> On 06/11/14 18:11, Yvan Boily wrote:
>> Regardless of the content, Christian is supposed to have been blocked
>> from participation in OWASP. Has there been a change here?
>>
>> Regards,
>> Yvan
>>
>> On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>
>> Sharing FYI:
>>
>> <clip>
>>
>>
>> Reliance on Hardening, Not Obfuscation
>>
>> Hiding code does not prevent attacks, and it is foolish to assume
>> that it does. Open Source development practices rely on actually
>> hardening (or improving the security of) code by making it
>> available for peers to test and try to break, and then fixing the
>> problems found.
>>
>> </clip>
>>
>> From:
>>
>> http://mil-oss.org/learn-more/security-model-misconceptions
>>
>> Bev
>>
>>
>> On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich
>> <christian.heinrich at cmlh.id.au> wrote:
>>
>> Andrew,
>>
>> On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>> <vanderaj at owasp.org> wrote:
>> > I am ashamed to say when reviewing the ASVS 2.0, I totally missed the
>> > inclusion of V17.11, which is a Level 3 control for requiring
>> > obfuscation. Was this included because it was in the Mobile Top 10
>> > 2014?
>>
>> The benefit of obfuscation is that the auditor has to be much higher
>> skilled than the "middle of the bell curve", who just copy and paste a
>> report from their SAST product.
>>
>> This cost should be absorbed by the client since the auditor is
>> required to undertake additional work.
>>
>> In addition, obfuscation also minimises the loss of Intellectual
>> Property if the auditor misplaces the source code because the "[wo]man
>> on the street" isn't going to be able to understand it or know what it
>> is without some investment.
>>
>> I vote not to have obfuscation removed from ASVS, but reworded (in the
>> next ASVS release) to include the additional clarification from the
>> next release of the Mobile Top 10.
>>
>>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://cmlh.id.au/contact
>> _______________________________________________
>> Owasp-application-security-verification-standard mailing list
>> Owasp-application-security-verification-standard at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders