[Owasp-leaders] [OWASP ASVS] Obfuscation?

Steven van der Baan steven.van.der.baan at owasp.org
Thu Nov 6 21:12:22 UTC 2014


I personally would have preferred that, for now, the leaders list was
not included as there is already too much bickering going on there. And
as you say, if the board fails to make a decision or is unable to
enforce the code of ethics, then it would have been just to include the
leaders list in a 'call to action'. I agree that the community deserves
more. I can only hope there will be an announcement soon to resolve it all.

Kind regards,

On 06/11/14 20:57, Yvan Boily wrote:
> It would have been out of line if I had posted this line of inquiry
> back to the individual project threads.  I changed the venue for these
> comments to the leaders list and the governance team.  I also added
> the board to this message.
> Bottom line, the board has not acted to protect the community from
> someone who has regularly posted abusive messages, and has persisted
> in doing so since the complaint was filed.  I don't really care
> whether his content is technically valid, I care about the harm of
> allowing known bad actors to continue to participate at the expense of
> others.
> I don't know him either, and I am not personally invested in the
> outcome of the decision that the board makes regarding Christian; I am
> personally invested in knowing whether or not OWASP is willing to
> follow its own rules.  If the board is failing to enforce the code
> of ethics, then this is an issue for the leaders and the governance
> team.  OWASP contributors deserve better than this.
> Regards,
> Yvan Boily
> On Thu, Nov 6, 2014 at 12:25 PM, Steven van der Baan
> <steven.van.der.baan at owasp.org> wrote:
>     Yvan,
>     as far as I'm aware there has been no announcement that he should
>     be blocked and to be honest I find this question out of place here.
>     No, I'm no friend of Mr Heinrich. No, I do not know him. Yes, I
>     realise that he can be quite a handful, but I firmly believe that
>     this type of question should not be expressed as openly and on
>     multiple lists as you have done.
>     Kind regards,
>     Steven van der Baan.
>     On 06/11/14 18:11, Yvan Boily wrote:
>>     Regardless of the content, Christian is supposed to have been
>>     blocked from participation in OWASP.  Has there been a change here?
>>     Regards,
>>     Yvan
>>     On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>         Sharing FYI:
>>         <clip>
>>         Reliance on Hardening, Not Obfuscation
>>
>>         Hiding code does not prevent attacks—and it is foolish to
>>         assume that it does. Open Source development practices rely
>>         on actually hardening (or improving the security of) code by
>>         making it available for peers to test and try to break, and
>>         then fixing the problems found.
>>         </clip>
>>         From:
>>         http://mil-oss.org/learn-more/security-model-misconceptions
>>         Bev
>>         On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich
>>         <christian.heinrich at cmlh.id.au> wrote:
>>             Andrew,
>>             On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>>             <vanderaj at owasp.org> wrote:
>>             > I am ashamed to say when reviewing the ASVS 2.0, I totally
>>             > missed the inclusion of V17.11, which is a Level 3 control
>>             > for requiring obfuscation. Was this included because it was
>>             > in the Mobile Top 10 2014?
>>
>>             The benefit of obfuscation is that the auditor has to be much
>>             more highly skilled than the "middle of the bell curve", who
>>             just copy and paste a report from their SAST product.
>>
>>             This cost should be absorbed by the client since the auditor
>>             is required to undertake additional work.
>>
>>             In addition, obfuscation also minimises the loss of
>>             Intellectual Property if the auditor misplaces the source
>>             code, because the "[wo]man on the street" isn't going to be
>>             able to understand it or know what it is without some
>>             investment.
>>
>>             I vote not to have obfuscation removed from ASVS, but reworded
>>             (in the next ASVS release) to include the additional
>>             clarification from the next release of the Mobile Top 10.
>>             --
>>             Regards,
>>             Christian Heinrich
>>             http://cmlh.id.au/contact
