[Owasp-leaders] [OWASP ASVS] Obfuscation?

Josh Sokol josh.sokol at owasp.org
Fri Nov 7 20:51:23 UTC 2014


My apologies Matt.  I was participating remotely and definitely was having
a difficult time hearing at times.  It is entirely possible that I misheard
you.  It's ironically a bit like the code obfuscation topic that started
all of this.  While I agree that banning an e-mail address is probably not
a foolproof solution to the problem at hand (just like code obfuscation),
it is at least some part of a defense-in-depth solution to raise the LOE
involved to exploit.  I am unable to find the notes or recording from that
meeting where we discussed it and Michael (who I think may have it) is out
on honeymoon, but once we have it, I think we need to re-review the
resulting decision and the controls that we will put in place to enforce
the decision.

Regarding Yvan's proposed policy of notification of the complainant, I'm
honestly not sure and would need to take this up to the rest of the Board.
I certainly see why you would want this, and could mostly get behind
notifying the complainant, but the community notification part we need to
tread lightly.  Specifically because our ethics policy states that we
shouldn't injure or impugn the reputation of others and this type of action
has been construed as such in the past.  Not saying that we shouldn't do
it, just that we should be very careful if we do.

~josh

On Thu, Nov 6, 2014 at 10:04 PM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> Yvan is 100% correct with:
> [snip]
> The technical enforcement aspect is only one part of it.  Technical
> measures to curtail participation are a rathole, especially for security
> folks since many of us have "figure out how to bypass controls" as part of
> our of our professional repertoire.
> [snip]
>
> Any attempt to ban someone from the OWASP lists with a technical measure
> such as rejecting an address at the email gateway or banning an address
> from posting to Mailman would be trivial to bypass.
>
> It would be like bringing a dull knife to a gun fight.
>
> Josh:  Perhaps you misheard me since you were remote for the board meeting
> in Denver/September - that's the only board meeting I've attended in quite
> some time.  If I said anything like that - or was asked, it would be to say
> its technically possible to implement but absolutely useless as an
> effective measure to stop someone determined to post to a one of our public
> lists.
>
> [snip] Not sure where the ball was dropped there [snip]
>
> Honestly, I don't think the ball was ever in the air to begin with.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20141107/780fd738/attachment-0001.html>


More information about the OWASP-Leaders mailing list