<div dir="ltr">+1<div class="gmail_extra"><div><div class="gmail_signature"><div dir="ltr"><div><br></div></div></div></div><div class="gmail_quote">On Thu, Nov 6, 2014 at 9:25 PM, Steven van der Baan <span dir="ltr"><<a href="mailto:steven.van.der.baan@owasp.org" target="_blank">steven.van.der.baan@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Yvan,<br>
    <br>
    as far as I'm aware there has been no announcement that he should be
    blocked and to be honest I find this question out of place here. <br>
    No, I'm no friend of Mr Heinrich. No, I do not know him. Yes, I
    realise that he can be quite a handful, but I firmly believe that
    this type of question should not be expressed as open and on
    multiple lists like you have done.<br>
    <br>
    Kind regards,<br>
    Steven van der Baan.<div><div class="h5"><br>
    <br>
    <div>On 06/11/14 18:11, Yvan Boily wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>Regardless of the content, Christian is supposed to have
          been blocked from participation in OWASP.  Has there been a
          change here?<br>
          <br>
        </div>
        Regards,<br>
        Yvan<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Nov 6, 2014 at 7:20 AM, Bev
          Corwin <span dir="ltr"><<a href="mailto:bev.corwin@owasp.org" target="_blank">bev.corwin@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Sharing FYI:
              <div><br>
              </div>
              <div>&lt;clip&gt;<br>
                <h3>Reliance
                  on Hardening, Not Obfuscation</h3>
                <p>Hiding
                  code does not prevent attacks—and it is foolish to
                  assume that it does. Open Source development practices
                  rely on actually hardening (or improving the security
                  of) code by making it available for peers to test and
                  try to break, and then fixing the problems found.</p>
                <div>&lt;/clip&gt;</div>
                <div><br>
                </div>
                <div>From:</div>
                <div><br>
                </div>
                <div><a href="http://mil-oss.org/learn-more/security-model-misconceptions" target="_blank">http://mil-oss.org/learn-more/security-model-misconceptions</a><br>
                </div>
              </div>
              <div><br>
              </div>
              <div>Bev</div>
              <div><br>
              </div>
            </div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">On Tue, Nov 4, 2014 at 8:29 PM,
                Christian Heinrich <span dir="ltr"><<a href="mailto:christian.heinrich@cmlh.id.au" target="_blank">christian.heinrich@cmlh.id.au</a>></span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Andrew,<br>
                  <span><br>
                    On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der
                    Stock<br>
                    <<a href="mailto:vanderaj@owasp.org" target="_blank">vanderaj@owasp.org</a>>
                    wrote:<br>
                    > I am ashamed to say when reviewing the ASVS
                    2.0, I totally missed the<br>
                    > inclusion of V17.11, which is a Level 3 control
                    for requiring<br>
                    > obfuscation. Was this included because it was
                    in the Mobile Top 10<br>
                    > 2014?<br>
                    <br>
                  </span>The benefit of obfuscation is that the auditor
                  has to be much higher<br>
                  skilled than the "middle of the bell curve", who just
                  copy and paste a<br>
                  report from their SAST product.<br>
                  <br>
                  This cost should be absorbed by the client since the
                  auditor is<br>
                  required to undertake additional work.<br>
                  <br>
                  In addition, obfuscation also minimises the loss of
                  Intellectual<br>
                  property if the auditor misplaces the source code
                  because the "[wo]man<br>
                  on the street" isn't going to be able to understand it
                  or know what it<br>
                  is without some investment.<br>
                  <br>
                  I vote not to have obfuscation removed from ASVS, but
                  reworded (in the<br>
                  next ASVS release) to include the additional
                  clarification from the<br>
                  next release of the Mobile Top 10.<br>
                  <span><font color="#888888"><br>
                      <span><font color="#888888">
                          <br>
                          --<br>
                          Regards,<br>
                          Christian Heinrich<br>
                          <br>
                          <a href="http://cmlh.id.au/contact" target="_blank">http://cmlh.id.au/contact</a><br>
                        </font></span></font></span><span><font color="#888888">
                      <div>
                        <div>_______________________________________________<br>
                          Owasp-application-security-verification-standard
                          mailing list<br>
                          <a href="mailto:Owasp-application-security-verification-standard@lists.owasp.org" target="_blank">Owasp-application-security-verification-standard@lists.owasp.org</a><br>
                          <a href="https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard</a><br>
                        </div>
                      </div>
                    </font></span></blockquote>
              </div>
              <br>
            </div>
            <br>
            _______________________________________________<br>
            OWASP-Leaders mailing list<br>
            <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
            <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div></div>

<br>