<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    True<br>
    <br>
    I personally would have preferred it that, for now, the leaders list
    was not included as there is already too much bickering going on
    there. And as you say, if the board fails to make a decision or is
    unable to enforce the code of ethics, then it would have been just
    to include the leaders list in a 'call to action'. I agree that the
    community deserves more. I can only hope there will be an
    announcement soon to resolve it all.<br>
    <br>
    Kind regards,<br>
    Steven.<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 06/11/14 20:57, Yvan Boily wrote:<br>
    </div>
    <blockquote
cite="mid:CAD_ZbKx+oS3c+-=bwGWLMZhwS6YtOU=+wpwkmHRPw2ouK71drQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>It would have been out of line if I had posted this
              line of inquiry back to the individual project threads.  I
              changed the venue for these comments to the leaders list
              and the governance team.  I also added the board to this
              message.<br>
            </div>
            <div><br>
            </div>
            Bottom line, the board has not acted to protect the
            community from someone who has regularly posted abusive
            messages, and has persisted in doing so since the complaint
            was filed.  I don't really care whether his content is
            technically valid, I care about the harm of allowing known
            bad actors to continue to participate at the expense of
            others.<br>
            <br>
          </div>
          I don't know him either, and I am not personally invested in
          the outcome of the decision that the board makes regarding
          Christian; I am personally invested in knowing whether or not
          OWASP is willing to follow its own rules.  If the board is
          failing to enforce the code of ethics, then this is an issue
          for the leaders and the governance team.  OWASP contributors
          deserve better than this.<br>
          <br>
        </div>
        Regards,<br>
        Yvan Boily<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Nov 6, 2014 at 12:25 PM, Steven
          van der Baan <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:steven.van.der.baan@owasp.org"
              target="_blank">steven.van.der.baan@owasp.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Yvan,<br>
              <br>
              as far as I'm aware there has been no announcement that he
              should be blocked and to be honest I find this question
              out of place here. <br>
              No, I'm no friend of Mr Heinrich. No, I do not know him.
              Yes, I realise that he can be quite a handful, but I
              firmly believe that this type of question should not be
              expressed as open and on multiple lists like you have
              done.<br>
              <br>
              Kind regards,<br>
              Steven van der Baan.
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 06/11/14 18:11, Yvan Boily wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>Regardless of the content, Christian is
                        supposed to have been blocked from participation
                        in OWASP.  Has there been a change here?<br>
                        <br>
                      </div>
                      Regards,<br>
                      Yvan<br>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Nov 6, 2014 at
                        7:20 AM, Bev Corwin <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:bev.corwin@owasp.org"
                            target="_blank">bev.corwin@owasp.org</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">Sharing FYI:
                            <div><br>
                            </div>
                            <div>&lt;clip&gt;<br>
                              <h3>Reliance on Hardening, Not Obfuscation</h3>
                              <p>Hiding code does not prevent
                                attacks—and it is foolish to assume that
                                it does. Open Source development
                                practices rely on actually hardening (or
                                improving the security of) code by
                                making it available for peers to test
                                and try to break, and then fixing the
                                problems found.</p>
                              <div>&lt;/clip&gt;</div>
                              <div><br>
                              </div>
                              <div>From:</div>
                              <div><br>
                              </div>
                              <div><a moz-do-not-send="true"
                                  href="http://mil-oss.org/learn-more/security-model-misconceptions"
                                  target="_blank">http://mil-oss.org/learn-more/security-model-misconceptions</a><br>
                              </div>
                            </div>
                            <div><br>
                            </div>
                            <div>Bev</div>
                            <div><br>
                            </div>
                          </div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Tue, Nov 4, 2014
                              at 8:29 PM, Christian Heinrich <span
                                dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:christian.heinrich@cmlh.id.au" target="_blank">christian.heinrich@cmlh.id.au</a>&gt;</span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">Andrew,<br>
                                <span><br>
                                  On Wed, Nov 5, 2014 at 10:22 AM,
                                  Andrew van der Stock<br>
                                  &lt;<a moz-do-not-send="true"
                                    href="mailto:vanderaj@owasp.org"
                                    target="_blank">vanderaj@owasp.org</a>&gt;

                                  wrote:<br>
                                  > I am ashamed to say when
                                  reviewing the ASVS 2.0, I totally
                                  missed the<br>
                                  > inclusion of V17.11, which is a
                                  Level 3 control for requiring<br>
                                  > obfuscation. Was this included
                                  because it was in the Mobile Top 10<br>
                                  > 2014?<br>
                                  <br>
                                </span>The benefit of obfuscation is
                                that the auditor has to be much higher<br>
                                skilled than the "middle of the bell
                                curve", who just copy and paste a<br>
                                report from their SAST product.<br>
                                <br>
                                This cost should be absorbed by the
                                client since the auditor is<br>
                                required to undertake additional work.<br>
                                <br>
                                In addition, obfuscation also minimises
                                the loss of Intellectual<br>
                                property if the auditor misplaces the
                                source code because the "[wo]man<br>
                                on the street" isn't going to be able to
                                understand it or know what it<br>
                                is without some investment.<br>
                                <br>
                                I vote not to have obfuscation removed
                                from ASVS, but reworded (in the<br>
                                next ASVS release) to include the
                                additional clarification from the<br>
                                next release of the Mobile Top 10.<br>
                                <span><font color="#888888"><br>
                                    <span><font color="#888888"> <br>
                                        --<br>
                                        Regards,<br>
                                        Christian Heinrich<br>
                                        <br>
                                        <a moz-do-not-send="true"
                                          href="http://cmlh.id.au/contact"
                                          target="_blank">http://cmlh.id.au/contact</a><br>
                                      </font></span></font></span><span><font
                                    color="#888888">
                                    <div>
                                      <div>_______________________________________________<br>
                                        Owasp-application-security-verification-standard

                                        mailing list<br>
                                        <a moz-do-not-send="true"
href="mailto:Owasp-application-security-verification-standard@lists.owasp.org"
                                          target="_blank">Owasp-application-security-verification-standard@lists.owasp.org</a><br>
                                        <a moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard"
                                          target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard</a><br>
                                      </div>
                                    </div>
                                  </font></span></blockquote>
                            </div>
                            <br>
                          </div>
                          <br>
_______________________________________________<br>
                          OWASP-Leaders mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:OWASP-Leaders@lists.owasp.org"
                            target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                          <a moz-do-not-send="true"
                            href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                            target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>