<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">+1<br>
      <br>
      On 11/7/14 12:25 AM, Steven van der Baan wrote:<br>
    </div>
    <blockquote cite="mid:545BD94A.9050509@owasp.org" type="cite">
      Yvan,<br>
      <br>
      as far as I'm aware there has been no announcement that he should
      be blocked and to be honest I find this question out of place
      here. <br>
      No, I'm no friend of Mr Heinrich. No, I do not know him. Yes, I
      realise that he can be quite a handful, but I firmly believe that
      this type of question should not be expressed as openly and on
      multiple lists like you have done.<br>
      <br>
      Kind regards,<br>
      Steven van der Baan.<br>
      <br>
      <div class="moz-cite-prefix">On 06/11/14 18:11, Yvan Boily wrote:<br>
      </div>
      <blockquote
cite="mid:CAD_ZbKygU6SR6iw9+wN+_0suWz_7VdM3ZCfSok3QDJwCEMcsWA@mail.gmail.com"
        type="cite">
        <div dir="ltr">
          <div>Regardless of the content, Christian is supposed to have
            been blocked from participation in OWASP.  Has there been a
            change here?<br>
            <br>
          </div>
          Regards,<br>
          Yvan<br>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, Nov 6, 2014 at 7:20 AM, Bev
            Corwin <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:bev.corwin@owasp.org" target="_blank">bev.corwin@owasp.org</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">Sharing FYI:
                <div><br>
                </div>
                <div>&lt;clip&gt;<br>
                  <h3 style="margin:15px 0px
10px;padding:0px;font-weight:normal;font-size:18px;line-height:18px;font-family:'TrebuchetMS',Verdana,Arial,sans-serif;color:rgb(89,90,89);background-color:rgb(238,239,240)">Reliance

                    on Hardening, Not Obfuscation</h3>
                  <p style="margin:10px 0px
                    15px;padding:0px;color:rgb(133,133,134);font-family:'Trebuchet
MS',Verdana,Arial,sans-serif;font-size:13px;line-height:19.5px;background-color:rgb(238,239,240)">Hiding

                    code does not prevent attacks—and it is foolish to
                    assume that it does. Open Source development
                    practices rely on actually hardening (or improving
                    the security of) code by making it available for
                    peers to test and try to break, and then fixing the
                    problems found.</p>
                  <div>&lt;/clip&gt;</div>
                  <div><br>
                  </div>
                  <div>From:</div>
                  <div><br>
                  </div>
                  <div><a moz-do-not-send="true"
                      href="http://mil-oss.org/learn-more/security-model-misconceptions"
                      target="_blank">http://mil-oss.org/learn-more/security-model-misconceptions</a><br>
                  </div>
                </div>
                <div><br>
                </div>
                <div>Bev</div>
                <div><br>
                </div>
              </div>
              <div class="gmail_extra"><br>
                <div class="gmail_quote">On Tue, Nov 4, 2014 at 8:29 PM,
                  Christian Heinrich <span dir="ltr">&lt;<a
                      moz-do-not-send="true"
                      href="mailto:christian.heinrich@cmlh.id.au"
                      target="_blank">christian.heinrich@cmlh.id.au</a>&gt;</span>
                  wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">Andrew,<br>
                    <span><br>
                      On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der
                      Stock<br>
                      &lt;<a moz-do-not-send="true"
                        href="mailto:vanderaj@owasp.org" target="_blank">vanderaj@owasp.org</a>&gt;

                      wrote:<br>
                      > I am ashamed to say when reviewing the ASVS
                      2.0, I totally missed the<br>
                      > inclusion of V17.11, which is a Level 3
                      control for requiring<br>
                      > obfuscation. Was this included because it was
                      in the Mobile Top 10<br>
                      > 2014?<br>
                      <br>
                    </span>The benefit of obfuscation is that the
                    auditor has to be much higher<br>
                    skilled than the "middle of the bell curve", who
                    just copy and paste a<br>
                    report from their SAST product.<br>
                    <br>
                    This cost should be absorbed by the client since the
                    auditor is<br>
                    required to undertake additional work.<br>
                    <br>
                    In addition, obfuscation also minimises the loss of
                    Intellectual<br>
                    property if the auditor misplaces the source code
                    because the "[wo]man<br>
                    on the street" isn't going to be able to understand
                    it or know what it<br>
                    is without some investment.<br>
                    <br>
                    I vote not to have obfuscation removed from ASVS,
                    but reworded (in the<br>
                    next ASVS release) to include the additional
                    clarification from the<br>
                    next release of the Mobile Top 10.<br>
                    <span><font color="#888888"><br>
                        <span class="HOEnZb"><font color="#888888"> <br>
                            --<br>
                            Regards,<br>
                            Christian Heinrich<br>
                            <br>
                            <a moz-do-not-send="true"
                              href="http://cmlh.id.au/contact"
                              target="_blank">http://cmlh.id.au/contact</a><br>
                          </font></span></font></span><span
                      class="HOEnZb"><font color="#888888">
                        <div>
                          <div>_______________________________________________<br>
                            Owasp-application-security-verification-standard

                            mailing list<br>
                            <a moz-do-not-send="true"
href="mailto:Owasp-application-security-verification-standard@lists.owasp.org"
                              target="_blank">Owasp-application-security-verification-standard@lists.owasp.org</a><br>
                            <a moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard"
                              target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard</a><br>
                          </div>
                        </div>
                      </font></span></blockquote>
                </div>
                <br>
              </div>
              <br>
              _______________________________________________<br>
              OWASP-Leaders mailing list<br>
              <a moz-do-not-send="true"
                href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
              <a moz-do-not-send="true"
                href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
              <br>
            </blockquote>
          </div>
          <br>
        </div>
        <br>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
  </body>
</html>