wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


Vote on making WAFEC a WASC/OWASP project

OS
Ofer Shezaf
Mon, Nov 12, 2012 10:17 AM

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and OWASP
project.

The proposed guidelines for this move are (updated based on comments from
the group and WASC officers):

  •     The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".

  •     Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The project leader is the arbitrator in case of a conflict (this change is based on a request by Jeremiah Grossman, WASC founder).

  •     Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I
would go a step further: it is needed to ensure we actually succeed:

Why?

  •     Making it happen - we need more people. I now have two chapters assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.

  •     Outreach - people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

  •     Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project
successfully otherwise.

~ Ofer

Ofer Shezaf

[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]

AH
Achim Hoffmann
Mon, Nov 12, 2012 10:50 AM

Hi Ofer,

my vote is yes: join WASC and OWASP for WAFEC.

According to your description, I have some questions for clarification; please
see inline below.

Cheers
Achim

On 12.11.2012 11:17, Ofer Shezaf wrote:

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and OWASP
project.

The proposed guidelines for this move are (updated based on comments from
the group and WASC officers):

  •     The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".

  •     Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers.

What does this mean: "decision about the project which is not within the project team"

Could you please give an example.
I.g. OWASP GPC only gives the "go" for a project, that's it.
If a project gets abandoned, it will be marked so.

The project
leader is the arbitrator in case of a conflict (this change is based on a
request by Jeremiah Grossman, WASC founder).

Does this mean that the (OWASP) project leader does not/must not participate in
writing the document?
@Jeremiah, I can imagine your objections due to other (probably ;-) biased projects,
but a bit of a description of what the leader should and should not do would be nice.

  •     Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I
would go a step further: it is needed to ensure we actually succeed:

Why?

  •     Making it happen - we need more people. I now have two chapters assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.

  •     Outreach - people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

  •     Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project
successfully otherwise.

~ Ofer

JT
Julian Totzek
Mon, Nov 12, 2012 10:55 AM

Hi,

my vote is as well yes: join WASC and OWASP for WAFEC.

Cheers

Julian Totzek-Hallhuber
Pre Sales Team Leader
Direct: +49 6124 70 25 50 2
Mobile : +49 160 97 28 50 04
jtotzek@denyall.com

On 12.11.2012 at 11:17, Ofer Shezaf <ofer@shezaf.com> wrote:

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and OWASP project.

The proposed guidelines for this move are (updated based on comments from the group and WASC officers):
•        The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".
•        Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The project leader is the arbitrator in case of a conflict (this change is based on a request by Jeremiah Grossman, WASC founder).
•        Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I would go a step further: it is needed to ensure we actually succeed:

Why?
•        Making it happen – we need more people. I now have two chapters assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.

•        Outreach – people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

•        Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project successfully otherwise.

~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]


wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org

S
Seba
Mon, Nov 12, 2012 11:36 AM

I vote yes.

Seba

On Mon, Nov 12, 2012 at 11:17 AM, Ofer Shezaf ofer@shezaf.com wrote:


Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and OWASP
project.

The proposed guidelines for this move are (updated based on comments from
the group and WASC officers):

·        The name, when affiliation is used, would be "The
WASC/OWASP Web Application Firewall Evaluation Criteria".

·        Governance would be mutual, i.e. any decision about the
project which is not within the project team itself has to be agreed upon
by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The
project leader is the arbitrator in case of a conflict (this change is
based on a request by Jeremiah Grossman, WASC founder).

·        Participation is open for all and does not require being an
OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I
would go a step further: it is needed to ensure we actually succeed:

Why?

·        Making it happen – we need more people. I now have two
chapters assigned and many are still waiting. Joining hands with OWASP will
make joining the project appealing to many more people.

·        Outreach – people in the application security community
have heard about OWASP, and joining hands with OWASP would enable
leveraging this to reach more people. This includes chapters outreach (from
Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in
local and global conferences.

·        Vendor image - WASC is perceived as a "vendors'
organization" and the list of participants in WAFEC certainly proves that.
Affiliation with OWASP will help popularize WAFEC also with customers,
which I think is very good for the project.

I must say I think it would be hard for me to complete the project
successfully otherwise.

~ Ofer

Ofer Shezaf

[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]




JW
Jeff Williams
Mon, Nov 12, 2012 2:21 PM

Yes.

--Jeff

On Nov 12, 2012, at 6:36 AM, "Seba" seba@owasp.org wrote:

I vote yes.

Seba

On Mon, Nov 12, 2012 at 11:17 AM, Ofer Shezaf ofer@shezaf.com wrote:

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and OWASP project.

The proposed guidelines for this move are (updated based on comments from the group and WASC officers):

·        The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".

·        Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The project leader is the arbitrator in case of a conflict (this change is based on a request by Jeremiah Grossman, WASC founder).

·        Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I would go a step further: it is needed to ensure we actually succeed:

Why?

·        Making it happen – we need more people. I now have two chapters assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.

·        Outreach – people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

·        Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project successfully otherwise.

~ Ofer

Ofer Shezaf

[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]



PS
Przemyslaw Skowron
Mon, Nov 12, 2012 2:22 PM

Yes.

--
Przemyslaw Skowron, <przemyslaw.skowron {at} gmail.com>

RB
Ryan Barnett
Mon, Nov 12, 2012 5:31 PM

I vote - YES.

From:  Ofer Shezaf ofer@shezaf.com
Date:  Monday, November 12, 2012 5:17 AM
To:  wasc-wafec@lists.webappsec.org
Subject:  [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and OWASP
project.

The proposed guidelines for this move are (updated based on comments from the
group and WASC officers):
·        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

·        Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the OWASP
GPC (i.e. Project Committee) and by the WASC officers. The project leader is
the arbitrator in case of a conflict (this change is based on a request by
Jeremiah Grossman, WASC founder).

·        Participation is open for all and does not require being an OWASP or
a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I would
go a step further: it is needed to ensure we actually succeed:

Why?
·        Making it happen - we need more people. I now have two chapters
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.

·        Outreach - people in the application security community have heard
about OWASP, and joining hands with OWASP would enable leveraging this to
reach more people. This includes chapters outreach (from Khartoum, The Sudan
to Omaha, Nebraska) as well as an official room in local and global
conferences.

·        Vendor image - WASC is perceived as a "vendors' organization" and
the list of participants in WAFEC certainly proves that. Affiliation with
OWASP will help popularize WAFEC also with customers, which I think is very
good for the project.

I must say I think it would be hard for me to complete the project
successfully otherwise.

~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]


OS
Ofer Shezaf
Mon, Nov 12, 2012 7:35 PM

I think that Jeremiah's comment was about conflict between WASC and OWASP and not between team members; we are too many to assume a vote would end in a draw (and too few writers to allow me not to write anything).

This of course brings us back to the governance questions in the first place: when would a WASC officers' and GPC decision be needed? As usual, such clauses are there to avoid unintended results even if not foreseen now. Setting general guidelines for projects at OWASP or WASC would be a good example. A recent (and not very critical) example was a suggestion, made several weeks ago, to have all projects move to a common source repository. The common governance rules mean that WAFEC would not have to follow that new guideline.

~ Ofer

-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Monday, November 12, 2012 12:51 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Hi Ofer,

my vote is yes: join WASC and OWASP for WAFEC.

According to your description, I have some questions for clarification; please see inline below.

Cheers
Achim

On 12.11.2012 11:17, Ofer Shezaf wrote:

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and
OWASP project.

The proposed guidelines for this move are (updated based on comments
from the group and WASC officers):

  •     The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".

  •     Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers.

What does this mean: "decision about the project which is not within the project team"

Could you please give an example.
I.g. OWASP GPC only gives the "go" for a project, that's it.
If a project gets abandoned, it will be marked so.

The project
leader is the arbitrator in case of a conflict (this change is based
on a request by Jeremiah Grossman, WASC founder).

Does this mean that the (OWASP) project leader does not/must not participate in writing the document?
@Jeremiah, I can imagine your objections due to other (probably ;-) biased projects, but a bit of a description of what the leader should and should not do would be nice.

  •     Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that
is UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously.
I would go a step further: it is needed to ensure we actually succeed:

Why?

  •     Making it happen - we need more people. I now have two chapter
    

assigned and many are still waiting.  Joining hands with OWASP will
make joining the project appealing to many more people.

  •     Outreach - people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

  •     Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project
successfully otherwise.

~ Ofer

CH
Christian Heinrich
Mon, Nov 12, 2012 8:55 PM

Ofer,

I have been able to address some but not all of your e-mail and I will
attempt to complete the reply over this weekend i.e. before 19
November.

Below is what I can address right at this moment:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

·        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception of
WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

·        Participation is open for all and does not require being an OWASP
or a WASC member.

Will I be able to present WAFEC at OWASP Conferences and Chapters?

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)

I believe the vote should be weighted somehow based on people's
allegiance to OWASP and/or WASC, otherwise the vote could be perceived
as biased?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

OS
Ofer Shezaf
Mon, Nov 12, 2012 9:13 PM

With regards to most of your comments: I am not going to change the voting
agenda and process now.

With regard to presenting WAFEC in OWASP events, I think this is an
important comment and my answer is that as a WAFEC project member you should
be able to and I will make sure this is known. I need to say I don't think
you are limited from presenting in OWASP meetings today - presentation is
not limited to OWASP members.

~ Ofer

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Monday, November 12, 2012 10:56 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Ofer,

I have been able to address some but not all of your e-mail and I will
attempt to complete the reply over this weekend i.e. before 19 November.

Below is what I can address right at this moment:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

.        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception of WASC,
since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete project
ownership to OWASP i.e. "The OWASP Web Application Firewall Evaluation
Criteria" otherwise this (false) perception would remain?

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

.        Participation is open for all and does not require being an OWASP
or a WASC member.

Will I be able to present WAFEC at OWASP Conferences and Chapters?

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that
is UTC-11, time zone)

I believe the vote should be weighted somehow based on people's allegiance to
OWASP and/or WASC, otherwise the vote could be perceived as biased?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

RA
Robert A.
Mon, Nov 12, 2012 9:28 PM

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

·        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception of
WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please let
me know.

Open to Ofer's thoughts.

Regards,

- Robert Auger
CH
Christian Heinrich
Mon, Nov 12, 2012 11:14 PM

Ofer,

On Tue, Nov 13, 2012 at 8:13 AM, Ofer Shezaf ofer@shezaf.com wrote:

With regard to presenting WAFEC in OWASP events, I think this is an
important comment and my answer is that as a WAFEC project member you should
be able to and I will make sure this is known. I need to say I don't think
you are limited from presenting in OWASP meetings today - presentation is
not limited to OWASP members.

Yes I am, and this restriction was made up by the OWASP Board within
http://lists.owasp.org/pipermail/owasp-leaders/2012-February/006813.html
i.e. "disqualification from CFT/CFP for Global or Regional AppSec
events" (I'd assume this extends to Chapter events) and upheld when
my presentation on BSIMM was accepted for
https://www.owasp.org/index.php/AppSecAsiaPac2012.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

JG
Jeremiah Grossman
Tue, Nov 13, 2012 12:39 AM

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

·        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception of
WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please let
me know.

Open to Ofer's thoughts.

Regards,

- Robert Auger

Some may have this perception of WASC, no matter how undeserving it is. Despite this, WASC projects have a very high adoption rate in the industry by nature of the way the organization does things. This speaks to deliverable quality, and to me, this is what ultimately matters the most. This is what I wish for this project. When this many of the right kind of experts are brought together under a highly collaborative and peer reviewed environment, you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free to choose to contribute their time whenever and wherever they choose. Having said that, this is a project that "WASC" has voted to create and something it's committed to keeping under its label. While it's never been done before, there is nothing technically preventing a collaborative project with OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-

OS
Ofer Shezaf
Tue, Nov 13, 2012 6:19 AM

Bob and Jeremiah,

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joined project, I would take it as a way to convey his (valid) opinion about
the initiative.

Whether or not WASC carries a vendor perception is worth discussing,
probably more generally than the context of this thread and in the officers
list. However I would add that I don't see it necessarily as an issue but
rather stating an opinion.  People seem to prefer being able to classify
things in order to give them differentiating value and compartmentalizing
WASC in such a way makes it easier for people to relate. We may want to
divert that to "Security Gurus" categorization, but we certainly want a
distinction.

Specifically for WAFEC the vendor perspective is less a perspective and more
evident: on the WAFEC contributor list, more than half represent WAF
vendors. The same is true for people volunteering so far to write sections.

~ Ofer

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com]
Sent: Tuesday, November 13, 2012 2:40 AM
To: Robert A.
Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

.        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception
of WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please
let me know.

Open to Ofer's thoughts.

Regards,

- Robert Auger

Some may have this perception of WASC, no matter how undeserving it is.
Despite this, WASC projects have a very high adoption rate in the industry
by nature of the way the organization does things. This speaks to deliverable
quality, and to me, this is what ultimately matters the most. This is what I
wish for this project. When this many of the right kind of experts are
brought together under a highly collaborative and peer reviewed environment,
you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free to
choose to contribute their time whenever and wherever they choose. Having
said that, this is a project that "WASC" has voted to create and something
it's committed to keeping under its label. While it's never been done
before, there is nothing technically preventing a collaborative project with
OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-

IB
Ido Breger
Tue, Nov 13, 2012 6:29 AM

Yes
Ido Breger

From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Ofer Shezaf
Sent: Monday, November 12, 2012 12:18 PM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Hi All,

As promised I am opening the vote for making WAFEC a joined WASC and OWASP project.

The proposed guidelines for this more are (updated based on comments from the group and WASC officers):

  •     The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".

  •     Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The project leader is the arbitrator in case of a conflict (this change is based on a request by Jeremiah Grossman, WASC founder).

  •     Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I would go a step further: it is needed to ensure we actually succeed:

Why?

  •     Making it happen - we need more people. I now have two chapter assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.

  •     Outreach - people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

  •     Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project successfully otherwise.

~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]

CH
Christian Heinrich
Tue, Nov 13, 2012 7:48 AM

Ofer,

On Tue, Nov 13, 2012 at 5:19 PM, Ofer Shezaf ofer@shezaf.com wrote:

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joined project, I would take it as a way to convey his (valid) opinion about
the initiative.

In the context of the above (project name) item then no, I don't have
reservations about OWASP based on the reasons stated in your proposal,
hence my recommendation to remove WASC from the name of the (WAFEC)
project.

However, if WASC would like to a) remove the vendor perception and b)
promote it to the wider community then this could be (better) achieved
with end users (not vendors) presenting WAFEC at OWASP Chapters and
Conferences.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

OS
Ofer Shezaf
Tue, Nov 13, 2012 8:10 AM

Presenting WAFEC by someone who does not represent a vendor makes a lot of
sense. I would like to point out that there is no "WASC wants". WASC and WAFEC
are ours to make. WAFEC will be presented and promoted in conferences,
meetings, blogs etc. if any of us as individuals select to do so. I will, you
can, and everyone else is also more than welcome to.

~ Ofer

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Tuesday, November 13, 2012 9:49 AM
To: Ofer Shezaf
Cc: Jeremiah Grossman; Robert A.; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Ofer,

On Tue, Nov 13, 2012 at 5:19 PM, Ofer Shezaf ofer@shezaf.com wrote:

For better or worse I would not give Christian's suggestion to keep only
OWASP in the name a lot of weight (sorry Christian). It is not a
general opinion but a single voice. As Christian has reservations
about OWASP and hence a joined project, I would take it as a way to
convey his (valid) opinion about the initiative.

In the context of the above (project name) item then no, I don't have
reservations about OWASP based on the reasons stated in your proposal, hence
my recommendation to remove WASC from the name of the (WAFEC) project.

However, if WASC would like to a) remove the vendor perception and b)
promote it to the wider community then this could be (better) achieved
with end users (not vendors) presenting WAFEC at OWASP Chapters and
Conferences.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

AH
Achim Hoffmann
Tue, Nov 13, 2012 12:45 PM

Hi,

as we (OWASP Germany) are currently planning for AppSec EU2013, I can reserve
a slot for a talk/presentation and also for a one or half day training or workshop.

I guess another 6-8 months should be enough to bring the project to a valuable extent
and then present it.

Should we go for that?
I'd really like to push it and show it to a greater audience.

Achim

-------- Original Message --------
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Date: Tue, 13 Nov 2012 10:10:00 +0200
..
CC: wasc-wafec@lists.webappsec.org, wasc-members@webappsec.org

Presenting WAFEC by someone who does not represent a vendor makes a lot of
sense. I would like to point out that there is no "WASC wants". WASC and WAFEC
are ours to make. WAFEC will be presented and promoted in conferences,
meetings, blogs etc. if any of us as individuals select to do so. I will, you
can, and everyone else is also more than welcome to.

JG
Jeremiah Grossman
Tue, Nov 13, 2012 2:28 PM

I agree. This issue, if indeed it even is an issue, is part of a larger discussion about WASC and beyond WAFEC. I'm happy to share my opinion on the matter here.

WASC started as a group of people that had a vested interest in solving a particular problem in the industry, at the time, a nomenclature issue. Consumers were confused by the differing jargon between "us vendors." Again, at the time. So we got together to solve that problem in the shape of the Threat Classification. During the process of v1 and v2 of the project, of course no one, including non-vendors, was excluded from participating. What was most important was that the best experts in the world participated, who yes also happened to work for vendors, and collectively created something really good that could be quickly adopted. And, it worked.

WAFEC is essentially identical in this regard. That to me, is what WASC does. Each project operates extremely independently, with only the bare minimum of necessary oversight from the Officers.

So, while there may or may not be a vendor stigma associated with WASC, it hasn't prevented us from bringing together enough of the right kind of people with a vested interest in solving a problem, as is demonstrated here inside WAFEC. It hasn't prevented the creation and adoption of its projects. Perhaps the issue has prevented us from being successful in other ways, but not in the ways we valued most as an organization. WASC fills a very particular niche.

Simply the opinion of 1 WASC officer...

On Nov 12, 2012, at 10:19 PM, Ofer Shezaf wrote:

Bob and Jeremiah,

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joint project, I would take it as a way to convey his (valid) opinion about
the initiative.

Whether or not WASC carries a vendor perception is worth discussing,
probably more generally than the context of this thread and in the officers
list. However I would add that I don't see it necessarily as an issue but
rather stating an opinion.  People seem to prefer being able to classify
things in order to give them differentiating value and compartmentalizing
WASC in such a way makes it easier for people to relate. We may want to
divert that to "Security Gurus" categorization, but we certainly want a
distinction.

Specifically for WAFEC the vendor perspective is less a perspective and more
evident: on the WAFEC contributor list, more than half represent WAF
vendors. The same is true for people volunteering so far to write sections.

~ Ofer

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com]
Sent: Tuesday, November 13, 2012 2:40 AM
To: Robert A.
Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

·        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception
of WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please
let me know.

Open to Ofer's thoughts.

Regards,

- Robert Auger

Some may have this perception of WASC, no matter how undeserving it is.
Despite this, WASC projects have a very high adoption rate in the industry
by nature of the way the organization does things. This speaks to deliverable
quality, and to me, this is what ultimately matters the most. This is what I
wish for this project. When this many of the right kind of experts are
brought together under a highly collaborative and peer reviewed environment,
you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free to
choose to contribute their time whenever and wherever they choose. Having
said that, this is a project that "WASC" has voted to create and something
it's committed to keeping under its label. While it's never been done
before, there is nothing technically preventing a collaborative project with
OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-=

AH
Achim Hoffmann
Tue, Nov 13, 2012 3:20 PM

I fully agree with Jeremiah (as I remember the work on TCv1:)

For WAFEC we need the vendors as they can provide the most detailed information
on some technical things which need to be described correctly.

So far the concerns about "vendor biased comments" have been discussed on this list
and there is (at least seems to be) an agreement that very vendor-specific items
and not directly WAF-related items are put together in an Appendix (see mails from
Ofer and Christian).

Just my 2 pence ...
Achim

On 13.11.2012 15:28, Jeremiah Grossman wrote:

I agree. This issue, if indeed it even is an issue, is part of a larger discussion about WASC and beyond WAFEC. I'm happy to share my opinion on the matter here.

WASC started as a group of people that had a vested interest in solving a particular problem in the industry, at the time, a nomenclature issue. Consumers were confused by the differing jargon between "us vendors." Again, at the time. So we got together to solve that problem in the shape of the Threat Classification. During the process of v1 and v2 of the project, of course no one, including non-vendors, was excluded from participating. What was most important was that the best experts in the world participated, who yes also happened to work for vendors, and collectively created something really good that could be quickly adopted. And, it worked.

WAFEC is essentially identical in this regard. That to me, is what WASC does. Each project operates extremely independently, with only the bare minimum of necessary oversight from the Officers.

So, while there may or may not be a vendor stigma associated with WASC, it hasn't prevented us from bringing together enough of the right kind of people with a vested interest in solving a problem, as is demonstrated here inside WAFEC. It hasn't prevented the creation and adoption of its projects. Perhaps the issue has prevented us from being successful in other ways, but not in the ways we valued most as an organization. WASC fills a very particular niche.

Simply the opinion of 1 WASC officer...

On Nov 12, 2012, at 10:19 PM, Ofer Shezaf wrote:

Bob and Jeremiah,

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joint project, I would take it as a way to convey his (valid) opinion about
the initiative.

Whether or not WASC carries a vendor perception is worth discussing,
probably more generally than the context of this thread and in the officers
list. However I would add that I don't see it necessarily as an issue but
rather stating an opinion.  People seem to prefer being able to classify
things in order to give them differentiating value and compartmentalizing
WASC in such a way makes it easier for people to relate. We may want to
divert that to "Security Gurus" categorization, but we certainly want a
distinction.

Specifically for WAFEC the vendor perspective is less a perspective and more
evident: on the WAFEC contributor list, more than half represent WAF
vendors. The same is true for people volunteering so far to write sections.

~ Ofer

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com]
Sent: Tuesday, November 13, 2012 2:40 AM
To: Robert A.
Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

·        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception
of WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please
let me know.

Open to Ofer's thoughts.

Regards,

- Robert Auger

Some may have this perception of WASC, no matter how undeserving it is.
Despite this, WASC projects have a very high adoption rate in the industry
by nature of the way the organization does things. This speaks to deliverable
quality, and to me, this is what ultimately matters the most. This is what I
wish for this project. When this many of the right kind of experts are
brought together under a highly collaborative and peer reviewed environment,
you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free to
choose to contribute their time whenever and wherever they choose. Having
said that, this is a project that "WASC" has voted to create and something
it's committed to keeping under its label. While it's never been done
before, there is nothing technically preventing a collaborative project with
OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-=

DW
Dirk Wetter
Tue, Nov 13, 2012 5:20 PM

again here's my yes (whatever the child's name is gonna be)

Dirk

On 11/12/2012 11:17 AM, Ofer Shezaf wrote:

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and
OWASP project.

The proposed guidelines for this move are (updated based on comments
from the group and WASC officers):

·        The name, when affiliation is used, would be "The WASC/OWASP
Web Application Firewall Evaluation Criteria".

·        Governance would be mutual, i.e. any decision about the
project which is not within the project team itself has to be agreed
upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers.
The project leader is the arbitrator in case of a conflict (this change
is based on a request by Jeremiah Grossman, WASC founder).

·        Participation is open for all and does not require being an
OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I
would go a step further: it is needed to ensure we actually succeed:

Why?

·        Making it happen – we need more people. I now have two chapters
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.

·        Outreach – people in the application security community have
heard about OWASP, and joining hands with OWASP would enable leveraging
this to reach more people. This includes chapters outreach (from
Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in
local and global conferences.

·        Vendor image - WASC is perceived as a "vendors' organization"
and the list of participants in WAFEC certainly proves that. Affiliation
with OWASP will help popularize WAFEC also with customers, which I think
is very good for the project.

I must say I think it would be hard for me to complete the project
successfully otherwise.

~ Ofer

Ofer Shezaf

[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]


wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org

WT
Wujek, Thorsten [STEIN-IT GmbH]
Tue, Nov 13, 2012 8:27 PM

A yes is reasonable whether there are pros and cons.

Thorsten Wujek

Sent from my iPad
Tiny device, tiny mails.

On 13.11.2012 at 18:20, "Dirk Wetter" <spam@drwetter.org> wrote:

again here's my yes (whatever the child's name is gonna be)

Dirk

On 11/12/2012 11:17 AM, Ofer Shezaf wrote:

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and
OWASP project.

The proposed guidelines for this move are (updated based on comments
from the group and WASC officers):

·        The name, when affiliation is used, would be "The WASC/OWASP
Web Application Firewall Evaluation Criteria".

·        Governance would be mutual, i.e. any decision about the
project which is not within the project team itself has to be agreed
upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers.
The project leader is the arbitrator in case of a conflict (this change
is based on a request by Jeremiah Grossman, WASC founder).

·        Participation is open for all and does not require being an
OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I
would go a step further: it is needed to ensure we actually succeed:

Why?

·        Making it happen – we need more people. I now have two chapters
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.

·        Outreach – people in the application security community have
heard about OWASP, and joining hands with OWASP would enable leveraging
this to reach more people. This includes chapters outreach (from
Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in
local and global conferences.

·        Vendor image - WASC is perceived as a "vendors' organization"
and the list of participants in WAFEC certainly proves that. Affiliation
with OWASP will help popularize WAFEC also with customers, which I think
is very good for the project.

I must say I think it would be hard for me to complete the project
successfully otherwise.

~ Ofer

Ofer Shezaf

[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]


wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org

CH
Christian Heinrich
Tue, Nov 13, 2012 8:55 PM

Achim,

I would support speaking at this event provided we are not scheduled
during the break between the break and the evening social event again
i.e. http://www.appsecresearch.org/wafec-workshop-at-owasp-appsec-research-in-athens/
which your e-mail suggests would not be the case.

Based on https://lists.owasp.org/pipermail/global_conference_committee/2011-March/001122.html
I would expect that flights and accommodation for each presenter would
be paid for by OWASP and that the profit for delivering training would
be paid to WASC?

On Tue, Nov 13, 2012 at 11:45 PM, Achim Hoffmann websec10@sic-sec.org wrote:

Hi,

as we (OWASP Germany) are currently planning for AppSec EU2013, I can reserve
a slot for a talk/presentation and also for a one or half day training or workshop.

I guess another 6-8 months should be enough to bring the project to a valuable extent
and then present it.

Should we go for that?
I'd really like to push it and show it to a greater audience.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

OS
Ofer Shezaf
Tue, Nov 13, 2012 10:09 PM

I think that a presentation is a no-brainer. As to a workshop, since I really hope we would have a result to show, a workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has clear ideas as to what that would be, we can either launch that as a WAFEC initiative or leave it to anyone who thinks it is a good business to do.

~ Ofer

-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Tuesday, November 13, 2012 2:45 PM
To: wasc-wafec@lists.webappsec.org
Cc: 'Christian Heinrich'; Ofer Shezaf
Subject: WASC/OWASP Web,Application Firewall Evaluation Criteria at AppSec EU2013

Hi,

as we (OWASP Germany) are currently planning for AppSec EU2013, I can reserve a slot for a talk/presentation and also for a one or half day training or workshop.

I guess another 6-8 months should be enough to bring the project to a valuable extent and then present it.

Should we go for that?
I'd really like to push it and show it to a greater audience.

Achim

-------- Original Message --------
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Date: Tue, 13 Nov 2012 10:10:00 +0200
..
CC: wasc-wafec@lists.webappsec.org, wasc-members@webappsec.org

Presenting WAFEC by someone who does not represent a vendor makes a lot of sense. I would like to point out that there is no "WASC wants". WASC and WAFEC are ours to make. WAFEC will be presented and promoted in conferences, meetings, blogs etc. if any of us as individuals select to do so. I will, you can, and everyone else is also more than welcome to.

CH
Christian Heinrich
Tue, Nov 13, 2012 10:20 PM

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
    performing independent verification of WAFEC against WAF Vendor claim
    on behalf of an end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
    specific end user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I really hope we would have a result to show, a workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has clear ideas as to what that would be, we can either launch that as a WAFEC initiative or leave it to anyone who thinks it is a good business to do.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

RA
Robert A.
Tue, Nov 13, 2012 10:26 PM

Quick question.

Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess
I see it as a separate thing not directly associated/promoted by the
project itself.

Regards,

On Wed, 14 Nov 2012, Christian Heinrich wrote:

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
    performing independent verification of WAFEC against WAF Vendor claim
    on behalf of an end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
    specific end user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I really hope we would have a result to show, a workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has clear ideas as to what that would be, we can either launch that as a WAFEC initiative or leave it to anyone who thinks it is a good business to do.

CH
Christian Heinrich
Tue, Nov 13, 2012 10:28 PM

Robert,

I believe it should considering it would affect the WASC brand as part
of its promotion?

On Wed, Nov 14, 2012 at 9:26 AM, Robert A. robert@webappsec.org wrote:

Quick question.

Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess I
see it as a separate thing not directly associated/promoted by the project
itself.

Regards,

On Wed, 14 Nov 2012, Christian Heinrich wrote:

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
    performing independent verification of WAFEC against WAF Vendor claim
    on behalf of an end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
    specific end user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I
really hope we would have a result to show, a workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has clear ideas as to what that would be, we can either
launch that as a WAFEC initiative or leave it to anyone who thinks it is a
good business to do.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

OS
Ofer Shezaf
Tue, Nov 13, 2012 10:30 PM

I know who WAFEC's target audience is; however, I wonder what a paid
workshop on WAFEC would include.

~ Ofer

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Wednesday, November 14, 2012 12:20 AM
To: Ofer Shezaf
Cc: Achim Hoffmann; wasc-wafec@lists.webappsec.org
Subject: Re: WASC/OWASP Web,Application Firewall Evaluation Criteria at
AppSec EU2013

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc performing
    independent verification of WAFEC against WAF Vendor claim on behalf of an
    end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the specific end
    user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I
really hope we would have a result to show, a workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has clear ideas as to what that would be, we can either
launch that as a WAFEC initiative or leave it to anyone who thinks it is a
good business to do.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

OS
Ofer Shezaf
Tue, Nov 13, 2012 10:31 PM

I tend to agree. Generally speaking building a training material might be a
task within a project, however I am not sure how this would work for WAFEC.

~ Ofer

-----Original Message-----
From: Robert A. [mailto:robert@webappsec.org]
Sent: Wednesday, November 14, 2012 12:26 AM
To: Christian Heinrich
Cc: Ofer Shezaf; wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WASC/OWASP Web, Application Firewall Evaluation
Criteria at AppSec EU2013

Quick question.

Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess I
see it as a separate thing not directly associated/promoted by the project
itself.

Regards,

On Wed, 14 Nov 2012, Christian Heinrich wrote:

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
    performing independent verification of WAFEC against WAF Vendor claim
    on behalf of an end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
    specific end user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I
really hope we would have a result to show, a workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has clear ideas as to what that would be, we can either
launch that as a WAFEC initiative or leave it to anyone who thinks it is a
good business to do.

RA
Robert A.
Tue, Nov 13, 2012 10:34 PM

For some context.

Historically WASC has created content but hasn't promoted a product, service, workshop, or training event as part of the project. The purpose
of this is to remain vendor neutral as an organization. WASC's members have supported such things on their own (if they want), but the group as a
whole has never discussed supporting an event/product/service as part of a project.

I'm not trying to discourage such communication, just that we don't find ourselves doing this on behalf of WASC (without an officer vote since
this would be setting a precedent).

Ofer,
Comments/opinion?

Regards,

- Robert

On Wed, 14 Nov 2012, Christian Heinrich wrote:

Robert,

I believe it should considering it would affect the WASC brand as part
of its promotion?

On Wed, Nov 14, 2012 at 9:26 AM, Robert A. robert@webappsec.org wrote:

Quick question.

Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess I
see it as a separate thing not directly associated/promoted by the project
itself.

Regards,

On Wed, 14 Nov 2012, Christian Heinrich wrote:

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
    performing independent verification of WAFEC against WAF Vendor claim
    on behalf of an end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
    specific end user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I
really hope we would have a result to show, a workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has clear ideas as to what that would be, we can either
launch that as a WAFEC initiative or leave it to anyone who thinks it is a
good business to do.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

CH
Christian Heinrich
Wed, Nov 14, 2012 2:01 AM

Ofer,

On Wed, Nov 14, 2012 at 9:30 AM, Ofer Shezaf ofer@shezaf.com wrote:

I know who WAFEC's target audience is; however, I wonder what a paid
workshop on WAFEC would include.

I suspect it would be similar to being listed at
https://www.owasp.org/index.php/OWASP_Related_Commercial_Services i.e.
WASC would accredit NSS, ICSA, etc once they have attended the
workshop.

Another idea I just thought of would be to evaluate (as an example)
https://www.ironbee.com/ against WAFEC with the intended audience
being those who have no experience with (as an example)
https://www.ironbee.com/ hence they learn about both WAFEC and (as an
example) https://www.ironbee.com/ in the workshop.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

OS
Ofer Shezaf
Wed, Nov 14, 2012 9:31 AM

Christian,

I figured it out finally! The English accent you have is not Australian, it
is URLese! :-)

To the point:

  • I think that your idea about creating a workshop based on a test case of
    evaluating an open source WAF based on WAFEC is a good one. I would choose
    ModSecurity as it would be of interest to more people. As mentioned by
    Jeremiah and Bob, this is not an activity WASC would do, rather it can be an
    individual initiative. The closest we can get is creating the training
    materials. If there is a volunteer to do so, I am willing to include
    creating such training material in the project scope.

  • As to certifying test labs to do WAFEC evaluation: I think we should
    socialize WAFEC with them to use it as a reference in their work. Actual
    certification is complex, prone to create problems (legal comes to mind) and
    would probably not be endorsed by ICSA and NSS unless we make WAFEC
    ubiquitous. OWASP did not progress in this respect in any project as far as
    I know even though the issue is raised from time to time. To sum up: this is
    not something we are ready for.

~ Ofer

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Wednesday, November 14, 2012 4:02 AM
To: Ofer Shezaf
Cc: Achim Hoffmann; wasc-wafec@lists.webappsec.org
Subject: Re: WASC/OWASP Web,Application Firewall Evaluation Criteria at
AppSec EU2013

Ofer,

On Wed, Nov 14, 2012 at 9:30 AM, Ofer Shezaf ofer@shezaf.com wrote:

I know who WAFEC's target audience is; however, I wonder what a
paid workshop on WAFEC would include.

I suspect it would be similar to being listed at
https://www.owasp.org/index.php/OWASP_Related_Commercial_Services i.e.
WASC would accredit NSS, ICSA, etc once they have attended the workshop.

Another idea I just thought of would be to evaluate (as an example)
https://www.ironbee.com/ against WAFEC with the intended audience being
those who have no experience with (as an example) https://www.ironbee.com/
hence they learn about both WAFEC and (as an
example) https://www.ironbee.com/ in the workshop.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

AH
Achim Hoffmann
Wed, Nov 14, 2012 4:45 PM

Hi all,

when I was informing about the possibility of a "training or workshop" my intent was,
as Christian described, to bring together authors, contributors and friends.
I did not have in mind a traditional (OWASP) training which the audience has
to pay for.
However, I'm open to managing that too, but it should cover more than one product
to attract people.

A talk about the WAFEC work and result should then be done too.

Does this clarify things?
Achim

Am 13.11.2012 23:20, schrieb Christian Heinrich:

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
    performing independent verification of WAFEC against WAF Vendor claims
    on behalf of an end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
    specific end user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I really hope we would have a result to show, a workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has clear ideas as to what that would be, we can either launch that as a WAFEC initiative or leave it to anyone who thinks it is a good business to do.

...

On Tue, Nov 13, 2012 at 11:45 PM, Achim Hoffmann websec10@sic-sec.org wrote:

Hi,

as we (OWASP Germany) are currently planning for AppSec EU2013, I can reserve
a slot for a talk/presentation and also for a one or half day training or workshop.

OS
Ofer Shezaf
Wed, Nov 14, 2012 8:24 PM

Certainly. I think that this is what I understood as well. As a suggestion, maybe in order to provide context for such a workshop it can be set up as a panel (vendors or others).

~ Ofer

-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Wednesday, November 14, 2012 6:46 PM
To: wasc-wafec@lists.webappsec.org
Cc: Christian Heinrich; Ofer Shezaf
Subject: Re: WASC/OWASP Web,Application Firewall Evaluation Criteria at AppSec EU2013

Hi all,

when I was informing about the possibility of a "training or workshop" my intent was, as Christian described, to bring together authors, contributors and friends.
I did not have in mind a traditional (OWASP) training which the audience has to pay for.
However, I'm open to managing that too, but it should cover more than one product to attract people.

A talk about the WAFEC work and result should then be done too.

Does this clarify things?
Achim

Am 13.11.2012 23:20, schrieb Christian Heinrich:

Ofer,

I believe the intended audience of a workshop would be:

  1. WAF Vendor(s) preparing documentation to support WAFEC.
    2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
    performing independent verification of WAFEC against WAF Vendor claims
    on behalf of an end user.
    2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
    specific end user being Government.
  3. End User evaluating WAF solutions based on a combination of the above.

On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:

I think that a presentation is a no-brainer. As to a workshop, since I really hope we would have a result to show, a workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has clear ideas as to what that would be, we can either launch that as a WAFEC initiative or leave it to anyone who thinks it is a good business to do.

...

On Tue, Nov 13, 2012 at 11:45 PM, Achim Hoffmann websec10@sic-sec.org wrote:

Hi,

as we (OWASP Germany) are currently planning for AppSec EU2013, I can
reserve a slot for a talk/presentation and also for a one or half day training or workshop.

EH
Erwin Huber
Thu, Nov 15, 2012 9:57 AM

Dear WAFEC readers and contributors

I'm Erwin Huber - Head of R&D Web Application Security at Ergon Informatik AG.
Ergon is the vendor of the web application firewall Airlock. WAFs have been the
core of my professional life for the last 10 years.

My post comes at the last minute, since I didn't realize that WAFEC 2 was
growing. Sorry for that.

I appreciate the new approach for the document a lot. Focusing on benefits
rather than internals is a user-friendly approach.

In chapter 2.2 I suggest the following new Use Cases:
2.2.5 Authorization and Authentication
2.2.6 Architecture Masking
2.2.7 Data Leakage Prevention

Authorization and authentication is a relevant part of the "swiss-style" WAFs.
This is not only Airlock but also Nevis Proxy from Adnovum and Secure Entry
Server from United Security Providers. It's a good filtering technique to check
the users first if you know that only well-known users are allowed on a system.
Airport security does the same thing.

Architecture masking is a benefit that reverse proxies bring. There is
no information about what logic is implemented on which back-end system.

Today's WAFs (including Airlock) are not good at Data Leakage Prevention. But I
think an organisation has an interest in defining types of data which must not
leave the perimeter (e.g. unmasked credit card numbers).
Web applications are not the only path information can leave a system - so I'm
not sure, but it's at least worth discussing the issue.

2.3 Minimum Requirement
I don't think this is very useful. The minimum highly depends on the needs and
the use case. As a common minimum I see "do something more than a traditional
firewall on http/https checks". I just don't see the point.

3.3.1 Positive Security
What is the meaning of "URL rewrite and REST interface support"?

I propose as additional content in the paragraph "generic positive security" -
this might include automated general protection techniques such as cookie
protection, form parameter signatures, URL encryption/signing (workflow
binding, anti forceful browsing, anti-CSRF), declarative whitelisting (the
back-end application defines characteristics of parameters - such as pattern
in web forms 2.0).

3.3.5 Session Tracking
I propose the additional content "client fingerprinting".

I propose the additional paragraphs:
3.3.6 Content Modification
for DLP, hiding of error pages, ...
3.3.7 Upstream Authentication

4.3.2 Authentication Support
I'm astonished about the mention of NTLM. For me it's a bug, not a feature, to
allow NTLM authentication on a publicly accessible server. NTLM relaying is a
known real problem for more than 10 years. Even MS says "do not use NTLM".
Zack Fasel presented his "ZackAttack" tool at BlackHat 2012:
https://github.com/zfasel/ZackAttack
A good WAF must have the ability to prevent NTLM authentication - not allow
it.

I propose the additional paragraphs:
4.3.3 Application Monitoring and Load Balancing
Monitor the health state of a back-end server and take measures
(display not-available page, switch to another server instance, ...)

Defining more than one back-end host providing the same content allows an
SSL endpoint (such as a reverse proxy) to do session-aware load balancing. All requests
for the same user session are reliably served by the same back-end system.

5.1 Management
Why is there no mention for "web interface"?

6.1 Non-technical Criteria
(just a typo in the title)

I'd be more than happy to provide content for the additional sections I propose
above.

Any thoughts / comments on my propositions?

best regards
erwin
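As an added illustration of the "form parameter signatures", "URL signing" and "workflow binding" items Erwin proposes for the generic positive-security paragraph (example code written for this thread, not Airlock's, ModSecurity's or any WAFEC project code; the FormSigner class, its hidden-field names and the checkout form are hypothetical):

```python
import hashlib
import hmac
import secrets


class FormSigner:
    """Proxy-side signer for server-fixed form parameters (hypothetical, not a product API)."""

    SIG = "_wafsig"        # hidden field carrying the MAC
    EDITABLE = "_wafedit"  # hidden field listing the parameters the user may change

    def __init__(self, key=None):
        # Proxy-side secret; it is never sent to the browser.
        self.key = key or secrets.token_bytes(32)

    def _mac(self, session_id, action, fixed):
        # The MAC binds the fixed parameters to the user's session (workflow binding,
        # which also defeats cross-site forgery of the form) and to the action URL
        # (a signed form cannot be replayed against another URL).
        h = hmac.new(self.key, digestmod=hashlib.sha256)
        h.update(session_id.encode() + b"\x00" + action.encode())
        for name in sorted(fixed):
            value = str(fixed[name]).encode()
            # Length-prefix name and value so "a=bc" and "ab=c" cannot collide.
            h.update(len(name).to_bytes(4, "big") + name.encode())
            h.update(len(value).to_bytes(4, "big") + value)
        return h.hexdigest()

    def sign_form(self, session_id, action, fixed, editable):
        """Hidden fields the proxy injects into the form before it reaches the browser."""
        hidden = dict(fixed)
        hidden[self.EDITABLE] = ",".join(sorted(editable))
        hidden[self.SIG] = self._mac(session_id, action, hidden)
        return hidden

    def verify(self, session_id, action, submitted):
        """Return (accepted, reason) for the parameters of a submitted form."""
        if self.SIG not in submitted or self.EDITABLE not in submitted:
            return False, "missing signature fields"
        editable = {n for n in submitted[self.EDITABLE].split(",") if n}
        # Every parameter the user was not allowed to edit, including the editable
        # list itself, must be covered by the MAC; extra or missing ones change it.
        fixed = {k: v for k, v in submitted.items() if k not in editable and k != self.SIG}
        expected = self._mac(session_id, action, fixed)
        if not hmac.compare_digest(expected, submitted[self.SIG]):
            return False, "parameter signature mismatch"
        return True, "ok"


def demo():
    """Constructed checkout form: item and price are fixed, quantity is editable."""
    signer = FormSigner(key=b"constructed-demo-key-not-for-production")
    session, action = "sess-7f3a", "/checkout"
    hidden = signer.sign_form(session, action,
                              fixed={"item": "SKU-1001", "price": "49.90"},
                              editable={"quantity"})
    good = {**hidden, "quantity": "2"}
    without_sig = {k: v for k, v in good.items() if k != FormSigner.SIG}
    return {
        "legit": signer.verify(session, action, good)[0],
        "price_tampered": signer.verify(session, action, {**good, "price": "0.01"})[0],
        "editable_list_tampered": signer.verify(
            session, action, {**good, FormSigner.EDITABLE: "price,quantity", "price": "0.01"})[0],
        "other_session": signer.verify("sess-0000", action, good)[0],
        "other_action": signer.verify(session, "/admin/refund", good)[0],
        "extra_param": signer.verify(session, action, {**good, "admin": "1"})[0],
        "no_signature": signer.verify(session, action, without_sig)[0],
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:24s} -> {'accepted' if accepted else 'rejected'}")
```

Only the legitimate submission is accepted; the same MAC check covers a signed link's query parameters if the URL is treated as the "form".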
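Added example for the NTLM point above (written for this thread, not code from any WAF product or the WAFEC project): a reverse-proxy header check that refuses to forward NTLM authentication attempts and strips NTLM/Negotiate challenges from back-end responses. The function names are hypothetical and the header samples are constructed; it assumes Negotiate tokens are base64 blobs in which an NTLM message can be recognised by its leading "NTLMSSP\0" signature.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # leading bytes of every NTLM message


def carries_ntlm(header_value):
    """True if an Authorization or WWW-Authenticate value would start an NTLM exchange."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return True
    if scheme == "negotiate":
        # Negotiate usually carries SPNEGO; decode the token and look for an NTLM
        # message inside it, which also catches NTLM wrapped in a SPNEGO blob.
        try:
            raw = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            return False  # malformed token: leave it to generic input validation
        return NTLMSSP_SIGNATURE in raw
    return False


def filter_request(headers):
    """Return (forward, reason) for a client request; NTLM attempts are not forwarded."""
    for name, value in headers.items():
        if name.lower() in ("authorization", "proxy-authorization") and carries_ntlm(value):
            return False, "ntlm_authentication_attempt"
    return True, "ok"


def filter_response_challenges(challenges):
    """Strip NTLM and Negotiate challenges from a back-end 401 so a public client is
    never invited to start Windows integrated authentication through the proxy."""
    return [c for c in challenges if c.split(" ", 1)[0].lower() not in ("ntlm", "negotiate")]


def demo():
    """Constructed header samples; the tokens are synthetic, not captured traffic."""
    raw_ntlm_type1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 24
    # Pseudo-SPNEGO wrapper (constructed bytes, not a real DER structure) around the message.
    spnego_like = b"\x60\x28\x06\x06\x2b\x06\x01\x05\x05\x02" + raw_ntlm_type1
    b64 = lambda b: base64.b64encode(b).decode()
    return {
        "ntlm_scheme": filter_request({"Authorization": "NTLM " + b64(raw_ntlm_type1)})[0],
        "negotiate_raw_ntlm": filter_request({"Authorization": "Negotiate " + b64(raw_ntlm_type1)})[0],
        "negotiate_spnego_ntlm": filter_request({"Authorization": "Negotiate " + b64(spnego_like)})[0],
        "bearer": filter_request({"Authorization": "Bearer constructed-opaque-token"})[0],
        "basic": filter_request({"Authorization": "Basic dXNlcjpwYXNz"})[0],
        "challenges": filter_response_challenges(["Negotiate", "NTLM", 'Basic realm="intranet"']),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22s} -> {result}")
```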

OS
Ofer Shezaf
Thu, Nov 15, 2012 8:21 PM

Hi Erwin,

The document I shared is only an outline. I included some text to make the sections' intention clearer, but they are in no way comprehensive. The people volunteering to write the different sections will fill them in and I am sure will take your input into consideration.

To that end: do you want to take one of the remaining chapters to write? Should I list you on the contributors page (http://projects.webappsec.org/w/page/54150727/WAFEC%202)

I do have a few of your remarks outside of the context of a specific chapter:

  • With regard to your additions to the use cases chapter: we had a discussion about what to include in the definition and use cases for a WAF. This is not an easy subject and also prone to vendor bias (for each vendor, the functionality they provide is a WAF). The decision was to be restrictive to application protection as described in chapter 3 (which itself is still not written). As other features can be very beneficial to the customer as well, even for security, we decided to include all those in an appendix (6.1, "Integrated functionality"). In this framework, each of the additional features you suggest (Authorization and Authentication, DLP, Architecture masking, load balancing and application monitoring are those I noticed) should find their place in either section 3.3 if they offer a protection technique or in section 6.1 if they are complementary and of value but do not cover a threat.

  • Minimum requirements is indeed a challenging section, however I think it is important. Otherwise you will find that any IPS or network firewall can be labeled as a WAF (or an Espresso Machine :-))

  • Section 4.3 addresses compatibility with web applications rather than additional features for application delivery.

~ Ofer

-----Original Message-----
From: Erwin Huber [mailto:erwin.huber@ergon.ch]
Sent: Thursday, November 15, 2012 11:58 AM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: WAFEC 2 outline

Dear WAFEC readers and contributors

I'm Erwin Huber - Head of R&D Web Application Security at Ergon Informatik AG.
Ergon is the vendor of the web application firewall Airlock. WAFs have been the core of my professional life for the last 10 years.

My post comes at the last minute, since I didn't realize that WAFEC 2 was growing. Sorry for that.

I appreciate the new approach for the document a lot. Focusing on benefits rather than internals is a user-friendly approach.

In chapter 2.2 I suggest the following new Use Cases:
2.2.5 Authorization and Authentication
2.2.6 Architecture Masking
2.2.7 Data Leakage Prevention

Authorization and authentication is a relevant part of the "swiss-style" WAFs.
This is not only Airlock but also Nevis Proxy from Adnovum and Secure Entry Server from United Security Providers. It's a good filtering technique to check the users first if you know that only well-known users are allowed on a system.
Airport security does the same thing.

Architecture masking is a benefit that reverse proxies bring. There is no information about what logic is implemented on which back-end system.

Today's WAFs (including Airlock) are not good at Data Leakage Prevention. But I think an organisation has an interest in defining types of data which must not leave the perimeter (e.g. unmasked credit card numbers).
Web applications are not the only path information can leave a system - so I'm not sure, but it's at least worth discussing the issue.

2.3 Minimum Requirement
I don't think this is very useful. The minimum highly depends on the needs and the use case. As a common minimum I see "do something more than a traditional firewall on http/https checks". I just don't see the point.

3.3.1 Positive Security
What is the meaning of "URL rewrite and REST interface support"?

I propose as additional content in the paragraph "generic positive security" -
this might include automated general protection techniques such as cookie
protection, form parameter signatures, URL encryption/signing (workflow
binding, anti forceful browsing, anti-CSRF), declarative whitelisting (the
back-end application defines characteristics of parameters - such as pattern
in web forms 2.0).

3.3.5 Session Tracking
I propose the additional content "client fingerprinting".

I propose the additional paragraphs:
3.3.6 Content Modification
for DLP, hiding of error pages, ...
3.3.7 Upstream Authentication

4.3.2 Authentication Support
I'm astonished about the mention of NTLM. For me it's a bug, not a feature, to
allow NTLM authentication on a publicly accessible server. NTLM relaying is a
known real problem for more than 10 years. Even MS says "do not use NTLM".
Zack Fasel presented his "ZackAttack" tool at BlackHat 2012:
https://github.com/zfasel/ZackAttack
A good WAF must have the ability to prevent NTLM authentication - not allow
it.

I propose the additional paragraphs:
4.3.3 Application Monitoring and Load Balancing
Monitor the health state of a back-end server and take measures
(display not-available page, switch to another server instance, ...)

Defining more than one back-end host providing the same content allows an
SSL endpoint (such as a reverse proxy) to do session-aware load balancing. All requests
for the same user session are reliably served by the same back-end system.

5.1 Management
Why is there no mention for "web interface"?

6.1 Non-technical Criteria
(just a typo in the title)

I'd be more than happy to provide content for the additional sections I propose
above.

Any thoughts / comments on my propositions?

best regards
erwin

EH
Erwin Huber
Fri, Nov 16, 2012 12:43 PM

Hi Ofer

Thank you for your explanations.

I understand the neutrality vs. vendor conflict - I think there is no "real" objective view. Everyone has their own use cases and own solutions in mind - whether he is a vendor, a user of some concrete implementations or a consultant who likes some concepts and dislikes others.

When I have a look at the use cases ("Logging and Troubleshooting", "Attack Detection", "Attack Mitigation" and "Virtual Patching") then I think: why is "Virtual Patching" a use case on its own? Isn't it a specialized attack mitigation? The difference in virtual patching is that you know exactly what vulnerability the application has. In general mitigation you don't have to know that. In my eyes Authentication is a real "other" security use case, not just a specialized use case. I won't insist on that - just my thoughts.

I see the argumentation of "minimum requirements" - yes, an Espresso Machine must not be mistaken for a WAF ;-) Good argumentation. I think the differentiation should go into the "2.1 Definition". I understand a "definition" as more specific than minimal requirements. What would be written in one paragraph that doesn't fit in the other? There is a risk of writing the same thing twice in different words.

OK, security features are placed in 3.3 - other features in 6.1. The outline draft mentions "6.1 Non-Technical Criteria". The non-technical criteria are important - I would not skip that. So there is another 6.1 chapter? Since features are a technical criterion.

I volunteer to write the appendix "Additional Features", "Alternative and Complementary Solutions", "Non-technical criteria". At the moment I can't estimate "Testing Framework" and "Suggested Weighting Schemes". Maybe it's also possible for me to do - can you explain the ideas?

erwin

----- Original Message -----
From: "Ofer Shezaf" ofer@shezaf.com
To: "Erwin Huber" erwin.huber@ergon.ch
Cc: wasc-wafec@lists.webappsec.org
Sent: Thursday, November 15, 2012 9:21:38 PM
Subject: RE: WAFEC 2 outline

Hi Erwin,

The document I shared is only an outline. I included some text to make the sections' intention clearer, but they are in no way comprehensive. The people volunteering to write the different sections will fill them in and I am sure will take your input into consideration.

To that end: do you want to take one of the remaining chapters to write? Should I list you on the contributors page (http://projects.webappsec.org/w/page/54150727/WAFEC%202)

I do have a few of your remarks outside of the context of a specific chapter:

  • With regard to your additions to the use cases chapter: we had a discussion about what to include in the definition and use cases for a WAF. This is not an easy subject and also prone to vendor bias (for each vendor, the functionality they provide is a WAF). The decision was to be restrictive to application protection as described in chapter 3 (which itself is still not written). As other features can be very beneficial to the customer as well, even for security, we decided to include all those in an appendix (6.1, "Integrated functionality"). In this framework, each of the additional features you suggest (Authorization and Authentication, DLP, Architecture masking, load balancing and application monitoring are those I noticed) should find their place in either section 3.3 if they offer a protection technique or in section 6.1 if they are complementary and of value but do not cover a threat.

  • Minimum requirements is indeed a challenging section, however I think it is important. Otherwise you will find that any IPS or network firewall can be labeled as a WAF (or an Espresso Machine :-))

  • Section 4.3 addresses compatibility with web applications rather than additional features for application delivery.

~ Ofer

-----Original Message-----
From: Erwin Huber [mailto:erwin.huber@ergon.ch]
Sent: Thursday, November 15, 2012 11:58 AM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: WAFEC 2 outline

Dear WAFEC readers and contributors

I'm Erwin Huber - Head of R&D Web Application Security at Ergon Informatik AG.
Ergon is the vendor of the web application firewall Airlock. WAFs have been the core of my professional life for the last 10 years.

My post comes at the last minute, since I didn't realize that WAFEC 2 was growing. Sorry for that.

I appreciate the new approach for the document a lot. Focusing on benefits rather than internals is a user-friendly approach.

In chapter 2.2 I suggest the following new Use Cases:
2.2.5 Authorization and Authentication
2.2.6 Architecture Masking
2.2.7 Data Leakage Prevention

Authorization and authentication is a relevant part of the "swiss-style" WAFs.
This is not only Airlock but also Nevis Proxy from Adnovum and Secure Entry Server from United Security Providers. It's a good filtering technique to check the users first if you know that only well-known users are allowed on a system.
Airport security does the same thing.

Architecture masking is a benefit that reverse proxies bring. There is no information about what logic is implemented on which back-end system.

Today's WAFs (including Airlock) are not good at Data Leakage Prevention. But I think an organisation has an interest in defining types of data which must not leave the perimeter (e.g. unmasked credit card numbers).
Web applications are not the only path information can leave a system, so I'm not sure, but it's at least worth discussing the issue.

2.3 Minimum Requirement
I don't think this is very useful. The minimum highly depends on the needs and the use case. As a common minimum I see "do something more than a traditional firewall on http/https checks". I just don't see the point.

3.3.1 Positive Security
What is the meaning of "URL rewrite and REST interface support"?

I propose as additional content in the paragraph "generic positive security": this might include automated general protection techniques such as cookie protection, form parameter signatures, URL encryption/signing (workflow binding, anti forceful browsing, anti CSRF), declarative whitelisting (the back-end application defines characteristics of parameters, such as pattern in Web Forms 2.0).

3.3.5 Session Tracking
I propose the additional content "client fingerprinting".

I propose the additional paragraphs:
3.3.6 Content Modification
for DLP, hiding of error pages, ...
3.3.7 Upstream Authentication

4.3.2 Authentication Support
I'm astonished about the mention of NTLM. For me it's a bug, not a feature, to allow NTLM authentication on a publicly accessible server. NTLM relaying has been a known real problem for more than 10 years. Even MS says "do not use NTLM". Zack Fasel presented his "ZackAttack" tool at Black Hat 2012: https://github.com/zfasel/ZackAttack
A good WAF must have the ability to prevent NTLM authentication, not allow it.

I propose the additional paragraphs:
4.3.3 Application Monitoring and Load Balancing
Monitor the health state of a back-end server and take measures (display a not-available page, switch to another server instance, ...).

Defining more than one back-end host providing the same content allows an SSL endpoint (such as a reverse proxy) session-aware load balancing. All requests for the same user session reliably land on the same back-end system.

5.1 Management
Why is there no mention of "web interface"?

6.1 Non-technical Criteria
(just a typo in the title)

I'd be more than happy to provide content for the additional sections I propose above.

Any thoughts / comments on my propositions?

best regards
erwin
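The "generic positive security" techniques Erwin lists above (form parameter signatures, URL signing, workflow binding, anti forceful browsing, anti CSRF, declarative whitelisting) share one mechanism: the reverse proxy signs what it sends to the browser and, on the way back, accepts only what matches that signature. The block below is an added illustration of that mechanism and is not code from WAFEC, Airlock or any vendor on this list. It assumes a hypothetical hidden field (SIG_FIELD), a constructed signing key (WAF_KEY), and constructed session and item values; the function names sign_form and check_submission are likewise invented for the example. The token binds the permitted parameter names and any read-only values to both the session cookie and the form's action URL, so a submission from another session, to another endpoint, with an extra parameter, or with a changed read-only field is rejected before it reaches the application.

```python
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode

# Constructed key for this example only; a deployment would use a per-installation secret.
WAF_KEY = b"example-only-waf-signing-key"
SIG_FIELD = "__waf_sig"  # hypothetical name of the hidden field the proxy injects


def sign_form(session_id, action, params):
    """Build the hidden-field value the proxy injects into an outgoing HTML form.

    params maps each expected parameter name to a fixed value (read-only field,
    e.g. a hidden item id) or None (the user may edit it).  The spec is bound to
    the session cookie and to the form's action URL, so the token is useless from
    another session (anti-CSRF) and for another endpoint (workflow binding).
    """
    spec = {"s": session_id, "a": action, "p": params}
    body = json.dumps(spec, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(WAF_KEY, body, hashlib.sha256).digest()
    # urlsafe base64 never contains ".", so "." is a safe separator.
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def check_submission(session_id, action, raw_body):
    """Validate a submitted form body against its signature. Returns (accepted, reason)."""
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    token = fields.pop(SIG_FIELD, None)
    if token is None or "." not in token:
        return False, "missing signature"
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return False, "malformed signature"
    expected = hmac.new(WAF_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    spec = json.loads(body)  # trusted only after the MAC check above
    if not hmac.compare_digest(spec["s"].encode(), session_id.encode()):
        return False, "session mismatch"
    if spec["a"] != action:
        return False, "action mismatch"
    allowed = spec["p"]
    extra = sorted(set(fields) - set(allowed))
    if extra:
        return False, "unexpected parameter(s): " + ",".join(extra)
    for name, fixed in allowed.items():
        if fixed is not None and fields.get(name) != fixed:
            return False, "tampered read-only field: " + name
    return True, "ok"


def demo():
    """Run constructed submissions through the check; returns {case: (accepted, reason)}."""
    session = "sess-1234"  # constructed session cookie value
    token = sign_form(session, "/checkout", {"item": "sku-42", "qty": None})
    # Forge the MAC by changing its first base64 character (still valid base64).
    head, mac_part = token.rsplit(".", 1)
    forged = head + "." + ("B" if mac_part[0] == "A" else "A") + mac_part[1:]
    base = {"item": "sku-42", "qty": "2"}
    return {
        "valid": check_submission(session, "/checkout", urlencode({**base, SIG_FIELD: token})),
        "extra_param": check_submission(session, "/checkout",
                                        urlencode({**base, "price": "0", SIG_FIELD: token})),
        "readonly_changed": check_submission(session, "/checkout",
                                             urlencode({"item": "sku-99", "qty": "2", SIG_FIELD: token})),
        "other_session": check_submission("sess-9999", "/checkout", urlencode({**base, SIG_FIELD: token})),
        "other_action": check_submission(session, "/admin/refund", urlencode({**base, SIG_FIELD: token})),
        "forged_mac": check_submission(session, "/checkout", urlencode({**base, SIG_FIELD: forged})),
        "no_signature": check_submission(session, "/checkout", urlencode(base)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The same signed spec can carry a URL instead of a form (URL signing), and the read-only-value check is what Erwin calls declarative whitelisting in its simplest form; a proxy that also validated each editable field against a declared pattern would be the fuller version.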

CH
Christian Heinrich
Sat, Nov 17, 2012 4:25 AM

Ofer,

On Wed, Nov 14, 2012 at 8:31 PM, Ofer Shezaf ofer@shezaf.com wrote:

To the point:

  • I think that your idea about creating a workshop based on a test case of
    evaluating an open source WAF based on WAFEC is a good one. I would choose
    ModSecurity as it would be of interest to more people. As mentioned by
    Jeremiah and Bob, this is not an activity WASC would do, rather it can be an
    individual initiative. The closest we can get is creating the training
    materials. If there is a volunteer to do so, I am willing to include
    creating such training material in the project scope.

I believe selecting ModSecurity as the sole example is too much of a
risk to WAFEC based on the continued corrupt conduct of Tom Brennan
(Trustwave and OWASP Board) as demonstrated within
http://lists.owasp.org/pipermail/global-projects-committee/2011-September/002349.html,
etc.

That stated, and based on your long association with ModSecurity with
Breach, i.e. https://www.trustwave.com/pressReleases.php?n=062210,
there would be some value. Therefore, I believe we should open this
to other open source WAF examples, such as https://www.ironbee.com/,
etc., to make it fair to other open source vendors.

On Wed, Nov 14, 2012 at 8:31 PM, Ofer Shezaf ofer@shezaf.com wrote:

  • As to certifying test labs to do WAFEC evaluation: I think we should
    socialize WAFEC with them to use it as a reference in their work. Actual
    certification is complex, prone to create problems (legal comes to mind) and
    would probably not be endorsed by ICSA and NSS unless we make WAFEC
    ubiquitous. OWASP did not progress in this respect in any project as far as
    I know even though the issue is raised from time to time. To sum up: this is
    not something we are ready for.

I agree with the above. Ironically, the creator of their (OWASP)
Commercial Registry was also involved with Common Criteria and he left
the project and OWASP due to continued conflict with Dinis Cruz, who
continues to make hypocritical statements about OWASP to this day.

I would prefer that our roadmap included socialising with ICSA, NSS,
etc. for this upcoming release (v2), and that for the next release (v3) it is an
endorsed standard. Obviously ICSA, NSS, etc. could advise on what is
required and possibly sponsor WAFEC's delivery on this second point.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

CH
Christian Heinrich
Sat, Nov 17, 2012 5:42 AM

Achim,

It is interesting to note that OWASP blew $246,636.04 of vendor (i.e.
what OWASP accuses WASC of being) donations on their last (2nd) Summit,
i.e. https://lists.owasp.org/pipermail/committees-chairs/2011-July/000322.html,
without any promised tangible result or outcome, i.e.
http://lists.owasp.org/pipermail/owasp-summit-2011/2010-August/000025.html,
http://appsandsecurity.blogspot.com.au/2011/02/another-owasp-paperware-project-anyone.html,
etc., but at least the wife gets a holiday for free:
https://www.owasp.org/index.php/Summit_2011/External_Contractors#Sarah_Cruz

I am not against having a summit (at OWASP or somewhere else) provided
we avoid the poor and deliberate mistakes that OWASP has made time and
time again.

Let's wait until we get the draft together and then raise the
possibility of meeting in person.  If this is well before July, and it
should be, then let's aim for
https://www.owasp.org/index.php/AppSecEU2013 to discuss the final
version of WAFEC v2?

On Thu, Nov 15, 2012 at 3:45 AM, Achim Hoffmann websec10@sic-sec.org wrote:

Hi all,

when I was informing about the possibility of "training or workshop" my intent was,
as Christian described, to bring together authors, contributors and friends.
I did not have in mind a traditional (OWASP) training which the audience has
to pay for.
However, I'm open to managing that too, but it should cover more than one product
to attract people.

A talk about the WAFEC work and result should then be done too.

Does this clarify things?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

CH
Christian Heinrich
Sat, Nov 17, 2012 5:45 AM

Robert,

On Wed, Nov 14, 2012 at 9:34 AM, Robert A. robert@webappsec.org wrote:

I'm not trying to discourage such communication, just that we don't find
ourselves doing this on behalf of WASC (without an officer vote, since this
would be setting a precedent).

I would agree that it needs to go to a (WASC Office Bearer) vote but
would like this considered in the context that it is socialised with
NSS, ICSA, etc. first so that all the facts and information are known
during the development of WAFEC v3.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
