[WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Ofer Shezaf ofer at shezaf.com
Tue Nov 13 01:19:42 EST 2012

Bob and Jeremiah,

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joint project, I would take it as a way to convey his (valid) opinion about
the initiative.

Whether or not WASC carries a vendor perception is worth discussing,
probably more generally than the context of this thread and in the officers
list. However I would add that I don't see it necessarily as an issue but
rather stating an opinion. People seem to prefer being able to classify
things in order to give them differentiating value and compartmentalizing
WASC in such a way makes it easier for people to relate. We may want to
divert that to "Security Gurus" categorization, but we certainly want a

Specifically for WAFEC the vendor perspective is less a perspective and more
evident: on the WAFEC contributor list, more than half represent WAF
vendors. The same is true for people volunteering so far to write sections. 

~ Ofer

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: Tuesday, November 13, 2012 2:40 AM
To: Robert A.
Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec at lists.webappsec.org;
wasc-members at webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

>> On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>>> .         The name, when affiliation is used, would be "The WASC/OWASP
>>> Application Firewall Evaluation Criteria".
>> This doesn't resolve the issue around the (false) vendor perception 
>> of WASC, since "WASC" would still be quoted within the project title.
>> Hence, I would recommend that we remove "WASC" and give complete 
>> project ownership to OWASP i.e. "The OWASP Web Application Firewall 
>> Evaluation Criteria" otherwise this (false) perception would remain?
> If there's a perception issue of WASC (which I haven't seen for a few 
> years now myself), I don't think the answer is for us to abandon our 
> successful projects entirely to OWASP. If I'm misunderstanding please 
> let me know.
> Open to Ofer's thoughts.
> Regards,
> - Robert Auger

Some may have this perception of WASC, no matter how undeserving it is.
Despite this, WASC projects have a very high adoption rate in the industry
by nature of the way the organization does things. This speaks to deliverable
quality, and to me, this is what ultimately matters the most. This is what I
wish for this project. When this many of the right kind of experts are
brought together under a highly collaborative and peer reviewed environment,
you can't help but get this outcome.

Of course, as this is an all-volunteer project, people are of course free
to choose to contribute their time whenever and wherever they choose. Having
said that, this is a project that "WASC" has voted to create and something
it's committed to keeping under its label. While it's never been done
before, there is nothing technically preventing a collaborative project with
OWASP provided that's what the group chooses to do.


