[WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Achim Hoffmann websec10 at sic-sec.org
Tue Nov 13 10:20:11 EST 2012


I fully agree with Jeremiah (as I remember the work on TCv1:)

For WAFEC we need the vendors as they can provide the most detailed information
on some technical things which need to be described correctly.

So far the concerns about "vendor biased comments" have been discussed on this list
and there is (at least seems to be) an agreement that very vendor-specific items
and not directly WAF-related items are put together in an Appendix (see mails from
Ofer and Christian).

Just my 2 pence ...
Achim

Am 13.11.2012 15:28, schrieb Jeremiah Grossman:
> I agree. This issue, if indeed it even is an issue, is part of a larger discussion about WASC and beyond WAFEC. I'm happy to share my opinion on the matter here. 
> 
> WASC started as a group of people that had a vested interest in solving a particular problem in the industry, at the time, a nomenclature issue. Consumers were confused by the differing jargon between "us vendors." Again, at the time. So we got together to solve that problem in the shape of the Threat Classification. During the process of v1 and v2 of the project, of course no one, including non-vendors, was excluded from participating. What was most important was that the best experts in the world participated, who yes also happened to work for vendors, and collectively created something really good that could be quickly adopted. And, it worked.
> 
> WAFEC is essentially identical in this regard. That to me, is what WASC does. Each project operates extremely independently, with only the bare minimum of necessary oversight from the Officers.
> 
> So, while there may or may not be a vendor stigma associated with WASC, it hasn't prevented us from bringing together enough of the right kind of people with a vested interest in solving a problem. As is demonstrated here inside WAFEC. It hasn't prevented the creation and adoption of its projects. Perhaps the issue has prevented us from being successful in other ways, but not in the ways we valued most as an organization. WASC fills a very particular niche.
> 
> Simply the opinion of 1 WASC officer... 
> 
> 
> On Nov 12, 2012, at 10:19 PM, Ofer Shezaf wrote:
> 
>>
>> Bob and Jeremiah,
>>
>> For better or worse I would not give Christian's suggestion to keep only OWASP
>> in the name a lot of weight (sorry Christian). It is not a general opinion
>> but a single voice. As Christian has reservations about OWASP and hence a
>> joint project, I would take it as a way to convey his (valid) opinion about
>> the initiative.
>>
>> Whether or not WASC carries a vendor perception is worth discussing,
>> probably more generally than the context of this thread and in the officers
>> list. However I would add that I don't see it necessarily as an issue but
>> rather stating an opinion.  People seem to prefer being able to classify
>> things in order to give them differentiating value and compartmentalizing
>> WASC in such a way makes it easier for people to relate. We may want to
>> divert that to "Security Gurus" categorization, but we certainly want a
>> distinction. 
>>
>> Specifically for WAFEC the vendor perspective is less a perspective and more
>> evident: on the WAFEC contributor list, more than half represent WAF
>> vendors. The same is true for people volunteering so far to write sections. 
>>
>> ~ Ofer
>>
>> -----Original Message-----
>> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
>> Sent: Tuesday, November 13, 2012 2:40 AM
>> To: Robert A.
>> Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec at lists.webappsec.org;
>> wasc-members at webappsec.org
>> Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
>>
>>
>> On Nov 12, 2012, at 1:28 PM, Robert A. wrote:
>>
>>>
>>>> On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>>>>> .         The name, when affiliation is used, would be "The WASC/OWASP Web
>>>>> Application Firewall Evaluation Criteria".
>>>>
>>>> This doesn't resolve the issue around the (false) vendor perception 
>>>> of WASC, since "WASC" would still be quoted within the project title.
>>>>
>>>> Hence, I would recommend that we remove "WASC" and give complete 
>>>> project ownership to OWASP i.e. "The OWASP Web Application Firewall 
>>>> Evaluation Criteria" otherwise this (false) perception would remain?
>>>
>>> If there's a perception issue of WASC (which I haven't seen for a few 
>>> years now myself), I don't think the answer is for us to abandon our 
>>> successful projects entirely to OWASP. If I'm misunderstanding please 
>>> let me know.
>>>
>>> Open to Ofer's thoughts.
>>>
>>> Regards,
>>> - Robert Auger
>>
>> Some may have this perception of WASC, no matter how undeserving it is.
>> Despite this, WASC projects have a very high adoption rate in the industry
>> by nature of the way the organization does things. This speaks to deliverable
>> quality, and to me, this is what ultimately matters the most. This is what I
>> wish for this project. When this many of the right kind of experts are
>> brought together under a highly collaborative and peer reviewed environment,
>> you can't help but get this outcome.
>>
>> Of course as this is an all volunteer project, people are of course free to
>> choose to contribute their time whenever and wherever they choose. Having
>> said that, this is a project that "WASC" has voted to create and something
>> it's committed to keeping under its label. While it's never been done
>> before, there is nothing technically preventing a collaborative project with
>> OWASP provided that's what the group chooses to do.
>>
>> Regards,
>>
>> Jeremiah
