[WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Matthieu Estrade mestrade at apache.org
Sat Nov 17 09:14:30 EST 2012

Hi all,


Sorry for my late answer.


WASC is doing WAFEC and OWASP is also doing good job on WAF subject too. But
merging project is imho not a good idea because it’s not driven the same
way, WASC and OWASP are totally different organizations.


WASC is providing documents about web application security and stay vendors
neutral. OWASP get vendors sponsorship and is also providing tools like

I’m involved in WASC but I was also in OWASP French chapter, not for the
same goal and the same actions.


Then, to see so much discussion on this topic during the latest 2 weeks and
only 3 emails on the WAFEC 2 content, I would like to end this OWASP/WASC
topic and work on the real subject as soon as possible J


WAFEC 1 is well known not because of vendors inside, but because of the
content and how it’s used by people evaluating WAF.

Speaking as a vendor, more than 50% of people evaluating our product are
using WAFEC based document. They need something updated.

Speaking as an Opensource guy, my only goal Is make WAFEC 2 up to date with
new __security criteria__ we are now dealing with to make people doing the
GOOD choice on what they need. 


If others project want to use it as a referral, that’s a good thing. We will
also be able to point on others projects in WAFEC.

But a common project is imho not a good idea, the final cut must stay to the
WAFEC project leader. We don’t have enough community rules to drive it with
votes. Too complex, endless

Just look at this endless discussion on only one topic, what will happen on
each technical point ? We will release WAFEC 2 in 2016


I would prefer to start serious discussion with OWASP to see how we could
promote together our work.


So I vote to NO.




De : wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] De la part
de Ofer Shezaf
Envoyé : lundi 12 novembre 2012 11:18
À : wasc-wafec at lists.webappsec.org
Objet : [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project



Hi All,


As promised I am opening the vote for making WAFEC a joined WASC and OWASP


The proposed guidelines for this more are (updated based on comments from
the group and WASC officers):

·         The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

·         Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the
OWASP GPC (i.e. Project Committee) and by the WASC officers. The project
leader is the arbitrator in case of a conflict (this change is based on a
request by Jeremiah Grossman, WASC founder).

·         Participation is open for all and does not require being an OWASP
or a WASC member.


Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)


Now for my voting pitch:


I think the change is important and would benefit WAFEC tremendously. I
would go a step further it is needed to ensure we actually succeed:



·         Making it happen – we need more people. I now have two chapter
assigned and many are still waiting.  Joining hands with OWASP will make
joining the project appealing to many more people.


·         Outreach – people in the application security community have heard
about OWASP, and joining hands with OWASP would enable leveraging this to
reach more people. This includes chapters outreach (from Khartoum, The Sudan
to Omaha, Nebraska) as well as an official room in local and global


·         Vendor image - WASC is perceived as a "vendors' organization" and
the list of participants in WAFEC certainly proves that. Affiliation with
OWASP will

help popularize WAFEC also with customers, which I think is very good for
the project.


I must say I think it would be hard for me to complete the project
successfully otherwise. 


~ Ofer


Ofer Shezaf

[+972-54-4431119; ofer at shezaf.com, www.shezaf.com]


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/attachments/20121117/9154ac7c/attachment-0003.html>

More information about the wasc-wafec mailing list