[WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Thomas Brennan TBrennan at trustwave.com
Sat Nov 17 11:01:33 EST 2012

Interesting thread; can you help me understand, with clarification, two of your statements:

1 - "But merging projects is imho not a good idea because it's not driven the same way; WASC and OWASP are totally different organizations."

Explain this; both are non-profits (OWASP had the same question that is happening here, and this was approved on our side). What is different about the focus? With the builder, breaker and defender buckets at OWASP, it has a little something for everyone these days, focused on software security in all forms.

2 - "OWASP gets vendor sponsorship and is also providing tools like vendors…"

You mean supporters that include Boeing, UPS, FedEx, Best Buy, Mozilla, US DHS, and 40+ universities and industry providers are bad for the platform? Or are you referring to OWASP investing in its core projects on behalf of our mission? https://www.owasp.org/index.php/Projects_Reboot_2012

Perception is reality, so if we (OWASP hat) are not doing a good job on the public image I'm all ears/eyes; I'll bring it to our board meetings, we're OPEN.


The core community is so small that working together as professionals is important to awareness, regardless of the association flag and the occasional troll to the independent missions.

Obviously, as a long-time list(s) member I support this regardless of who I work for (Disclaimer: Trustwave SpiderLabs, the caretaker of the Apache-licensed ModSecurity, and elected-by-membership OWASP volunteer).

Feel free to take this off-list if you want but others may also be interested.

Enjoy the weekend.

Tom Brennan

On Nov 17, 2012, at 9:14 AM, "Matthieu Estrade" <mestrade at apache.org> wrote:

Hi all,

Sorry for my late answer.

WASC is doing WAFEC and OWASP is also doing a good job on the WAF subject too. But merging projects is imho not a good idea because it's not driven the same way; WASC and OWASP are totally different organizations.

WASC is providing documents about web application security and stays vendor neutral. OWASP gets vendor sponsorship and is also providing tools like vendors…
I'm involved in WASC, but I was also in the OWASP French chapter, not for the same goal and the same actions.

Then, to see so much discussion on this topic during the last 2 weeks and only 3 emails on the WAFEC 2 content, I would like to end this OWASP/WASC topic and work on the real subject as soon as possible :)

WAFEC 1 is well known not because of the vendors inside, but because of the content and how it's used by people evaluating WAFs.
Speaking as a vendor, more than 50% of the people evaluating our product are using a WAFEC-based document. They need something updated.
Speaking as an open source guy, my only goal is to make WAFEC 2 up to date with the new __security criteria__ we are now dealing with, to help people make the GOOD choice on what they need.

If other projects want to use it as a reference, that's a good thing. We will also be able to point to other projects in WAFEC.
But a common project is imho not a good idea; the final cut must stay with the WAFEC project leader. We don't have enough community rules to drive it with votes. Too complex, endless…
Just look at this endless discussion on only one topic; what will happen on each technical point? We will release WAFEC 2 in 2016…

I would prefer to start serious discussion with OWASP to see how we could promote together our work.

So I vote NO.


From: wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] On behalf of Ofer Shezaf
Sent: Monday, November 12, 2012 11:18
To: wasc-wafec at lists.webappsec.org
Subject: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Hi All,

As promised, I am opening the vote for making WAFEC a joint WASC and OWASP project.

The proposed guidelines for this move are (updated based on comments from the group and WASC officers):

• The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".

• Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The project leader is the arbitrator in case of a conflict (this change is based on a request by Jeremiah Grossman, WASC founder).

• Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is UTC-11, time zone).

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I would go a step further: it is needed to ensure we actually succeed:

• Making it happen – we need more people. I now have two chapters assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.

• Outreach – people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapter outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

• Vendor image – WASC is perceived as a "vendors' organization", and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project successfully otherwise.

~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer at shezaf.com, www.shezaf.com]
