[WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Ofer Shezaf ofer at shezaf.com
Sat Nov 17 11:29:12 EST 2012


Thanks Tom, I personally agree with you and does not fully understand
Matthieu and Stefano remarks. One statement Stefano made that does require
addressing is about lack of Consensus: it is a vote and I did not seek
consensus. That said, up to now I listed 14 Yes voters, and until today
nobody apart from Christian opposed (and even he never said “no”, though one
may surmise that at this point).


One area I do agree with Matthieu on is that I want to move to actual work.
To that end: please try to limit your participation in this discussion to
voting (Yes or No). Note that I did not “interpret” opinions as votes, so if
you did not explicitly vote I did not list you here:


~ Ofer


From: Thomas Brennan [mailto:TBrennan at trustwave.com] 
Sent: Saturday, November 17, 2012 6:02 PM
To: Matthieu Estrade
Cc: Ofer Shezaf; wasc-wafec at lists.webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project


Interesting thread; can you help me understand with clarification on two of
your statements;


1 - "But merging project is imho not a good idea because it’s not driven the
same way, WASC and OWASP are totally different organizations."


Explain this; both are non-profits (OWASP had the same question that is
happening here and this was approved on our side) what is different about
the focus with the builder, breaker and defender buckets at OWASP it has a
little something for everyone these days focused on software security in all


2 - "OWASP get vendors sponsorship and is also providing tools like


You mean supporters that include Boeing, UPS, FedEx, Best Buy, Mozilla, US
DHS, and 40+ Universities and industry providers is bad for the platform? Or
are you referring to OWASP investing in its core projects on behalf of our
mission https://www.owasp.org/index.php/Projects_Reboot_2012


Perception is reality so if we (OWASP Hat) are not doing a good job on the
public image I'm all ears/eyes I'll bring it to our board meetings were OPEN




The core community is so small working together as a professionals is
important to awareness regardless of the association flag and occasional
troll to the independant missions.


Obviously as a long time list(s) member I support this regardless of who I
work for (Disclaimer; Trustwave SpiderLabs the caretaker of the Apache
licensed Mod_Security and elected by membership OWASP volunteer)


Feel free to take this off-list if you want but others may also be


Enjoy the weekend. 


Tom Brennan 



On Nov 17, 2012, at 9:14 AM, "Matthieu Estrade" <mestrade at apache.org
<mailto:mestrade at apache.org> > wrote:

Hi all,


Sorry for my late answer.


WASC is doing WAFEC and OWASP is also doing good job on WAF subject too. But
merging project is imho not a good idea because it’s not driven the same
way, WASC and OWASP are totally different organizations.


WASC is providing documents about web application security and stay vendors
neutral. OWASP get vendors sponsorship and is also providing tools like

I’m involved in WASC but I was also in OWASP French chapter, not for the
same goal and the same actions.


Then, to see so much discussion on this topic during the latest 2 weeks and
only 3 emails on the WAFEC 2 content, I would like to end this OWASP/WASC
topic and work on the real subject as soon as possible :)


WAFEC 1 is well known not because of vendors inside, but because of the
content and how it’s used by people evaluating WAF.

Speaking as a vendor, more than 50% of people evaluating our product are
using WAFEC based document. They need something updated.

Speaking as an Opensource guy, my only goal Is make WAFEC 2 up to date with
new __security criteria__ we are now dealing with to make people doing the
GOOD choice on what they need. 


If others project want to use it as a referral, that’s a good thing. We will
also be able to point on others projects in WAFEC.

But a common project is imho not a good idea, the final cut must stay to the
WAFEC project leader. We don’t have enough community rules to drive it with
votes. Too complex, endless

Just look at this endless discussion on only one topic, what will happen on
each technical point ? We will release WAFEC 2 in 2016


I would prefer to start serious discussion with OWASP to see how we could
promote together our work.


So I vote to NO.




De : wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] De la part
de Ofer Shezaf
Envoyé : lundi 12 novembre 2012 11:18
À : wasc-wafec at lists.webappsec.org <mailto:wasc-wafec at lists.webappsec.org> 
Objet : [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project



Hi All,


As promised I am opening the vote for making WAFEC a joined WASC and OWASP


The proposed guidelines for this more are (updated based on comments from
the group and WASC officers):

*         The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

*         Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the
OWASP GPC (i.e. Project Committee) and by the WASC officers. The project
leader is the arbitrator in case of a conflict (this change is based on a
request by Jeremiah Grossman, WASC founder).

*         Participation is open for all and does not require being an OWASP
or a WASC member.


Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)


Now for my voting pitch:


I think the change is important and would benefit WAFEC tremendously. I
would go a step further it is needed to ensure we actually succeed:



*         Making it happen – we need more people. I now have two chapter
assigned and many are still waiting.  Joining hands with OWASP will make
joining the project appealing to many more people.


*         Outreach – people in the application security community have heard
about OWASP, and joining hands with OWASP would enable leveraging this to
reach more people. This includes chapters outreach (from Khartoum, The Sudan
to Omaha, Nebraska) as well as an official room in local and global


*         Vendor image - WASC is perceived as a "vendors' organization" and
the list of participants in WAFEC certainly proves that. Affiliation with
OWASP will

help popularize WAFEC also with customers, which I think is very good for
the project.


I must say I think it would be hard for me to complete the project
successfully otherwise. 


~ Ofer


Ofer Shezaf

[+972-54-4431119; ofer at shezaf.com <mailto:ofer at shezaf.com> , www.shezaf.com
<http://www.shezaf.com> ]


wasc-wafec mailing list
wasc-wafec at lists.webappsec.org <mailto:wasc-wafec at lists.webappsec.org> 



This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/attachments/20121117/4f67feae/attachment-0003.html>

More information about the wasc-wafec mailing list