[WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
mestrade at apache.org
Sat Nov 17 12:04:56 EST 2012
Hi Thom, list J
Im not sure (my English is bad) but I never said, or I wouldnt like to
said that OWASP was doing bad job in my previous email.
About OWASP/WASC, my first point was you cant compare an organization like
WASC, focused on providing documents about web app security products, with a
big organization like OWASP with board elections, internal process,
sponsorship program, chapters all over the world doing events, providing
documents, tools etc. And for me, two differents organizations driving a
common project can introduce some leading problem.
What is important for me is to keep WAFEC simple, as the v1 was, and not
transform it in a bigger and more complex document.
So a team working on improving content, using the mailing list, driven by
Ofer is for me a good deal.
Keeping it in WASC only is for me the way to keep the WASC spirit on WAFEC.
Here again, not because OWASP is doing bad job, just to limit side-effect of
two organizations driving a project.
Hope I was more clear J if not, feel free to answer.
De : Thomas Brennan [mailto:TBrennan at trustwave.com]
Envoyé : samedi 17 novembre 2012 17:02
À : Matthieu Estrade
Cc : Ofer Shezaf; wasc-wafec at lists.webappsec.org
Objet : Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Interesting thread; can you help me understand with clarification on two of
1 - "But merging project is imho not a good idea because its not driven the
same way, WASC and OWASP are totally different organizations."
Explain this; both are non-profits (OWASP had the same question that is
happening here and this was approved on our side) what is different about
the focus with the builder, breaker and defender buckets at OWASP it has a
little something for everyone these days focused on software security in all
Size is totally different, internal process, decisions, elections etc.
2 - "OWASP get vendors sponsorship and is also providing tools like
You mean supporters that include Boeing, UPS, FedEx, Best Buy, Mozilla, US
DHS, and 40+ Universities and industry providers is bad for the platform? Or
are you referring to OWASP investing in its core projects on behalf of our
Perception is reality so if we (OWASP Hat) are not doing a good job on the
public image I'm all ears/eyes I'll bring it to our board meetings were OPEN
The core community is so small working together as a professionals is
important to awareness regardless of the association flag and occasional
troll to the independant missions.
Obviously as a long time list(s) member I support this regardless of who I
work for (Disclaimer; Trustwave SpiderLabs the caretaker of the Apache
licensed Mod_Security and elected by membership OWASP volunteer)
Feel free to take this off-list if you want but others may also be
Enjoy the weekend.
On Nov 17, 2012, at 9:14 AM, "Matthieu Estrade" <mestrade at apache.org> wrote:
Sorry for my late answer.
WASC is doing WAFEC and OWASP is also doing good job on WAF subject too. But
merging project is imho not a good idea because its not driven the same
way, WASC and OWASP are totally different organizations.
WASC is providing documents about web application security and stay vendors
neutral. OWASP get vendors sponsorship and is also providing tools like
Im involved in WASC but I was also in OWASP French chapter, not for the
same goal and the same actions.
Then, to see so much discussion on this topic during the latest 2 weeks and
only 3 emails on the WAFEC 2 content, I would like to end this OWASP/WASC
topic and work on the real subject as soon as possible J
WAFEC 1 is well known not because of vendors inside, but because of the
content and how its used by people evaluating WAF.
Speaking as a vendor, more than 50% of people evaluating our product are
using WAFEC based document. They need something updated.
Speaking as an Opensource guy, my only goal Is make WAFEC 2 up to date with
new __security criteria__ we are now dealing with to make people doing the
GOOD choice on what they need.
If others project want to use it as a referral, thats a good thing. We will
also be able to point on others projects in WAFEC.
But a common project is imho not a good idea, the final cut must stay to the
WAFEC project leader. We dont have enough community rules to drive it with
votes. Too complex, endless
Just look at this endless discussion on only one topic, what will happen on
each technical point ? We will release WAFEC 2 in 2016
I would prefer to start serious discussion with OWASP to see how we could
promote together our work.
So I vote to NO.
De : wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] De la part
de Ofer Shezaf
Envoyé : lundi 12 novembre 2012 11:18
À : wasc-wafec at lists.webappsec.org
Objet : [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
As promised I am opening the vote for making WAFEC a joined WASC and OWASP
The proposed guidelines for this more are (updated based on comments from
the group and WASC officers):
· The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".
· Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the
OWASP GPC (i.e. Project Committee) and by the WASC officers. The project
leader is the arbitrator in case of a conflict (this change is based on a
request by Jeremiah Grossman, WASC founder).
· Participation is open for all and does not require being an OWASP
or a WASC member.
Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)
Now for my voting pitch:
I think the change is important and would benefit WAFEC tremendously. I
would go a step further it is needed to ensure we actually succeed:
· Making it happen we need more people. I now have two chapter
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.
· Outreach people in the application security community have heard
about OWASP, and joining hands with OWASP would enable leveraging this to
reach more people. This includes chapters outreach (from Khartoum, The Sudan
to Omaha, Nebraska) as well as an official room in local and global
· Vendor image - WASC is perceived as a "vendors' organization" and
the list of participants in WAFEC certainly proves that. Affiliation with
help popularize WAFEC also with customers, which I think is very good for
I must say I think it would be hard for me to complete the project
[+972-54-4431119; ofer at shezaf.com, www.shezaf.com]
wasc-wafec mailing list
wasc-wafec at lists.webappsec.org
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the wasc-wafec