[WASC-WAFEC] WAFEC workshop in Athens

Christian Heinrich christian.heinrich at cmlh.id.au
Sun Nov 18 01:33:59 EST 2012


Ofer,

As OWASP are refusing to address this (which is clearly expected but
disappointing) I would like to add
http://www.cigital.com/justice-league-blog/2011/09/24/suggestions-for-esapi-2-1-and-beyond/
point of view in light of the claim that ESAPI is considered a
http://sourceforge.net/owasp/projects/Flagship/ which included
http://code.google.com/p/owasp-java-waf/ until Jim, Juan and I
separated it from ESAPI.

WASC should request that WAFEC be listed as a
http://sourceforge.net/owasp/projects/Flagship/ also.

https://lists.owasp.org/pipermail/esapi-dev/2011-August/001920.html
would also provide further supporting evidence of Aspect Security
abuse of their position within the OWASP GPC i.e. both Jason Li, Juan
and Arshan Dabirsiaghi are employees of Aspect Security and nor
has Juan made any progress with OWASP-Java-WAF since this dreadful
takeover from Jason Li i.e. since 1 August 2011 as per
http://code.google.com/p/owasp-java-waf/source/detail?r=7, yet ESAPI
is considered a Flagship Project and this isn't the first time Aspect
Security have been questioned on this appalling governance i.e.
http://lists.owasp.org/pipermail/owasp-board/2012-March/010800.html
(Jim Manico is a former Aspect Security employee).

I would also encourage you to listen to
https://www.owasp.org/download/jmanico/owasp_podcast_88.mp3 and aside
from the numerous project management mistakes that the GPC had made I
would encourage you to pay attention to where Jason Li clearly states
that the GPC does not interfere with the community of developers
around OWASP Projects yet Aspect Security consistently do this time
and time again as demonstrated above.

The OWASP GPC will deliver the same negative experience to WAFEC.

On Sun, Aug 26, 2012 at 6:41 PM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:
> Ofer,
>
> In light of their acknowledged poor WAF "source code" implementation
> (which OWASP tried to improve) and my positive proposal to consider it
> as part of WAFEC in light of its shortcomings i.e.
> https://lists.owasp.org/pipermail/esapi-dev/2011-March/001652.html
> then I can't provide comment on what improvements could be made to our
> (i.e. WAFEC/WASC) standing with OWASP without further objective
> information since I was not present at this OWASP session in Athens.
>
> I will encourage both Dr. Dirk Wetter and/or Sebastian Deleersnyder to
> provide their viewpoint?
>
> Apologies for the delay in responding but I am having trouble accessing
> "personal" internet during the weekdays due to my work location at the
> moment.  So expect my next reply to be sometime next weekend i.e. from
> 1 September
>
> On Sun, Aug 19, 2012 at 10:06 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>> Christian,
>>
>> It has nothing to do with OWASP. It's a basic right of the people
>> themselves. I am not saying they would object, I just don't see a huge value
>> in listing them given that I did not ask their permission in the 1st place.
>>
>> ~ Ofer
>>
>>
>> -----Original Message-----
>> From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au]
>> Sent: Sunday, August 19, 2012 1:34 PM
>> To: Ofer Shezaf
>> Cc: wasc-wafec at lists.webappsec.org
>> Subject: Re: [WASC-WAFEC] WAFEC workshop in Athens
>>
>> Ofer,
>>
>> I don't believe that OWASP would have an issue with publishing the names of
>> the other attendees considering the "O" in OWASP refers to "Open" in the
>> context of transparency.
>>
>> Perhaps Dr. Dirk Wetter and/or Sebastian Deleersnyder may recall their
>> names?
>>
>> On Sun, Aug 19, 2012 at 8:25 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>>> As to the other 4, I neglected to write down a list or ask them if
>>> they allow me to publish their participation.



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact