[WASC-WAFEC] WAFEC mailing list changed to "emergency moderation" mode

Ofer Shezaf ofer at shezaf.com
Mon Nov 19 08:31:02 EST 2012

Hi All,

I have used mailman aptly named "emergency moderation" mode, which mailman
manual suggest to "Turn this option on when your list is experiencing a
flamewar and you want a cooling off period.". While I don't want this to be
the normal mode of things, I think it is best for WAFEC success at this

Andrew - nothing personal - I understand how hard it is to avoid answering,
it is just that I feel this would open another can of worms not relevant to
this list.

~ Ofer

-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] On Behalf
Of vanderaj vanderaj
Sent: Monday, November 19, 2012 3:15 PM
To: wasc-wafec at lists.webappsec.org
Subject: [WASC-WAFEC] Links to history

Hi folks,

I note that Christian again brings me up as some sort of evidence against
Aspect or someone or some company doing something I really don't understand
or care about. I don't know why there is such a focus on this stuff and the
past, but it's just absolute rubbish.

Christian, please stop referring to me in your mails about OWASP.
There's no conspiracy here when everything you posit is more easily
explained by changes in personal lives (like my daughter being born, moving
countries, marital situation associated with a  health issue I'm not going
to disclose on a public mailing list, personal interests changing, and when
the personal itch to do something evaporates.) Folks come and go from all
vibrant open source projects. That is expected and natural.

What is not expected is that I would be brought up as some sort of evidence
of I don't know what on a project I have nothing really to do with, but wish
only the best for. I bet this noise is a distraction that the WAFEC
contributors could easily do without.

Jeff and Dave from Aspect contributed greatly to the formation and early
years of OWASP, contributing many of their own materials that are the basis
of what most of you consider to be OWASP materials as if these came unbidden
from whole cloth. We all stand on the shoulders of giants, including one
6'7" tall giant. I consider them friends, and I had a great time living in
the US whilst working for them. Does this make me biased? You betchya.

Correlation is not causation. You can't hire secure coding ninjas without
hiring someone who has a longish history with OWASP even if that history is
not precisely with OWASP. Christian correctly points out that Trustwave has
this exalted position right now because they've been hiring anyone with a
pulse who can spell "code review", and guess what, they hired OWASP project
leads and other ninjas, too. And accidentally a few zombies, because they
forgot to take their pulse before doing reference checks on Linked In but
not noticing their interest in brains along with a mandatory lolcats quota.

It's not surprising that at least a few long term project leaders /
contributors would be involved in committees or the board. Does this mean
OWASP is a stooge to vested interests? No one bothered to send me the memo
for sure. Not then, not now. The idea is ludicrous. I had to register as an
honorary member three times just so I could vote.
Organizations who can't keep a good record of project leads have no chance
of being led successfully by an underground secret cabal. The very idea of a
secret cabal leading OWASP (or this project!) makes me smile a big broad
grin whilst feeling sad for those who think there is such a thing. Cat
herding at its finest. If Mark Curphey couldn't do it three times, what
chance has anyone else got?

Seriously, firms are encouraged to make fees from performing services based
off freely available OWASP materials. This is the services model that
underpins the open source community. No one is forced to buy from you, and
if someone else does a better job, then they get the work.
Many DAST tools offer "OWASP Top 10" scans. Does anyone ping IBM or HP or
... or ... for making money off OWASP materials? No, of course not.
Would I like to see IBM or HP offer to help WASC or OWASP more in terms of
contributing people to projects like Aspect or Trustwave do?
You betchya.

People use open source licensed OWASP materials in a way that constantly
surprises and amazes me. As a content creator who gives away his effort in
the hope it will be used, there's no higher reward.
Why the double standard for Aspect or Trustwave? I don't think it really
matters. Those who contribute are feted and promoted as per every other open
source project. I bet WASC is no different.

I wish the WASC guys and the WAFEC effort all the very best. They do good
work on an important topic, and those who do stuff ... win. I look forward
to seeing it finished and widely adopted.

Good luck folks!


wasc-wafec mailing list
wasc-wafec at lists.webappsec.org

More information about the wasc-wafec mailing list