[WASC-WAFEC] Question about WAFEC.

Christian Heinrich christian.heinrich at cmlh.id.au
Thu Jun 19 00:29:00 EDT 2014


I have made the assumption that:

1. You're an experienced end user of ModSecurity i.e.

2. ... and also the developer of http://waf-fle.org/about/ i.e. a
ModSecurity Console which is GNUv3 licensed i.e.

I am seeking end users i.e. 1. above

Therefore, the conflict of interest would be 2. which could be
resolved if the other developers of competing ModSecurity Console(s),
such as http://www.jwall.org/, etc.

If this can't be resolved without dispute then I could credit your
[accepted] contribution as a ModSecurity "Independent Developer" (i.e.
not the vendor Trustwave) since I would like to declare any possible
bias, even unintended, within WAFECv2.

The "Independent Developer" classification is different from the
contributions made by vendors themselves such as Imperva, Trustwave
and possibly https://www.ironbee.com/ i.e. Qualys, etc.

I have no issue if you would like to highlight that you contributed x,
y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
to click a link which would also provide a list of other possible
solution(s) that adhered to x, y and z of which the other vendors
would have to undertake their own evaluation with an independent
testing authority.

Does this seem reasonable?

On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
<klaubert at gmail.com> wrote:
> Christian,
> If it is good to you, I'd like to join you to complete and review the WAFEC (I
> have missed your last mail, sorry to not answer before).
> And I expect to have some time in these months too.
> Best regards,
> Klaubert Herr
> http://waf-fle.org
> On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich
> <christian.heinrich at cmlh.id.au> wrote:
>> Ofer,
>> Achim has also offered to assist.
>> It would appear that I have some spare cycles over July and August so
>> I would like to kick off then.
>> Is WASC and the community ok with this?
>> On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
>> <christian.heinrich at cmlh.id.au> wrote:
>> > Ofer,
>> >
>> > I would like to see WAFEC v2 released in 2014 and would like to share
>> > leadership with two (or more) end users for objectivity?
>> >
>> > I would like to see the other people volunteering commit to reviewing
>> > the mail archive from the kick off onwards i.e.
>> >
>> > http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
>> > onwards as this has captured a lot of knowledge on the content
>> > proposed for v2.
>> >
>> > Is there a formal process defined within
>> > http://www.webappsec.org/aboutus.shtml or elsewhere?
>> >
>> > On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf <ofer at shezaf.com> wrote:
>> >> I guess that after a year or more of little progress, I need to admit
>> >> that we have stalled. The information as it appears on the OWASP
>> >> project page ([1]) and the WASC wiki page ([2]) is mostly the latest
>> >> available. I have a bit more which was submitted and is waiting for
>> >> publication for review, but nothing significant. While it is always
>> >> high on my to do list, it is never high enough. WAFs and application
>> >> security in general are not my day work but just a hobby and this has
>> >> its toll. I think that project certainly needs someone fresh to take
>> >> over. Any volunteer?
>> --
>> Regards,
>> Christian Heinrich
>> http://cmlh.id.au/contact

Christian Heinrich

