[WASC-WAFEC] Question about WAFEC.

Robert A. robert at webappsec.org
Thu Jun 19 13:01:33 EDT 2014

> I have made the assumption that:
> 1. Your an experienced end user of ModSecurity i.e.
> http://br.linkedin.com/pub/klaubert-herr/51/b58/128
> 2. ... and also the developer of http://waf-fle.org/about/ i.e. a
> ModSecurity Console which is GNUv3 licensed i.e.
> https://github.com/klaubert/waf-fle/blob/master/LICENSE
> I am seeking end users i.e. 1. above
> Therefore, the conflict of interest would be 2. which could be
> resolved if the other developers of competing ModSecurity Console(s),
> such as http://www.jwall.org/, etc.
> If this can't be resolved without dispute then I could credit your
> [accepted] contribution as a ModSecurity "Independent Developer" (i.e.
> not the vendor Trustwave) since I would like to declare any possible
> bias, even unintended, within WAFECv2
> The "Independent Developer" classification is different from the
> contributions made by vendors themselves such as Imperva, Trustwave
> and possibly https://www.ironbee.com/ i.e. Qualys, etc.
> I have no issue if you would like to highlight that you contributed x,
> y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
> to click a link which would also provide a list of other possible
> solution(s) that adhered to x, y and z of which the other vendors
> would have to undertake their own evaluation with an independent
> testing authority.

At WASC we are ok with individuals representing themselves however they 
want, and in fact if they work at a vendor/services provider encourage the 

Really there isn't a 'conflict of interest' for project contributors. If 
there arises an issue it is up to the project leader to resolve openly on 
the list. The only real area where 'conflict of interest' exists, is when 
it comes to project leadership. A project leader/leaders CAN NOT lead a 
project if there is a conflict of interest (employer, personal product 
or service, etc). This is one of the things WASC has been good at enforcing,
and will continue to do so to ensure no bias.

Robert Auger
WASC Co Founder/WASC Officer

> Does this seem reasonable?
> On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
> <klaubert at gmail.com> wrote:
>> Christian,
>> If is good to you, I'd like to join you to complete and review the WAFEC (I
>> have missed your last mail, sorry to not answer before).
>> And I expect to have some time in this months too.
>> Best regards,
>> Klaubert Herr
>> http://waf-fle.org
>> On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich
>> <christian.heinrich at cmlh.id.au> wrote:
>>> Ofer,
>>> Achim has also offered to assist.
>>> It would appear that I have some spare cycles over July and August so
>>> I would like to kick off then.
>>> Is WASC and the community ok with this?
>>> On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
>>> <christian.heinrich at cmlh.id.au> wrote:
>>>> Ofer,
>>>> I would like to see WAFEC v2 released in 2014 and would like to share
>>>> leadership with two (or more) end users for objectivity?
>>>> I would like to see the other people volunteering commit to reviewing
>>>> the mail archive from the kick off onwards i.e.
>>>> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
>>>> onwards as this has captured a lot of knowledge on the content
>>>> proposed for v2.
>>>> Is there a formal process defined within
>>>> http://www.webappsec.org/aboutus.shtml or elsewhere?
>>>> On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf <ofer at shezaf.com> wrote:
>>>>> I guess that after a year or more of little progress, I need to admit
>>>>> that
>>>>> we have stalled. The information as it appears on the OWASP project
>>>>> page
>>>>> ([1]) and the WASC wiki page ([2]) is mostly the latest available. I
>>>>> have a
>>>>> bit more which was submitted and is waiting for publication for review,
>>>>> but
>>>>> nothing significant. While it is always high on my to do list, it is
>>>>> never
>>>>> high enough. WAFs and application security in general are not my day
>>>>> work
>>>>> but just a hobby and this has its toll. I think that project certainly
>>>>> need
>>>>> someone fresh to take over. Any volunteer?
>>> --
>>> Regards,
>>> Christian Heinrich
>>> http://cmlh.id.au/contact
>>> _______________________________________________
>>> wasc-wafec mailing list
>>> wasc-wafec at lists.webappsec.org
>>> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
> -- 
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
> _______________________________________________
> wasc-wafec mailing list
> wasc-wafec at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org

More information about the wasc-wafec mailing list