[WASC-WAFEC] Question about WAFEC.

Christian Heinrich christian.heinrich at cmlh.id.au
Thu Jun 19 22:16:46 EDT 2014


On Fri, Jun 20, 2014 at 3:01 AM, Robert A. <robert at webappsec.org> wrote:
> Christian,
> At WASC we are ok with individuals representing themselves however they
> want, and in fact if they work at a vendor/services provider encourage the
> disclosure.
> Really there isn't a 'conflict of interest' for project contributors. If there arises
> an issue it is up to the project leader to resolve openly on the list. The only real
> area where 'conflict of interest' exists, is when it comes to project leadership. A
> project leader/leaders CAN NOT lead a project if there is a conflict of interest
> (employer, personal product or service, etc). This is one of the things WASC
> has been good at enforcing,
> and will continue to do so to ensure no bias.

I have no doubt that Klaubert will make a significant contribution to
WAFEC based on his end user experience with ModSecurity but I want to
establish a code of conduct that is applicable, known and fair to
contributors beforehand so that WASC can avoid incidents related to
favouritism which reoccur time and time again within OWASP i.e.
(I noticed that Dinis Cruz deleted my comment to this Blog Post), etc

The other issue that I am attempting to manage is the unsubstantiated
rumour that WASC Projects are nothing more than direct vendor promotion
e.g. http://lists.owasp.org/pipermail/owasp-board/2007-March/005551.html

I myself have no involvement within WAF technology at the moment as I
lost my job as an end user managing a WAF because I refused to endorse
vendor x over vendor y, a situation that could have been avoided with the
application of WAFEC.

If two parties differ on their opinion then I will forward it to Ofer
for moderation because he is extremely fair and not associated with a
WAF vendor.

Christian Heinrich

