[WASC-WAFEC] Question about WAFEC.

Klaubert Herr da Silveira klaubert at gmail.com
Fri Jun 20 00:08:57 EDT 2014


Christian,

I really like your proposal and care in seeking end user contributions to
continue WAFEC v2; evaluation criteria made mainly by vendors can be too
partial and lose the practical focus needed by evaluators.

Acting mainly as a consultant and end user (using open source and commercial
WAFs), and as a waf-fle developer in my spare time, I came to Ofer
Shezaf in the past to contribute as a reviewer.

I expect to avoid any biased judgement or conflict of interest, as I always do.
I raised my hand in your call with my end user side in mind, but I am a
developer too.

I agree that checks and balances are needed to avoid biased opinions (when I
joined WAFEC I saw few users, and this is bad), and making end users
participate more is a good starting point, but it is not a guarantee, since I
(and anyone) as an end user can defend some vendor/product point of view (just
because he/she sees the WAF through the lens of product A or B), not because
he/she is trying to privilege the product. And all members of WAFEC (mainly
those who do the writing and the revision) must be committed to avoiding this.

How to refer to me? "Independent developer", "End user/Independent
developer" or any other appropriate description; the clearer, the better. As I
have no affiliation with any vendor or reseller, I speak for myself.

I understand your care, and respect it. And I'd like to contribute more
to WAFEC, to the best of my ability.

Best regards,

Klaubert Herr


On 19/06/2014 01:29, "Christian Heinrich" <christian.heinrich at cmlh.id.au>
wrote:

> Klaubert,
>
> I have made the assumption that:
>
> 1. You're an experienced end user of ModSecurity i.e.
> http://br.linkedin.com/pub/klaubert-herr/51/b58/128
>
> 2. ... and also the developer of http://waf-fle.org/about/ i.e. a
> ModSecurity Console which is GNUv3 licensed i.e.
> https://github.com/klaubert/waf-fle/blob/master/LICENSE
>
> I am seeking end users i.e. 1. above
>
> Therefore, the conflict of interest would be 2. which could be
> resolved if the other developers of competing ModSecurity Console(s),
> such as http://www.jwall.org/, etc.
>
> If this can't be resolved without dispute then I could credit your
> [accepted] contribution as a ModSecurity "Independent Developer" (i.e.
> not the vendor Trustwave) since I would like to declare any possible
> bias, even unintended, within WAFECv2
>
> The "Independent Developer" classification is different from the
> contributions made by vendors themselves such as Imperva, Trustwave
> and possibly https://www.ironbee.com/ i.e. Qualys, etc.
>
> I have no issue if you would like to highlight that you contributed x,
> y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
> to click a link which would also provide a list of other possible
> solution(s) that adhered to x, y and z of which the other vendors
> would have to undertake their own evaluation with an independent
> testing authority.
>
> Does this seem reasonable?
>
> On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
> <klaubert at gmail.com> wrote:
> > Christian,
> >
> > If it is good for you, I'd like to join you to complete and review the WAFEC
> > (I missed your last mail, sorry for not answering before).
> > And I expect to have some time in these months too.
> >
> > Best regards,
> >
> > Klaubert Herr
> > http://waf-fle.org
> >
> >
> > On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich
> > <christian.heinrich at cmlh.id.au> wrote:
> >>
> >> Ofer,
> >>
> >> Achim has also offered to assist.
> >>
> >> It would appear that I have some spare cycles over July and August so
> >> I would like to kick off then.
> >>
> >> Is WASC and the community ok with this?
> >>
> >> On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
> >> <christian.heinrich at cmlh.id.au> wrote:
> >> > Ofer,
> >> >
> >> > I would like to see WAFEC v2 released in 2014 and would like to share
> >> > leadership with two (or more) end users for objectivity?
> >> >
> >> > I would like to see the other people volunteering commit to reviewing
> >> > the mail archive from the kick off onwards i.e.
> >> >
> >> > http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
> >> > onwards as this has captured a lot of knowledge on the content
> >> > proposed for v2.
> >> >
> >> > Is there a formal process defined within
> >> > http://www.webappsec.org/aboutus.shtml or elsewhere?
> >> >
> >> > On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf <ofer at shezaf.com> wrote:
> >> >> I guess that after a year or more of little progress, I need to admit
> >> >> that we have stalled. The information as it appears on the OWASP project
> >> >> page ([1]) and the WASC wiki page ([2]) is mostly the latest available. I
> >> >> have a bit more which was submitted and is waiting for publication for
> >> >> review, but nothing significant. While it is always high on my to do list,
> >> >> it is never high enough. WAFs and application security in general are not
> >> >> my day work but just a hobby and this has its toll. I think that the
> >> >> project certainly needs someone fresh to take over. Any volunteer?
> >>
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Christian Heinrich
> >>
> >> http://cmlh.id.au/contact
> >>
> >
> >
>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>