[WASC-WAFEC] Imperva WTF Tool

Christian Heinrich christian.heinrich at cmlh.id.au
Fri Nov 20 16:51:59 EST 2015


Tony,

I find that the publication of your e-mail sent on a Friday evening (USA
timezone) is intended to "fly under the radar".

On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org> wrote:
> In the interest of full disclosure I wanted to announce to the list that
> Mark Kraynak and Amichai Shulman of Imperva have provided us with the source
> code for the Imperva WTF WAF testing tool. Our intent is not to rebrand as a
> WAFEC tool, but to utilize as guide for the development of a separate
> independent tool. It will likely be a very different tool and I want to
> reiterate that we are not intending to re-release any of their work effort
> without significant rework or at the very least, a comprehensive review. At
> this time I don't know exactly what that will look like as we have not
> gathered requirements yet.

This is a conflict of interest that you have not disclosed as you:
- Haven't "... gathered requirements yet" which will now be
subsequently influenced by Imperva
- Provided preferential treatment to a vendor that has a relationship
with your employer
http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
(dated days ago) and excluded bodies of work i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html

On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org> wrote:
> Some of the logic and structure may remain, but I wanted to make sure there
> was transparency around this resource for WAFEC. If there are those on this
> list who have an interest in being actively involved in the development of
> this new toolset or have specific requirements you would like the tool to
> address, please shoot me an email and I'll get you added to the development
> team, or at the very least get your requests added to the list. If you are a
> vendor, and have specific concerns about this approach, please let me know.
> I'd love to get your feedback.

I consider this a breach of
https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
i.e. the source code should be available under an applicable FOSS
license.

On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org> wrote:
> I don't intend to ramp up dev efforts for a few more months, at least not
> until the actual criteria are more well defined for the next version but I
> wanted to get the ball rolling so we can start gathering requirements and
> head off any concerns in advance of actual dev work starting. Lastly, we
> will not release any tool publicly as an official WAFEC deliverable until
> all members of the vendor subgroup have had a chance to review it.

At BlackHat USA (August 2015) you alluded to consolidating all
contributions into a single Google Document i.e. 6 of
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html

Can I please have access to this Google Doc(s) ASAP?  If not, then it
is reasonable to infer that you have made no effort to deliver over
three months.  Rather, WAFEC has been used to promote the business
interests of GuidePoint Security (your employer) in addition to other
marketing, such as
https://twitter.com/guidepointsec/status/656090183125835778 dated 15
October 2015.

Neither are vendors to influence WAFEC due to their conflict of
interest.  Hence, the requirement that the leader of this project is
an end user (consumer) of WAF products and not a reseller.

On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org> wrote:
> If you are a WAF vendor and wish to be added to the vendor subgroup, please
> shoot me an email with your contact information and role. We are not
> excluding any vendor from this process.

It would defy belief that you have not at least attempted to make
contact with the other WAF vendors but then again GuidePoint Security
do not have a reseller agreement with these other vendors.

On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org> wrote:
> As of this time, the following vendors are represented on our vendor
> subgroup:
>
> Verizon
> Radware
> Ergon
> Cdnetworks
> Imperva
> F5
> Sentrix

A majority of these are replicated from
http://www.guidepointsecurity.com/vendors

In conclusion, in light of the recent promotional activities of
GuidePoint Security and Imperva and others such as
https://twitter.com/guidepointsec/status/656090183125835778 and if you
are unable to provide access to the Google Doc that we discussed at
BlackHat and the source code, then I respectfully request that you
resign from this project due to these ongoing conflicts of interest
with GuidePoint Security.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact