[WASC-WAFEC] Imperva WTF Tool

Tony Turner tony at sentinel24.com
Fri Nov 20 19:19:59 EST 2015


I sent it 9:40 AM EDT. Try again. That being said, I oppose any precedent
that restricts when I can send an email. I'm a volunteer; I'll work on
WAFEC when I have the time, even late on a Friday should I choose.
On Nov 20, 2015 4:53 PM, "Christian Heinrich" <christian.heinrich at cmlh.id.au>
wrote:

> Tony,
>
> I find that the publication of your e-mail sent on a Friday evening (USA
> timezone) is intended to "fly under the radar".
>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > In the interest of full disclosure I wanted to announce to the list that
> > Mark Kraynak and Amichai Shulman of Imperva have provided us with the
> > source code for the Imperva WTF WAF testing tool. Our intent is not to
> > rebrand it as a WAFEC tool, but to utilize it as a guide for the
> > development of a separate independent tool. It will likely be a very
> > different tool and I want to reiterate that we are not intending to
> > re-release any of their work effort without significant rework or, at
> > the very least, a comprehensive review. At this time I don't know exactly
> > what that will look like as we have not gathered requirements yet.
>
> This is a conflict of interest that you have not disclosed, as you:
> - Haven't "... gathered requirements yet", which will now be
> subsequently influenced by Imperva
> - Provided preferential treatment to a vendor that has a relationship
> with your employer, i.e.
>
> http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
> (dated days ago), and excluded bodies of work, i.e.
>
> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > Some of the logic and structure may remain, but I wanted to make sure
> > there was transparency around this resource for WAFEC. If there are those
> > on this list who have an interest in being actively involved in the
> > development of this new toolset or have specific requirements you would
> > like the tool to address, please shoot me an email and I'll get you added
> > to the development team, or at the very least get your requests added to
> > the list. If you are a vendor, and have specific concerns about this
> > approach, please let me know. I'd love to get your feedback.
>
> I consider this a breach of
> https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
> i.e. the source code should be available under an applicable FOSS
> license.
>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > I don't intend to ramp up dev efforts for a few more months, at least not
> > until the actual criteria are more well defined for the next version, but
> > I wanted to get the ball rolling so we can start gathering requirements
> > and head off any concerns in advance of actual dev work starting. Lastly,
> > we will not release any tool publicly as an official WAFEC deliverable
> > until all members of the vendor subgroup have had a chance to review it.
>
> At BlackHat USA (August 2015) you alluded to the creation of a Google
> Document consolidating all contributions, i.e. 6 of
>
> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
>
> Can I please have access to this Google Doc(s) ASAP?  If not, then it
> is reasonable to infer that you have made no effort to deliver over
> three months.  Rather, WAFEC has been used to promote the business
> interests of GuidePoint Security (your employer) in addition to other
> marketing, such as
> https://twitter.com/guidepointsec/status/656090183125835778 dated 15
> October 2015.
>
> Neither are vendors to influence WAFEC due to their conflict of
> interest.  Hence, the requirement that the leader of this project is
> an end user (consumer) of WAF products and not a reseller.
>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > If you are a WAF vendor and wish to be added to the vendor subgroup,
> > please shoot me an email with your contact information and role. We are
> > not excluding any vendor from this process.
>
> It would defy belief that you have not at least attempted to make
> contact with the other WAF vendors, but then again GuidePoint Security
> do not have a reseller agreement with these other vendors.
>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > As of this time, the following vendors are represented on our vendor
> > subgroup:
> >
> > Verizon
> > Radware
> > Ergon
> > Cdnetworks
> > Imperva
> > F5
> > Sentrix
>
> A majority of these are replicated from
> http://www.guidepointsecurity.com/vendors
>
> In conclusion, in light of the recent promotional activities of
> GuidePoint Security and Imperva and others, such as
> https://twitter.com/guidepointsec/status/656090183125835778, and if you
> are unable to provide access to the Google Doc that we discussed at
> BlackHat and the source code, then I respectfully request that you
> resign from this project due to these ongoing conflicts of interest
> with GuidePoint Security.
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>
> _______________________________________________
> wasc-wafec mailing list
> wasc-wafec at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>