[WASC-WAFEC] Imperva WTF Tool

Tony Turner tony.turner at owasp.org
Fri Nov 20 21:03:38 EST 2015


OK, let me try this again, Christian, because I didn't see all your libelous
accusations below.

On Nov 20, 2015 4:53 PM, "Christian Heinrich" <christian.heinrich at cmlh.id.au>
wrote:

> Tony,
>
> I find the publication of your e-mail sent on a Friday evening (USA
> timezone) is intended to "fly under the radar".
>

I've already stated this was a 9:40 AM email for me. Not exactly hiding
anything.


>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > In the interest of full disclosure I wanted to announce to the list that
> > Mark Kraynak and Amichai Shulman of Imperva have provided us with the
> > source code for the Imperva WTF WAF testing tool. Our intent is not to
> > rebrand as a WAFEC tool, but to utilize as a guide for the development of
> > a separate independent tool. It will likely be a very different tool and
> > I want to reiterate that we are not intending to re-release any of their
> > work effort without significant rework or at the very least, a
> > comprehensive review. At this time I don't know exactly what that will
> > look like as we have not gathered requirements yet.
>
> This is a conflict of interest that you have not disclosed as you:
> - Haven't "... gathered requirements yet" which will now be
> subsequently influenced by Imperva
>

No they will not. You are making unfounded assumptions. I do have a loose
set of requirements in my head but WAFEC has not officially documented the
list of requirements. That is the process. Not me looking at Imperva's WTF
tool and laying out a roadmap that aligns with that. Any pre-development
work will start with a structured set of requirements that the
community will get a commentary period on.


> - Provided preferential treatment to a vendor that has a relationship
> with your employer
>
> http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254


Yup, my employer works with just about any decent security vendor that
customers might want to buy a product with that we happen to have had
occasion to deal with. I was transparent about my employer before I took
over WAFEC. As you noted in your response, it's a rather large list of
vendors.

> (dated days ago) and excluded bodies of work i.e.
>
> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html


I have not excluded any bodies of work. I did not receive sufficient
response on my query to be noteworthy at that time. Lots of people telling
me it was a great idea, nobody that actually wanted to contribute anything.



>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > Some of the logic and structure may remain, but I wanted to make sure
> > there was transparency around this resource for WAFEC. If there are those
> > on this list who have an interest in being actively involved in the
> > development of this new toolset or have specific requirements you would
> > like the tool to address, please shoot me an email and I'll get you added
> > to the development team, or at the very least get your requests added to
> > the list. If you are a vendor, and have specific concerns about this
> > approach, please let me know. I'd love to get your feedback.
>
> I consider this a breach of
> https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
> i.e. the source code should be available under an applicable FOSS
> license.
>

What source code? Imperva's? Go talk to them if you have an issue with
their licensing. WAFEC does not have source code to actually be in
violation of any license. We have not yet started development. I simply
accepted Imperva's offer for the sharing of their source code.


>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > I don't intend to ramp up dev efforts for a few more months, at least not
> > until the actual criteria are more well defined for the next version but
> > I wanted to get the ball rolling so we can start gathering requirements
> > and head off any concerns in advance of actual dev work starting. Lastly,
> > we will not release any tool publicly as an official WAFEC deliverable
> > until all members of the vendor subgroup have had a chance to review it.
>
> At BlackHat USA (August 2015) you alluded to the creation of a
> consolidating all contribution into a single Google Document i.e. 6 of
>
> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
>
> Can I please have access to this Google Doc(s) ASAP?


The document was worked on at AppSecUSA WAFEC Workshop with Raphael
Chileshe of Radware. Why only Radware you might ask? Because nobody else
showed up. The invitation was open to all. He did not make any changes to
the core document, and the crux of our efforts was a reorganization of
content and roadmap realignment and then general conversation around the
project. I'll be happy to provide a link for any contributor who wishes it,
but at this point I'm not really ready to post it publicly for comment yet.

> If not, then it
> is reasonable to infer that you have made no effort to deliver over
> three months.


I'm a busy man. I work a lot of hours and have a family as well. I'm
aligned with the roadmap we posted at the OWASP wiki and the project is
moving. Slowly, but moving.


> Rather, WAFEC has been used to promote the business
> interests of GuidePoint Security (your employer) in addition to other
> marketing, such as
> https://twitter.com/guidepointsec/status/656090183125835778 dated 15
> October 2015.
>
>
I run WAF services offerings for my employer. I don't sell products. I
don't get commission for products. My association with open source projects
that are relevant to the professional services my company and i provide,
brings insight for customers who want to understand who it is they are
doing business with. There are no OWASP or WASC branded logos on our blog.
We do not claim to have an OWASP or WASC authorized or approved product or
service. My association with WAFEC is not a secret, nor should it be. My
employer graciously allows me to use their time (when I'm not billing) to
work on WAFEC. I don't see any issue here with daring to mention my
involvement with an open source project focused on WAF when stating
credentials for a blog post on WAF best practices.

> Neither are vendors to influence WAFEC due to their conflict of
> interest.  Hence, the requirement that the leader of this project is
> an end user (consumer) of WAF products and not a reseller.
>

That was not a requirement and I clearly stated my affiliations before
taking over the project. There were no objections then.


>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > If you are a WAF vendor and wish to be added to the vendor subgroup,
> > please shoot me an email with your contact information and role. We are
> > not excluding any vendor from this process.
>
> It would defy belief that you have not at least attempted to make
> contact with the other WAF vendors but then again GuidePoint Security
> do not have a reseller agreement with these other vendors.
>

I also physically visited tradeshow booths at Black Hat for A10 (who we
resell) and Citrix (who we resell) and did not receive sufficient
information from them to facilitate a relationship with WAFEC. I'm still
open to conversations there. I am very disconnected from the VAR sales
cycle at GuidePoint and do not have the vendor relationships you think I do.

>
> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
> wrote:
> > As of this time, the following vendors are represented on our vendor
> > subgroup:
> >
> > Verizon
> > Radware
> > Ergon
> > Cdnetworks
> > Imperva
> > F5
> > Sentrix
>
> A majority of these are replicated from
> http://www.guidepointsecurity.com/vendors


2 out of 7 vendors is hardly a majority.


>
> In conclusion, in light of the recent promotional activities of
> GuidePoint Security and Imperva and others such as
> https://twitter.com/guidepointsec/status/656090183125835778 and if you
> are unable to provide access to the Google Doc that we discussed at
> BlackHat and the source code, then I respectfully request that you
> resign from this project due to these ongoing conflicts of interest
> with GuidePoint Security?
>

I will provide access to the doc for contributors. Contributors are part of
my team. Anyone else will have to satisfy themselves with the previously
published version until we are prepared for comment. I assure you we will
not publish anything without an acceptable review period.

There is no source code.

Lastly, no.

This is the only time I will ever respond to one of these Christian. I gave
you a chance against the advice of many who spoke against you because I
know how passion can sometimes be misconstrued. Please don't make me regret
that decision. You can consider this my first and only warning.


>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact




On Fri, Nov 20, 2015 at 7:19 PM, Tony Turner <tony at sentinel24.com> wrote:

> I sent it 9:40 AM EDT. Try again. That being said I oppose any precedent
> that restricts when I can send an email. I'm a volunteer, I'll work on
> WAFEC when I have the time, even late on a Friday should I choose.


-- 
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner at owasp.org
https://www.owasp.org/index.php/Orlando