[WASC-WAFEC] Imperva WTF Tool

Christian Heinrich christian.heinrich at cmlh.id.au
Fri Nov 20 21:55:25 EST 2015


Tony,

On Sat, Nov 21, 2015 at 1:03 PM, Tony Turner <tony.turner at owasp.org> wrote:
> This is the only time I will ever respond to one of these Christian. I gave
> you a chance against the advice of many who spoke against you because I know
> how passion can sometimes be misconstrued. Please don't make me regret that
> decision. You can consider this my first and only warning.

This is untrue and has been proven time and time again to be false by
OWASP Board Members such as:

1. Jim Manico who stated "I think he really was attacked in many ways"
within https://lists.owasp.org/pipermail/owasp-leaders/2012-July/007468.html

2. Josh Sokol who stated that Dinis Cruz "chastised an active project
leader for doing what it appears that several others were also doing
at the time, potentially furthered personal biases, created negative
feelings between Christian and OWASP, and just
generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
has been allowed to linger for so long as it just perpetuates the
things that we've done wrong," within
http://lists.owasp.org/pipermail/owasp-board/2014-February/013107.html

The OWASP retraction itself is available from
https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project

It is well known that the ulterior motive of the OWASP Members who have
made these false character references against me is to divert
attention away from the discovery of their own corruption when relying
on biased witnesses such as
http://www.abc.net.au/news/2015-11-02/police-anti-fraud-project-subject-of-corruption-probe/6904914
http://www.theregister.co.uk/2015/11/02/tech_sponsored_qld_police_project_queried_by_corruption_probe/
http://www.theaustralian.com.au/business/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
etc

Therefore, can you retract your character reference as it is false?

You are more than welcome to provide the names of the parties you have
spoken to about me so I can follow up with them too.

If you are unable to provide access to the source code from Imperva and
the Google Doc (in violation of OWASP's own policies) then I would
like to have the management of WAFEC transferred back to me as I have
an extensive public record of contributing to this project and no
affiliation to a vendor or reseller.

I have no issue in continuing to work with you and/or OWASP in the
development of WAFEC during and after the transition of this project's
management.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

On Sat, Nov 21, 2015 at 1:03 PM, Tony Turner <tony.turner at owasp.org> wrote:
> OK, let me try this again Christian because I didn't see all your libelous
> accusations below.
>
> On Nov 20, 2015 4:53 PM, "Christian Heinrich"
> <christian.heinrich at cmlh.id.au> wrote:
>>
>> Tony,
>>
>> I find the publication of your e-mail sent on a Friday evening (USA
>> timezone) is intended to "fly under the radar".
>
>
> I've already stated this was a 9:40 AM email for me. Not exactly hiding
> anything
>
>>
>>
>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>> wrote:
>> > In the interest of full disclosure I wanted to announce to the list that
>> > Mark Kraynak and Amichai Shulman of Imperva have provided us with the
>> > source
>> > code for the Imperva WTF WAF testing tool. Our intent is not to rebrand
>> > as a
>> > WAFEC tool, but to utilize as a guide for the development of a separate
>> > independent tool. It will likely be a very different tool and I want to
>> > reiterate that we are not intending to re-release any of their work
>> > effort
>> > without significant rework or at the very least, a comprehensive review.
>> > At
>> > this time I don't know exactly what that will look like as we have not
>> > gathered requirements yet.
>>
>> This is a conflict of interest that you have not disclosed as you:
>> - Haven't "... gathered requirements yet" which will now be
>> subsequently influenced by Imperva
>
>
> No they will not. You are making unfounded assumptions. I do have a loose
> set of requirements in my head but WAFEC has not officially documented the
> list of requirements. That is the process. Not me looking at Imperva's WTF
> tool and laying out a roadmap that aligns with that. Any pre-development
> work will start with a structured set of requirements that the
> community will get a commentary period on.
>
>>
>> - Provided preferential treatment to a vendor that has a relationship
>> with your employer
>>
>> http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
>
>
> Yup, my employer works with just about any decent security vendor that
> customers might want to buy a product with that we happen to have had
> occasion to deal with. I was transparent about my employer before I took
> over WAFEC. As you noted in your response, it's a rather large list of
> vendors.
>
>> (dated days ago) and excluded bodies of work i.e.
>>
>> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
>
>
> I have not excluded any bodies of work. I did not receive sufficient
> response on my query to be noteworthy at that time. Lots of people telling
> me it was a great idea, nobody that actually wanted to contribute anything.
>
>>
>>
>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>> wrote:
>> > Some of the logic and structure may remain, but I wanted to make sure
>> > there
>> > was transparency around this resource for WAFEC. If there are those on
>> > this
>> > list who have an interest in being actively involved in the development
>> > of
>> > this new toolset or have specific requirements you would like the tool
>> > to
>> > address, please shoot me an email and I'll get you added to the
>> > development
>> > team, or at the very least get your requests added to the list. If you
>> > are a
>> > vendor, and have specific concerns about this approach, please let me
>> > know.
>> > I'd love to get your feedback.
>>
>> I consider this a breach of
>> https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
>> i.e. the source code should be available under an applicable FOSS
>> license.
>
>
> What source code? Imperva's? Go talk to them if you have an issue with their
> licensing. WAFEC does not have source code to actually be in violation of
> any license. We have not yet started development. I simply accepted
> Imperva's offer for the sharing of their source code.
>
>>
>>
>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>> wrote:
>> > I don't intend to ramp up dev efforts for a few more months, at least
>> > not
>> > until the actual criteria are more well defined for the next version but
>> > I
>> > wanted to get the ball rolling so we can start gathering requirements
>> > and
>> > head off any concerns in advance of actual dev work starting. Lastly, we
>> > will not release any tool publicly as an official WAFEC deliverable
>> > until
>> > all members of the vendor subgroup have had a chance to review it.
>>
>> At BlackHat USA (August 2015) you alluded to consolidating all
>> contributions into a single Google Document, i.e. 6 of
>>
>> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
>>
>> Can I please have access to this Google Doc(s) ASAP?
>
>
> The document was worked on at AppSecUSA WAFEC Workshop with Raphael Chileshe
> of Radware. Why only Radware you might ask? Because nobody else showed up.
> The invitation was open to all. He did not make any changes to the core
> document, and the crux of our efforts was a reorganization of content and
> roadmap realignment and then general conversation around the project. I'll
> be happy to provide a link for any contributor who wishes it, but at this
> point I'm not really ready to post it publicly for comment yet.
>
>> If not, then it
>> is reasonable to infer that you have made no effort to deliver over
>> three months.
>
>
> I'm a busy man. I work a lot of hours and have a family as well. I'm aligned
> with the roadmap we posted at the OWASP wiki and the project is moving.
> Slowly, but moving.
>
>>
>> Rather, WAFEC has been used to promote the business
>> interests of GuidePoint Security (your employer) in addition to other
>> marketing, such as
>> https://twitter.com/guidepointsec/status/656090183125835778 dated 15
>> October 2015.
>>
>
> I run WAF services offerings for my employer. I don't sell products. I don't
> get commission for products. My association with open source projects that
> are relevant to the professional services my company and I provide, brings
> insight for customers who want to understand who it is they are doing
> business with. There are no OWASP or WASC branded logos on our blog. We do
> not claim to have an OWASP or WASC authorized or approved product or
> service. My association with WAFEC is not a secret, nor should it be. My
> employer graciously allows me to use their time (when I'm not billing) to
> work on WAFEC. I don't see any issue here with daring to mention my
> involvement with an open source project focused on WAF when stating
> credentials for a blog post on WAF best practices.
>
>> Nor are vendors to influence WAFEC due to their conflict of
>> interest.  Hence, the requirement that the leader of this project is
>> an end user (consumer) of WAF products and not a reseller.
>
>
> That was not a requirement and I clearly stated my affiliations before
> taking over the project. There were no objections then.
>
>>
>>
>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>> wrote:
>> > If you are a WAF vendor and wish to be added to the vendor subgroup,
>> > please
>> > shoot me an email with your contact information and role. We are not
>> > excluding any vendor from this process.
>>
>> It would defy belief that you have not at least attempted to make
>> contact with the other WAF vendors but then again GuidePoint Security
>> do not have a reseller agreement with these other vendors.
>
>
> I also physically visited tradeshow booths at Black Hat for A10 (who we
> resell) and Citrix (who we resell) and did not receive sufficient
> information from them to facilitate a relationship with WAFEC. I'm still
> open to conversations there. I am very disconnected from the VAR sales cycle
> at GuidePoint and do not have the vendor relationships you think I do.
>>
>>
>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>> wrote:
>> > As of this time, the following vendors are represented on our vendor
>> > subgroup:
>> >
>> > Verizon
>>
>> > Radware
>> > Ergon
>> > Cdnetworks
>> > Imperva
>> > F5
>> > Sentrix
>>
>> A majority of these are replicated from
>> http://www.guidepointsecurity.com/vendors
>
>
>  2 out of 7 vendors is hardly a majority
>
>>
>>
>> In conclusion, in light of the recent promotional activities of
>> GuidePoint Security and Imperva and others such as
>> https://twitter.com/guidepointsec/status/656090183125835778 and if you
>> are unable to provide access to the Google Doc that we discussed at
>> BlackHat and the source code, then I respectfully request that you
>> resign from this project due to these ongoing conflicts of interest
>> with GuidePoint Security?
>
>
> I will provide access to the doc for contributors. Contributors are part of
> my team. Anyone else will have to satisfy themselves with the previously
> published version until we are prepared for comment. I assure you we will
> not publish anything without an acceptable review period.
>
> There is no source code.
>
> Lastly, No.
>
> This is the only time I will ever respond to one of these Christian. I gave
> you a chance against the advice of many who spoke against you because I know
> how passion can sometimes be misconstrued. Please don't make me regret that
> decision. You can consider this my first and only warning.
>
>>
>>
>>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://cmlh.id.au/contact
>
>
>
>
> On Fri, Nov 20, 2015 at 7:19 PM, Tony Turner <tony at sentinel24.com> wrote:
>>
>> I sent it 9:40 AM EDT. Try again. That being said I oppose any precedent
>> that restricts when I can send an email. I'm a volunteer, I'll work on WAFEC
>> when I have the time, even late on a Friday should I choose.
>>
>> On Nov 20, 2015 4:53 PM, "Christian Heinrich"
>> <christian.heinrich at cmlh.id.au> wrote:
>>>
>>> Tony,
>>>
>>> I find the publication of your e-mail sent on a Friday evening (USA
>>> timezone) is intended to "fly under the radar".
>>>
>>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>>> wrote:
>>> > In the interest of full disclosure I wanted to announce to the list
>>> > that
>>> > Mark Kraynak and Amichai Shulman of Imperva have provided us with the
>>> > source
>>> > code for the Imperva WTF WAF testing tool. Our intent is not to rebrand
>>> > as a
>>> > WAFEC tool, but to utilize as a guide for the development of a separate
>>> > independent tool. It will likely be a very different tool and I want to
>>> > reiterate that we are not intending to re-release any of their work
>>> > effort
>>> > without significant rework or at the very least, a comprehensive
>>> > review. At
>>> > this time I don't know exactly what that will look like as we have not
>>> > gathered requirements yet.
>>>
>>> This is a conflict of interest that you have not disclosed as you:
>>> - Haven't "... gathered requirements yet" which will now be
>>> subsequently influenced by Imperva
>>> - Provided preferential treatment to a vendor that has a relationship
>>> with your employer
>>>
>>> http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
>>> (dated days ago) and excluded bodies of work i.e.
>>>
>>> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
>>>
>>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>>> wrote:
>>> > Some of the logic and structure may remain, but I wanted to make sure
>>> > there
>>> > was transparency around this resource for WAFEC. If there are those on
>>> > this
>>> > list who have an interest in being actively involved in the development
>>> > of
>>> > this new toolset or have specific requirements you would like the tool
>>> > to
>>> > address, please shoot me an email and I'll get you added to the
>>> > development
>>> > team, or at the very least get your requests added to the list. If you
>>> > are a
>>> > vendor, and have specific concerns about this approach, please let me
>>> > know.
>>> > I'd love to get your feedback.
>>>
>>> I consider this a breach of
>>> https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
>>> i.e. the source code should be available under an applicable FOSS
>>> license.
>>>
>>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>>> wrote:
>>> > I don't intend to ramp up dev efforts for a few more months, at least
>>> > not
>>> > until the actual criteria are more well defined for the next version
>>> > but I
>>> > wanted to get the ball rolling so we can start gathering requirements
>>> > and
>>> > head off any concerns in advance of actual dev work starting. Lastly,
>>> > we
>>> > will not release any tool publicly as an official WAFEC deliverable
>>> > until
>>> > all members of the vendor subgroup have had a chance to review it.
>>>
>>> At BlackHat USA (August 2015) you alluded to consolidating all
>>> contributions into a single Google Document, i.e. 6 of
>>>
>>> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
>>>
>>> Can I please have access to this Google Doc(s) ASAP?  If not, then it
>>> is reasonable to infer that you have made no effort to deliver over
>>> three months.  Rather, WAFEC has been used to promote the business
>>> interests of GuidePoint Security (your employer) in addition to other
>>> marketing, such as
>>> https://twitter.com/guidepointsec/status/656090183125835778 dated 15
>>> October 2015.
>>>
>>> Nor are vendors to influence WAFEC due to their conflict of
>>> interest.  Hence, the requirement that the leader of this project is
>>> an end user (consumer) of WAF products and not a reseller.
>>>
>>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>>> wrote:
>>> > If you are a WAF vendor and wish to be added to the vendor subgroup,
>>> > please
>>> > shoot me an email with your contact information and role. We are not
>>> > excluding any vendor from this process.
>>>
>>> It would defy belief that you have not at least attempted to make
>>> contact with the other WAF vendors but then again GuidePoint Security
>>> do not have a reseller agreement with these other vendors.
>>>
>>> On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner <tony.turner at owasp.org>
>>> wrote:
>>> > As of this time, the following vendors are represented on our vendor
>>> > subgroup:
>>> >
>>> > Verizon
>>> > Radware
>>> > Ergon
>>> > Cdnetworks
>>> > Imperva
>>> > F5
>>> > Sentrix
>>>
>>> A majority of these are replicated from
>>> http://www.guidepointsecurity.com/vendors
>>>
>>> In conclusion, in light of the recent promotional activities of
>>> GuidePoint Security and Imperva and others such as
>>> https://twitter.com/guidepointsec/status/656090183125835778 and if you
>>> are unable to provide access to the Google Doc that we discussed at
>>> BlackHat and the source code, then I respectfully request that you
>>> resign from this project due to these ongoing conflicts of interest
>>> with GuidePoint Security?
>>>
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>>
>>> http://cmlh.id.au/contact
>>>
>>> _______________________________________________
>>> wasc-wafec mailing list
>>> wasc-wafec at lists.webappsec.org
>>>
>>> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>
>
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
