[WASC-WAFEC] AWS WAF

Christian Heinrich christian.heinrich at cmlh.id.au
Fri Oct 9 23:06:00 EDT 2015


Tony,

On Sat, Oct 10, 2015 at 12:57 PM, Tony Turner <tony at sentinel24.com> wrote:
> My responses inline below Christian, I don't necessarily agree with your
> assessment
> This distrust has to do with lack of transparency and use of a benchmark by
> a commercial entity before it is a mature framework. Don't confuse the
> issues with your bias against OWASP by making inflammatory statements out of
> context. I'm very aware of the issues and do not intend to repeat those
> mistakes.

I have not been involved in the recent public discussion at all about
the OWASP Benchmark Project so I am unaware how I could have
influenced this incident due to a perceived bias?

However, we did discuss the paid inclusion of A9 of the OWASP Top Ten
2013 Release and the detrimental effect on your proposed CFV at
BlackHat USA 2015 and this same vendor has been caught again after not
even two months have passed since our discussion.

On Sat, Oct 10, 2015 at 12:57 PM, Tony Turner <tony at sentinel24.com> wrote:
> I'm not quite sure what issue you are having here. Please elaborate. I do
> not intend for WAFEC to perform evaluations. Its simply a framework and set
> of tools for vendors, independent testing entities and consumers to conduct
> their own evaluations. It should be designed for consistency and flexibility
> to map as closely as possible to the unique scenario it is being used to
> evaluate.

I was willing to give your CFV proposal the benefit of the doubt
(hence I made no comment in the published minutes) and while I
understand these issues are outside of your control my recommendation
is to defer CFV until OWASP has published their determination against
the vendor.

On Sat, Oct 10, 2015 at 12:57 PM, Tony Turner <tony at sentinel24.com> wrote:
> Lack of weighting makes all criteria equally important. For the purpose of a
> generic evaluation, that's fine but that does not map to how consumers need
> to use evaluation tools. Not all implementations are the same, not all
> requirements are the same and not all consumers will consider criteria with
> the exact same weight. I'm sorry but I strongly disagree with you here. I'm
> not talking about setting weights, I'm talking about providing the
> flexibility for the user of the tool to set their own weights. Please
> provide concrete examples of how you find this to be problematic.

I have no issue with the end user making their own independent
decision [on weighting] but I disagree WAFEC should be proposing a
scheme about weighting that influences the end user in making the wrong
decision in hindsight.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
