[WASC-WAFEC] AWS WAF

Tony Turner tony at sentinel24.com
Sat Oct 10 14:16:41 EDT 2015


I do not intend to delay CFV as I do not feel there is any relevance. This
is not about OWASP and the outcome of that project has nothing to do with
WAFEC. We have taken steps to ensure transparency and mitigate conflict of
interest for vendor contributors and I am confident this will not be an
issue here. In fact, preventing additional vendors from joining would do
the opposite in favor of established vendor participants.

-Tony
On Oct 9, 2015 11:06 PM, "Christian Heinrich" <christian.heinrich at cmlh.id.au>
wrote:

> Tony,
>
> On Sat, Oct 10, 2015 at 12:57 PM, Tony Turner <tony at sentinel24.com> wrote:
> > My responses inline below Christian, I don't necessarily agree with your
> > assessment.
> > This distrust has to do with lack of transparency and use of a benchmark by
> > a commercial entity before it is a mature framework. Don't confuse the
> > issues with your bias against OWASP by making inflammatory statements out of
> > context. I'm very aware of the issues and do not intend to repeat those
> > mistakes.
>
> I have not been involved in the recent public discussion at all about
> the OWASP Benchmark Project so I am unaware how I could have
> influenced this incident due to a perceived bias?
>
> However, we did discuss the paid inclusion of A9 of the OWASP Top Ten
> 2013 Release and the detrimental effect on your proposed CFV at
> BlackHat USA 2015 and this same vendor has been caught again after not
> even two months have passed since our discussion.
>
> On Sat, Oct 10, 2015 at 12:57 PM, Tony Turner <tony at sentinel24.com> wrote:
> > I'm not quite sure what issue you are having here. Please elaborate. I do
> > not intend for WAFEC to perform evaluations. It's simply a framework and set
> > of tools for vendors, independent testing entities and consumers to conduct
> > their own evaluations. It should be designed for consistency and flexibility
> > to map as closely as possible to the unique scenario it is being used to
> > evaluate.
>
> I was willing to give your CFV proposal the benefit of the doubt
> (hence I made no comment in the published minutes) and while I
> understand these issues are outside of your control my recommendation
> is to defer CFV until OWASP has published their determination against
> the vendor.
>
> On Sat, Oct 10, 2015 at 12:57 PM, Tony Turner <tony at sentinel24.com> wrote:
> > Lack of weighting makes all criteria equally important. For the purpose of a
> > generic evaluation, that's fine but that does not map to how consumers need
> > to use evaluation tools. Not all implementations are the same, not all
> > requirements are the same and not all consumers will consider criteria with
> > the exact same weight. I'm sorry but I strongly disagree with you here. I'm
> > not talking about setting weights, I'm talking about providing the
> > flexibility for the user of the tool to set their own weights. Please
> > provide concrete examples of how you find this to be problematic.
>
> I have no issue with the end user making their own independent
> decision [on weighting] but I disagree WAFEC should be proposing a
> scheme about weighing that influences the end user in making the wrong
> decision in hindsight.
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>