WASC Web Application Firewall Evaluation Criteria Project Mailing List
Ofer,
I have just reviewed
http://projects.webappsec.org/w/page/54150727/WAFEC%202#Contributors
I have noticed that three out of the seven people (~42%) listed as
"contributors" are from a single WAF vendor (who I have deliberately
not named), including their SVP of Marketing.
To avoid the greater webappsec community (false or otherwise) claiming
that the WAFECv2 has been subverted by a single WAF vendor (who I have
deliberately not named) can we please include a "Conflict of interest"
section that WAFECv2 has been reviewed by other WAF vendors too i.e.
based on http://projects.webappsec.org/w/page/54150727/WAFEC%202#Reviewers
this would include "Barracuda Networks", F5, "Mykonos, a Juniper
Company", etc
I am willing to contribute this small section if you don't have the time?
Obviously, the optimal solution would be to have shared contributors
from at least two WAF vendors per section (if the contributor is not a
WAF vendor or reseller) and perhaps we can introduce this policy in
the development of WAFECv3?
--
Regards,
Christian Heinrich
On 19.07.2013 03:31, Christian Heinrich wrote:
> To avoid the greater webappsec community (false or otherwise) claiming
> that the WAFECv2 has been subverted by a single WAF vendor (who I have
> deliberately not named) can we please include a "Conflict of interest"
> section that WAFECv2 has been reviewed by other WAF vendors too i.e.
> based on http://projects.webappsec.org/w/page/54150727/WAFEC%202#Reviewers
> this would include "Barracuda Networks", F5, "Mykonos, a Juniper
> Company", etc
Hi Christian,
just to be more precise: you mean that the "Conflict of interest" section
points out that even the contributions are from 3 vendors, it has been reviewed
by other (ca. 5) vendors. So we have ca. 8 vendors in total.
Sounds fair.
Cheers
Achim
Achim,
On Fri, Jul 19, 2013 at 7:21 PM, Achim Hoffmann <websec10@sic-sec.org> wrote:
> just to be more precise: you mean that the "Conflict of interest" section
> points out that even the contributions are from 3 vendors, it has been reviewed
> by other (ca. 5) vendors. So we have ca. 8 vendors in total.
> Sounds fair.
I count seven people at
http://projects.webappsec.org/w/page/54150727/WAFEC%202#Contributors
but I may be wrong.
At first glance
http://projects.webappsec.org/w/page/54150727/WAFEC%202#Contributors
appears to be dominated by a single vendor. However this is not the
case when it is considered under the context of names assigned to each
section within http://projects.webappsec.org/w/page/60249779/WAFEC_2_Outline
The core issue is that of first impression of the reader and
clarifying this at the beginning of WAFECv2 would avoid their above
(incorrect) conclusion by the reader [of WAFECv2].
I'll assume it might be possible to extract the percentage of each
contributor too and if the total of these three [contributors] are
lower than that of the other four [contributors] then this metric
would also be helpful?
--
Regards,
Christian Heinrich
Christian,
This is a community project: people will always have a day job and a night
job and they are never completely separated. As long as we keep transparency
and open review to everyone, listed or not, and I believe your pointers
show that we do, we are OK and I will not add such a "warning".
~ Ofer
-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf
Of Christian Heinrich
Sent: 20 July 2013 03:09
To: Achim Hoffmann
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Proposed "Conflict of Interest" Section?
Achim,
On Fri, Jul 19, 2013 at 7:21 PM, Achim Hoffmann <websec10@sic-sec.org> wrote:
> just to be more precise: you mean that the "Conflict of interest"
> section points out that even the contributions are from 3 vendors, it
> has been reviewed by other (ca. 5) vendors. So we have ca. 8 vendors in
> total.
> Sounds fair.
I count seven people at
http://projects.webappsec.org/w/page/54150727/WAFEC%202#Contributors
but I may be wrong.
At first glance
http://projects.webappsec.org/w/page/54150727/WAFEC%202#Contributors
appears to be dominated by a single vendor. However this is not the case
when it is considered under the context of names assigned to each section
within http://projects.webappsec.org/w/page/60249779/WAFEC_2_Outline
The core issue is that of first impression of the reader and clarifying this
at the beginning of WAFECv2 would avoid their above
(incorrect) conclusion by the reader [of WAFECv2].
I'll assume it might be possible to extract the percentage of each
contributor too and if the total of these three [contributors] are lower
than that of the other four [contributors] then this metric would also be
helpful?
--
Regards,
Christian Heinrich
Ofer,
On Sun, Jul 28, 2013 at 3:25 PM, Ofer Shezaf <ofer@shezaf.com> wrote:
> This is a community project: people will always have a day job and a night
> job and they are never completely separated. As long as we keep transparency
> and open review to everyone, listed or not, and I believe your pointers
> show that we do, we are OK and I will not add such a "warning".
SVP of Marketing do not have engage in night jobs that leverage their
engineering degree! as opposed to their "creative writing" degree.
I will accept your "won't fix" response under protest.
--
Regards,
Christian Heinrich