WASC Web Application Firewall Evaluation Criteria Project Mailing List
In the interest of full disclosure I wanted to announce to the list that
Mark Kraynak and Amichai Shulman of Imperva have provided us with the
source code for the Imperva WTF WAF testing tool. Out intent is not to
rebrand as a WAFEC tool, but to utilize as guide for the development of a
separate independent tool. It will likely be a very different tool and I
want to reiterate that we are not intending to re-release any of their work
effort without significant rework or at the very least, a comprehensive
review. At this time I don't know exactly what that will look like as we
have not gathered requirements yet.
Some of the logic and structure may remain, but I wanted to make sure there
was transparency around this resource for WAFEC. If there are those on this
list who have an interest in being actively involved in the development of
this new toolset or have specific requirements you would like the tool to
address, please shoot me an email and I'll get you added to the development
team, or at the very least get your requests added to the list. If you are
a vendor, and have specific concerns about this approach, please let me
know. I'd love to get your feedback.
I don't intend to ramp up dev efforts for a few more months, at least not
until the actual criteria are more well defined for the next version but I
wanted to get the ball rolling so we can start gathering requirements and
head off any concerns in advance of actual dev work starting. Lastly, we
will not release any tool publicly as an official WAFEC deliverable until
all members of the vendor subgroup have had a chance to review it.
If you are a WAF vendor and wish to be added to the vendor subgroup, please
shoot me an email with your contact information and role. We are not
excluding any vendor from this process.
As of this time, the following vendors are represented on our vendor
subgroup:
--
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner@owasp.org
https://www.owasp.org/index.php/Orlando
Tony,
I find the publication of your e-mail sent on a Friday evening (USA
timezone) is intended to "fly under the radar".
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
In the interest of full disclosure I wanted to announce to the list that
Mark Kraynak and Amichai Shulman of Imperva have provided us with the source
code for the Imperva WTF WAF testing tool. Our intent is not to rebrand as a
WAFEC tool, but to utilize as a guide for the development of a separate
independent tool. It will likely be a very different tool and I want to
reiterate that we are not intending to re-release any of their work effort
without significant rework or at the very least, a comprehensive review. At
this time I don't know exactly what that will look like as we have not
gathered requirements yet.
This is a conflict of interest that you have not disclosed as you:
http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
(dated days ago) and excluded bodies of work i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
Some of the logic and structure may remain, but I wanted to make sure there
was transparency around this resource for WAFEC. If there are those on this
list who have an interest in being actively involved in the development of
this new toolset or have specific requirements you would like the tool to
address, please shoot me an email and I'll get you added to the development
team, or at the very least get your requests added to the list. If you are a
vendor, and have specific concerns about this approach, please let me know.
I'd love to get your feedback.
I consider this a breach of
https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
i.e. the source code should be available under an applicable FOSS
license.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
I don't intend to ramp up dev efforts for a few more months, at least not
until the actual criteria are more well defined for the next version but I
wanted to get the ball rolling so we can start gathering requirements and
head off any concerns in advance of actual dev work starting. Lastly, we
will not release any tool publicly as an official WAFEC deliverable until
all members of the vendor subgroup have had a chance to review it.
At BlackHat USA (August 2015) you alluded to the creation of a
consolidating all contribution into a single Google Document i.e. 6 of
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
Can I please have access to this Google Doc(s) ASAP? If not, then it
is reasonable to infer that you have made no effort to deliver over
three months. Rather, WAFEC has been used to promote the business
interests of GuidePoint Security (your employer) in addition to other
marketing, such as
https://twitter.com/guidepointsec/status/656090183125835778 dated 15
October 2015.
Neither are vendors to influence WAFEC due to their conflict of
interest. Hence, the requirement that the leader of this project is
an end user (consumer) of WAF products and not a reseller.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
If you are a WAF vendor and wish to be added to the vendor subgroup, please
shoot me an email with your contact information and role. We are not
excluding any vendor from this process.
It would defy belief that you have not at least attempted to make
contact with the other WAF vendors but then again GuidePoint Security
do not have a reseller agreement with these other vendors.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
As of this time, the following vendors are represented on our vendor
subgroup:
Verizon
Radware
Ergon
Cdnetworks
Imperva
F5
Sentrix
A majority of these are replicated from
http://www.guidepointsecurity.com/vendors
In conclusion, in light of the recent promotional activities of
GuidePoint Security and Imperva and others such as
https://twitter.com/guidepointsec/status/656090183125835778 and if you
are unable to provide access to the Google Doc that we discussed at
BlackHat and the source code, then I respectfully request that you
resign from this project due to these ongoing conflicts of interest
with GuidePoint Security?
--
Regards,
Christian Heinrich
I sent it 9:40 AM EDT. Try again. That being said I oppose any precedent
that restricts when I can send an email. I'm a volunteer, I'll work on
WAFEC when I have the time, even late on a Friday should I choose.
On Nov 20, 2015 4:53 PM, "Christian Heinrich" christian.heinrich@cmlh.id.au
wrote:
Tony,
I find the publication of your e-mail sent on a Friday evening (USA
timezone) is intended to "fly under the radar".
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
In the interest of full disclosure I wanted to announce to the list that
Mark Kraynak and Amichai Shulman of Imperva have provided us with the source
code for the Imperva WTF WAF testing tool. Our intent is not to rebrand as a
WAFEC tool, but to utilize as a guide for the development of a separate
independent tool. It will likely be a very different tool and I want to
reiterate that we are not intending to re-release any of their work effort
without significant rework or at the very least, a comprehensive review. At
this time I don't know exactly what that will look like as we have not
gathered requirements yet.
This is a conflict of interest that you have not disclosed as you:
http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
(dated days ago) and excluded bodies of work i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
Some of the logic and structure may remain, but I wanted to make sure there
was transparency around this resource for WAFEC. If there are those on this
list who have an interest in being actively involved in the development of
this new toolset or have specific requirements you would like the tool to
address, please shoot me an email and I'll get you added to the development
team, or at the very least get your requests added to the list. If you are a
vendor, and have specific concerns about this approach, please let me know.
I'd love to get your feedback.
I consider this a breach of
https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
i.e. the source code should be available under an applicable FOSS
license.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
I don't intend to ramp up dev efforts for a few more months, at least not
until the actual criteria are more well defined for the next version but I
wanted to get the ball rolling so we can start gathering requirements and
head off any concerns in advance of actual dev work starting. Lastly, we
will not release any tool publicly as an official WAFEC deliverable until
all members of the vendor subgroup have had a chance to review it.
At BlackHat USA (August 2015) you alluded to the creation of a
consolidating all contribution into a single Google Document i.e. 6 of
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
Can I please have access to this Google Doc(s) ASAP? If not, then it
is reasonable to infer that you have made no effort to deliver over
three months. Rather, WAFEC has been used to promote the business
interests of GuidePoint Security (your employer) in addition to other
marketing, such as
https://twitter.com/guidepointsec/status/656090183125835778 dated 15
October 2015.
Neither are vendors to influence WAFEC due to their conflict of
interest. Hence, the requirement that the leader of this project is
an end user (consumer) of WAF products and not a reseller.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
If you are a WAF vendor and wish to be added to the vendor subgroup, please
shoot me an email with your contact information and role. We are not
excluding any vendor from this process.
It would defy belief that you have not at least attempted to make
contact with the other WAF vendors but then again GuidePoint Security
do not have a reseller agreement with these other vendors.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
As of this time, the following vendors are represented on our vendor
subgroup:
Verizon
Radware
Ergon
Cdnetworks
Imperva
F5
Sentrix
A majority of these are replicated from
http://www.guidepointsecurity.com/vendors
In conclusion, in light of the recent promotional activities of
GuidePoint Security and Imperva and others such as
https://twitter.com/guidepointsec/status/656090183125835778 and if you
are unable to provide access to the Google Doc that we discussed at
BlackHat and the source code, then I respectfully request that you
resign from this project due to these ongoing conflicts of interest
with GuidePoint Security?
--
Regards,
Christian Heinrich
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
Tony,
On Sat, Nov 21, 2015 at 11:19 AM, Tony Turner tony@sentinel24.com wrote:
I sent it 9:40 AM EDT. Try again. That being said I oppose any precedent
that restricts when I can send an email. I'm a volunteer, I'll work on WAFEC
when I have the time, even late on a Friday should I choose.
It's fairly common practice for breach notifications, etc to be sent
out on Friday afternoon to reduce the audience that would read the bad
press.
However, it is also well known that the extensive lag to deliver
e-mail from OWASP is due to the "golden handshake" given to the
employer of an OWASP Board Member rather than award this to a mailing
list service provider whose performance is governed by an SLA.
Can I please request read only access to the Google Doc repository in
light of the fact you have described your recent effort to OWASP as a
"Project Reboot"?
Can you please disclose the professional background of Rafael
Chileshe, who is described as a Project Co-Leader of WAFEC within
https://www.youtube.com/watch?v=49M-YqAEtDg too, including his
relationship with Radware (i.e. the logo on his polo shirt).
Since you are aware of the recent conflict of interest of the OWASP
Project Leader with their [OWASP] Benchmark Project i.e.
http://lists.owasp.org/pipermail/owasp-board/2015-October/016470.html
I don't consider putting the above to you is unreasonable in light of
our effort to counter the false accusation that WASC is a "a vendor
organization directly competing with" [OWASP] quoted from
http://lists.owasp.org/pipermail/owasp-board/2007-March/005551.html
--
Regards,
Christian Heinrich
OK, let me try this again Christian because I didn't see all your libelous
accusations below.
On Nov 20, 2015 4:53 PM, "Christian Heinrich" christian.heinrich@cmlh.id.au
wrote:
Tony,
I find the publication of your e-mail sent on a Friday evening (USA
timezone) is intended to "fly under the radar".
I've already stated this was a 9:40 AM email for me. Not exactly hiding
anything
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
In the interest of full disclosure I wanted to announce to the list that
Mark Kraynak and Amichai Shulman of Imperva have provided us with the source
code for the Imperva WTF WAF testing tool. Our intent is not to rebrand as a
WAFEC tool, but to utilize as a guide for the development of a separate
independent tool. It will likely be a very different tool and I want to
reiterate that we are not intending to re-release any of their work effort
without significant rework or at the very least, a comprehensive review. At
this time I don't know exactly what that will look like as we have not
gathered requirements yet.
This is a conflict of interest that you have not disclosed as you:
No they will not. You are making unfounded assumptions. I do have a loose
set of requirements in my head but WAFEC has not officially documented the
list of requirements. That is the process. Not me looking at Imperva's WTF
tool and laying out a roadmap that aligns with that. Any pre-development
work will start with a structured set of requirements that the
community will get a commentary period on.
Yup, my employer works with just about any decent security vendor that
customers might want to buy a product with that we happen to have had
occasion to deal with. I was transparent about my employer before I took
over WAFEC. As you noted in your response, it's a rather large list of
vendors.
(dated days ago) and excluded bodies of work i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
I have not excluded any bodies of work. I did not receive sufficient
response on my query to be noteworthy at that time. Lots of people telling
me it was a great idea, nobody that actually wanted to contribute anything.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
Some of the logic and structure may remain, but I wanted to make sure there
was transparency around this resource for WAFEC. If there are those on this
list who have an interest in being actively involved in the development of
this new toolset or have specific requirements you would like the tool to
address, please shoot me an email and I'll get you added to the development
team, or at the very least get your requests added to the list. If you are a
vendor, and have specific concerns about this approach, please let me know.
I'd love to get your feedback.
I consider this a breach of
https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
i.e. the source code should be available under an applicable FOSS
license.
What source code? Imperva's? Go talk to them if you have an issue with
their licensing. WAFEC does not have source code to actually be in
violation of any license. We have not yet started development. I simply
accepted Imperva's offer for the sharing of their source code.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
I don't intend to ramp up dev efforts for a few more months, at least not
until the actual criteria are more well defined for the next version but I
wanted to get the ball rolling so we can start gathering requirements and
head off any concerns in advance of actual dev work starting. Lastly, we
will not release any tool publicly as an official WAFEC deliverable until
all members of the vendor subgroup have had a chance to review it.
At BlackHat USA (August 2015) you alluded to the creation of a
consolidating all contribution into a single Google Document i.e. 6 of
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
Can I please have access to this Google Doc(s) ASAP?
The document was worked on at AppSecUSA WAFEC Workshop with Raphael
Chileshe of Radware. Why only Radware you might ask? Because nobody else
showed up. The invitation was open to all. He did not make any changes to
the core document, and the crux of our efforts was a reorganization of
content and roadmap realignment and then general conversation around the
project. I'll be happy to provide a link for any contributor who wishes it,
but at this point I'm not really ready to post it publicly for comment yet.
If not, then it
is reasonable to infer that you have made no effort to deliver over
three months.
I'm a busy man. I work a lot of hours and have a family as well. I'm
aligned with the roadmap we posted at the OWASP wiki and the project is
moving. Slowly, but moving.
Rather, WAFEC has been used to promote the business
interests of GuidePoint Security (your employer) in addition to other
marketing, such as
https://twitter.com/guidepointsec/status/656090183125835778 dated 15
October 2015.
I run WAF services offerings for my employer. I don't sell products. I
don't get commission for products. My association with open source projects
that are relevant to the professional services my company and I provide,
brings insight for customers who want to understand who it is they are
doing business with. There are no OWASP or WASC branded logos on our blog.
We do not claim to have an OWASP or WASC authorized or approved product or
service. My association with WAFEC is not a secret, nor should it be. My
employer graciously allows me to use their time (when I'm not billing) to
work on WAFEC. I don't see any issue here with daring to mention my
involvement with an open source project focused on WAF when stating
credentials for a blog post on WAF best practices.
Neither are vendors to influence WAFEC due to their conflict of
interest. Hence, the requirement that the leader of this project is
an end user (consumer) of WAF products and not a reseller.
That was not a requirement and I clearly stated my affiliations before
taking over the project. There were no objections then.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
If you are a WAF vendor and wish to be added to the vendor subgroup, please
shoot me an email with your contact information and role. We are not
excluding any vendor from this process.
It would defy belief that you have not at least attempted to make
contact with the other WAF vendors but then again GuidePoint Security
do not have a reseller agreement with these other vendors.
I also physically visited tradeshow booths at Black Hat for A10 (who we
resell) and Citrix (who we resell) and did not receive sufficient
information from them to facilitate a relationship with WAFEC. I'm still
open to conversations there. I am very disconnected from the VAR sales
cycle at GuidePoint and do not have the vendor relationships you think I do.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
As of this time, the following vendors are represented on our vendor
subgroup:
Verizon
Radware
Ergon
Cdnetworks
Imperva
F5
Sentrix
A majority of these are replicated from
http://www.guidepointsecurity.com/vendors
2 out of 7 vendors is hardly a majority
In conclusion, in light of the recent promotional activities of
GuidePoint Security and Imperva and others such as
https://twitter.com/guidepointsec/status/656090183125835778 and if you
are unable to provide access to the Google Doc that we discussed at
BlackHat and the source code, then I respectfully request that you
resign from this project due to these ongoing conflicts of interest
with GuidePoint Security?
I will provide access to the doc for contributors. Contributors are part of
my team. Anyone else will have to satisfy themselves with the previously
published version until we are prepared for comment. I assure you we will
not publish anything without an acceptable review period.
There is no source code.
Lastly, No.
This is the only time I will ever respond to one of these Christian. I gave
you a chance against the advice of many who spoke against you because I
know how passion can sometimes be misconstrued. Please don't make me regret
that decision. You can consider this my first and only warning.
--
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner@owasp.org
https://www.owasp.org/index.php/Orlando
Tony,
On Sat, Nov 21, 2015 at 1:03 PM, Tony Turner tony.turner@owasp.org wrote:
This is the only time I will ever respond to one of these Christian. I gave
you a chance against the advice of many who spoke against you because I know
how passion can sometimes be misconstrued. Please don't make me regret that
decision. You can consider this my first and only warning.
This is untrue and has been proven time and time again to be false by
OWASP Board Members such as:
Jim Manico who stated "I think he really was attacked in many ways"
within https://lists.owasp.org/pipermail/owasp-leaders/2012-July/007468.html
Josh Sokol who stated that Dinis Cruz "chastised an active project
leader for doing what it appears that several others were also doing
at the time, potentially furthered personal biases, created negative
feelings between Christian and OWASP, and just
generally seems unfair to me. I'm actually a bit ashamed that this inquiry
has been allowed to linger for so long as it just perpetuates the
things that we've done wrong," within
http://lists.owasp.org/pipermail/owasp-board/2014-February/013107.html
OWASP retraction itself is available from
https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project
It is well known that the ulterior motive of the OWASP Members who have
made these false character references against me is to divert
attention away from the discovery of their own corruption when relying
on biased witnesses such as
http://www.abc.net.au/news/2015-11-02/police-anti-fraud-project-subject-of-corruption-probe/6904914
http://www.theregister.co.uk/2015/11/02/tech_sponsored_qld_police_project_queried_by_corruption_probe/
http://www.theaustralian.com.au/business/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
etc
Therefore, can you retract your character reference as it is false?
You are more than welcome to provide the names of the parties you have
spoken to about me so I can follow up with them too?
If you are unable to provide access to the source code from Imperva and
the Google Doc (in violation of OWASP's own policies) then I would
like to have the management of WAFEC transferred back to me as I have
an extensive public record of contributing to this project and no
affiliation to a vendor or reseller.
I have no issue in continuing to work with you and/or OWASP in the
development of WAFEC during and after the transition of this project's
management.
--
Regards,
Christian Heinrich
On Sat, Nov 21, 2015 at 1:03 PM, Tony Turner tony.turner@owasp.org wrote:
OK, let me try this again Christian because I didn't see all your libelous
accusations below.
On Nov 20, 2015 4:53 PM, "Christian Heinrich"
christian.heinrich@cmlh.id.au wrote:
Tony,
I find the publication of your e-mail sent on a Friday evening (USA
timezone) is intended to "fly under the radar".
I've already stated this was a 9:40 AM email for me. Not exactly hiding
anything
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
In the interest of full disclosure I wanted to announce to the list that
Mark Kraynak and Amichai Shulman of Imperva have provided us with the
source
code for the Imperva WTF WAF testing tool. Out intent is not to rebrand
as a
WAFEC tool, but to utilize as guide for the development of a separate
independent tool. It will likely be a very different tool and I want to
reiterate that we are not intending to re-release any of their work
effort
without significant rework or at the very least, a comprehensive review.
At
this time I don't know exactly what that will look like as we have not
gathered requirements yet.
This a conflict of interest that you have not disclosed as you:
No they will not. You are making unfounded assumptions. I do have a loose
set of requirements in my head but WAFEC has not officially documented the
list of requirements. That is the process. Not me looking at Imperva's WTF
tool and laying out a roadmap that aligns with that. Any pre-development
work will start with the a structured set of requirements that the
community will get a commentary period on.
Yup, my employer works with just about any decent security vendor that
customers might want to buy a product with that we happen to have had
occasion to deal with. I was transparent about my employer before I took
over WAFEC. As you noted in your response, it's a rather large list of
vendors.
(dated days ago) and exluded bodies of work i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
I have not excluded any bodies of work. i did not receive sufficient
response on my query to be noteworthy at that time. Lot's of people telling
me it was a great idea, nobody that actually wanted to contribute anything.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org
wrote:
Some of the logic and structure may remain, but I wanted to make sure
there
was transparency around this resource for WAFEC. If there are those on
this
list who have an interest in being actively involved in the development
of
this new toolset or have specific requirements you would like the tool
to
address, please shoot me an email and I'll get you added to the
development
team, or at the very least get your requests added to the list. If you
are a
vendor, and have specific concerns about this approach, please let me
know.
I'd love to get your feedback.
I consider this a breach of
https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
i.e. the source code should be available under an applicable FOSS
license.
What source code? Imperva's? Go talk to them if you have an issue with their
licensing. WAFEC does not have source code to actually be in violation of
any license. We have not yet started development. i simply accepted
Imperva's offer for the sharing of their source code.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
I don't intend to ramp up dev efforts for a few more months, at least not
until the actual criteria are more well defined for the next version but I
wanted to get the ball rolling so we can start gathering requirements and
head off any concerns in advance of actual dev work starting. Lastly, we
will not release any tool publicly as an official WAFEC deliverable until
all members of the vendor subgroup have had a chance to review it.
At BlackHat USA (August 2015) you alluded to the creation of a
consolidating all contribution into a single Google Document i.e. 6 of
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
Can I please have access to this Google Doc(s) ASAP?
The document was worked on at AppSecUSA WAFEC Workshop with Raphael Chileshe
of Radware. Why only Radware you might ask? Because nobody else showed up.
The invitation was open to all. He did not make any changes to the core
document, and the crux of our efforts was a reorganization of content and
roadmap realignment and then general conversation around the project. I'll
be happy to provide a link for any contributor who wishes it, but at this
point I'm not really ready to post it publicly for comment yet.
If not, then it
is reasonable to infer that you have made no effort to deliver over
three months.
I'm a busy man. I work a lot of hours and have a family as well. I'm aligned
with the roadmap we posted at the OWASP wiki and the project is moving.
Slowly, but moving.
Rather, WAFEC has been used to promote the business
interests of GuidePoint Security (your employer) in addition to other
marketing, such as
https://twitter.com/guidepointsec/status/656090183125835778 dated 15
October 2015.
I run WAF services offerings for my employer. I don't sell products. I don't
get commission for products. My association with open source projects that
are relevant to the professional services my company and I provide brings
insight for customers who want to understand who it is they are doing
business with. There are no OWASP or WASC branded logos on our blog. We do
not claim to have an OWASP or WASC authorized or approved product or
service. My association with WAFEC is not a secret, nor should it be. My
employer graciously allows me to use their time (when I'm not billing) to
work on WAFEC. I don't see any issue here with daring to mention my
involvement with an open source project focused on WAF when stating
credentials for a blog post on WAF best practices.
Neither are vendors to influence WAFEC due to their conflict of
interest. Hence, the requirement that the leader of this project is
an end user (consumer) of WAF products and not a reseller.
That was not a requirement and I clearly stated my affiliations before
taking over the project. There were no objections then.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
If you are a WAF vendor and wish to be added to the vendor subgroup, please
shoot me an email with your contact information and role. We are not
excluding any vendor from this process.
It would defy belief that you have not at least attempted to make
contact with the other WAF vendors but then again GuidePoint Security
do not have a reseller agreement with these other vendors.
I also physically visited tradeshow booths at Black Hat for A10 (who we
resell) and Citrix (who we resell) and did not receive sufficient
information from them to facilitate a relationship with WAFEC. I'm still
open to conversations there. I am very disconnected from the VAR sales cycle
at GuidePoint and do not have the vendor relationships you think I do.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
As of this time, the following vendors are represented on our vendor
subgroup:
Verizon
Radware
Ergon
Cdnetworks
Imperva
F5
Sentrix
A majority of these are replicated from
http://www.guidepointsecurity.com/vendors
2 out of 7 vendors is hardly a majority
In conclusion, in light of the recent promotional activities of
GuidePoint Security and Imperva and others such as
https://twitter.com/guidepointsec/status/656090183125835778 and if you
are unable to provide access to the Google Doc that we discussed at
BlackHat and the source code, then I respectfully request that you
resign from this project due to these ongoing conflicts of interest
with GuidePoint Security?
I will provide access to the doc for contributors. Contributors are part of
my team. Anyone else will have to satisfy themselves with the previously
published version until we are prepared for comment. I assure you we will
not publish anything without an acceptable review period.
There is no source code.
Lastly, No.
This is the only time I will ever respond to one of these Christian. I gave
you a chance against the advice of many who spoke against you because I know
how passion can sometimes be misconstrued. Please don't make me regret that
decision. You can consider this my first and only warning.
On Fri, Nov 20, 2015 at 7:19 PM, Tony Turner tony@sentinel24.com wrote:
I sent it 9:40 AM EDT. Try again. That being said I oppose any precedent
that restricts when I can send an email. I'm a volunteer, I'll work on WAFEC
when I have the time, even late on a Friday should I choose.
On Nov 20, 2015 4:53 PM, "Christian Heinrich"
christian.heinrich@cmlh.id.au wrote:
Tony,
I find the publication of your e-mail sent on a Friday evening (USA
timezone) is intended to "fly under the radar".
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
In the interest of full disclosure I wanted to announce to the list that
Mark Kraynak and Amichai Shulman of Imperva have provided us with the source
code for the Imperva WTF WAF testing tool. Our intent is not to rebrand as a
WAFEC tool, but to utilize as a guide for the development of a separate
independent tool. It will likely be a very different tool and I want to
reiterate that we are not intending to re-release any of their work effort
without significant rework or at the very least, a comprehensive review. At
this time I don't know exactly what that will look like as we have not
gathered requirements yet.
This is a conflict of interest that you have not disclosed as you:
http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
(dated days ago) and excluded bodies of work i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000312.html
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
Some of the logic and structure may remain, but I wanted to make sure there
was transparency around this resource for WAFEC. If there are those on this
list who have an interest in being actively involved in the development of
this new toolset or have specific requirements you would like the tool to
address, please shoot me an email and I'll get you added to the development
team, or at the very least get your requests added to the list. If you are a
vendor, and have specific concerns about this approach, please let me know.
I'd love to get your feedback.
I consider this a breach of
https://www.owasp.org/index.php/OWASP_Project_Inventory#Labs_Projects
i.e. the source code should be available under an applicable FOSS
license.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
I don't intend to ramp up dev efforts for a few more months, at least not
until the actual criteria are more well defined for the next version but I
wanted to get the ball rolling so we can start gathering requirements and
head off any concerns in advance of actual dev work starting. Lastly, we
will not release any tool publicly as an official WAFEC deliverable until
all members of the vendor subgroup have had a chance to review it.
At BlackHat USA (August 2015) you alluded to the creation of a
consolidating all contribution into a single Google Document i.e. 6 of
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2015-September/000313.html
Can I please have access to this Google Doc(s) ASAP? If not, then it
is reasonable to infer that you have made no effort to deliver over
three months. Rather, WAFEC has been used to promote the business
interests of GuidePoint Security (your employer) in addition to other
marketing, such as
https://twitter.com/guidepointsec/status/656090183125835778 dated 15
October 2015.
Neither are vendors to influence WAFEC due to their conflict of
interest. Hence, the requirement that the leader of this project is
an end user (consumer) of WAF products and not a reseller.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
If you are a WAF vendor and wish to be added to the vendor subgroup, please
shoot me an email with your contact information and role. We are not
excluding any vendor from this process.
It would defy belief that you have not at least attempted to make
contact with the other WAF vendors but then again GuidePoint Security
do not have a reseller agreement with these other vendors.
On Sat, Nov 21, 2015 at 1:40 AM, Tony Turner tony.turner@owasp.org wrote:
As of this time, the following vendors are represented on our vendor
subgroup:
Verizon
Radware
Ergon
Cdnetworks
Imperva
F5
Sentrix
A majority of these are replicated from
http://www.guidepointsecurity.com/vendors
In conclusion, in light of the recent promotional activities of
GuidePoint Security and Imperva and others such as
https://twitter.com/guidepointsec/status/656090183125835778 and if you
are unable to provide access to the Google Doc that we discussed at
BlackHat and the source code, then I respectfully request that you
resign from this project due to these ongoing conflicts of interest
with GuidePoint Security?
--
Regards,
Christian Heinrich
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
--
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner@owasp.org
https://www.owasp.org/index.php/Orlando
--
Regards,
Christian Heinrich
Tony,
Thank you very much for your message and the full transparency
which you provide. It is much appreciated as is your effort
to revive this project.
Words can not express how much this other Christian is going
on my nerves with his trolling.
Best regards,
Christian Folini
--
Our sense of responsibility is not always as well developed
as our sense of righteousness.
--- Mark Burgess, Principles of Network and System Administration
Christian,
On Sat, Nov 21, 2015 at 3:34 PM, Christian Folini
christian.folini@time-machine.ch wrote:
Words can not express how much this other Christian is going
on my nerves with his trolling.
That is completely unfair and out of line.
On Sat, Nov 21, 2015 at 3:34 PM, Christian Folini
christian.folini@time-machine.ch wrote:
Thank you very much for your message and the full transparency
which you provide. It is much appreciated as is your effort
to revive this project.
The fact of the matter is that there is no Google Doc and therefore
no way to contribute to WAFEC. Since Tony has described his effort as
a "reboot" and then delivered nothing, he can't claim to be a
"volunteer" in response to this criticism.
Tony could have directed Imperva to make a public release as an OWASP
Project and instead has attempted to influence the next requirements
of WAFEC as a direct result of
http://www.eventbrite.com/e/c-level-round-table-with-guidepoint-security-imperva-fireeye-tickets-18454616254
held during the week.
Furthermore, Tony could have removed WAFEC from the OWASP Summit as a
direct result of Radware's sole interest, instead they became a
project co-leader.
As I stated before, I would welcome Tony to execute the three requests
above as an act of good faith.
If not, then the only conclusion reached is that Tony has deliberately
positioned WAFEC for the promotion of WAF vendors associated with
GuidePoint Security without any regard to the risk of the reputation
of WASC.
Dear Tony,
dear all,
independently of the other discussions about vendors and OWASP, I'm
wondering what benefits the WAFEC sees in choosing such a tool from a
vendor.
As far as I know the WTF tool, it is designed to show that the Imperva
WAF default setup does 0% false positives and 0% false negatives - and
I guess we all know real world examples challenging those results.
Neither the technical details of the test, nor the evaluation criteria
seem to be comprehensive or balanced.
The tool runs a number of requests and evaluates whether the WAF
responds or the actual server. This functionality can be reproduced in a
few lines of code.
All details, like the test patterns and the rating scheme, must be
freshly created for the WAFEC purpose anyway.
Maybe it would be easier to do a fresh start with the testing tool
instead, including criteria like the system background (kind of db,
language, application server, ..) as well as non-pattern-based features
(tls,...) and a re-test/comparison function for default and customized
settings.
Kind regards,
Christian Strache
On 20.11.2015 at 15:40, Tony Turner wrote:
In the interest of full disclosure I wanted to announce to the list
that Mark Kraynak and Amichai Shulman of Imperva have provided us with
the source code for the Imperva WTF WAF testing tool. Our intent is
not to rebrand as a WAFEC tool, but to utilize as a guide for the
development of a separate independent tool. It will likely be a very
different tool and I want to reiterate that we are not intending to
re-release any of their work effort without significant rework or at
the very least, a comprehensive review. At this time I don't know
exactly what that will look like as we have not gathered requirements
yet.
Some of the logic and structure may remain, but I wanted to make sure
there was transparency around this resource for WAFEC. If there are
those on this list who have an interest in being actively involved in
the development of this new toolset or have specific requirements you
would like the tool to address, please shoot me an email and I'll get
you added to the development team, or at the very least get your
requests added to the list. If you are a vendor, and have specific
concerns about this approach, please let me know. I'd love to get your
feedback.
I don't intend to ramp up dev efforts for a few more months, at least
not until the actual criteria are more well defined for the next
version but I wanted to get the ball rolling so we can start gathering
requirements and head off any concerns in advance of actual dev work
starting. Lastly, we will not release any tool publicly as an
official WAFEC deliverable until all members of the vendor subgroup
have had a chance to review it.
If you are a WAF vendor and wish to be added to the vendor subgroup,
please shoot me an email with your contact information and role. We
are not excluding any vendor from this process.
As of this time, the following vendors are represented on our vendor
subgroup:
--
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner@owasp.org
https://www.owasp.org/index.php/Orlando
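Christian Strache's description above (send a set of requests, decide whether the WAF or the origin answered each one, score false positives and false negatives, and re-test default against customised settings) as an added, self-contained example; this is not the WTF tool or any WAFEC code. It assumes the test origin is configured to stamp every response it serves with an X-Origin-Marker header (assumed name) so that a response lacking it is attributed to the WAF; test cases are opaque labelled ids with constructed responses, no real request payloads.

```python
"""Minimal WAF-vs-origin scoring harness (added example, not the WTF tool).

Assumption (not from the thread): the test origin adds an X-Origin-Marker
header to every response it serves, so a response without that marker was
produced by something in front of the origin, i.e. the WAF.  Cases are
labelled up front as expected_blocked=True/False; only opaque case ids and
constructed responses are used here, no request payloads.
"""
from dataclasses import dataclass

ORIGIN_MARKER = "X-Origin-Marker"   # assumed header set by the test origin


@dataclass(frozen=True)
class TestCase:
    case_id: str
    expected_blocked: bool   # True for a request the WAF should stop


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict


def answered_by_waf(resp: Response) -> bool:
    """A response the origin did not mark as its own is attributed to the WAF.
    The status code alone is not enough: an origin can return 403 by itself."""
    return ORIGIN_MARKER not in resp.headers


def score(cases, responses):
    """Return (false_positive_rate, false_negative_rate, per_case) for one run.
    FP = benign request blocked; FN = request that should be blocked but reached origin."""
    fp = fn = benign = bad = 0
    per_case = {}
    for c in cases:
        blocked = answered_by_waf(responses[c.case_id])
        per_case[c.case_id] = blocked
        if c.expected_blocked:
            bad += 1
            fn += not blocked
        else:
            benign += 1
            fp += blocked
    return (fp / benign if benign else 0.0,
            fn / bad if bad else 0.0, per_case)


def compare_runs(cases, default_resp, custom_resp):
    """Re-test/comparison: cases whose outcome differs between two WAF settings."""
    _, _, d = score(cases, default_resp)
    _, _, c = score(cases, custom_resp)
    return {cid: (d[cid], c[cid]) for cid in d if d[cid] != c[cid]}


# Constructed sample data: two runs of the same four cases.
CASES = [TestCase("benign-1", False), TestCase("benign-2", False),
         TestCase("bad-1", True), TestCase("bad-2", True)]
DEFAULT = {"benign-1": Response(200, {ORIGIN_MARKER: "1"}),
           "benign-2": Response(403, {ORIGIN_MARKER: "1"}),  # origin's own 403, not a WAF block
           "bad-1": Response(403, {}),                        # blocked by the WAF
           "bad-2": Response(200, {ORIGIN_MARKER: "1"})}      # missed: reached the origin
CUSTOM = {**DEFAULT, "bad-2": Response(403, {}), "benign-1": Response(403, {})}

if __name__ == "__main__":
    for name, run in (("default", DEFAULT), ("custom", CUSTOM)):
        fp, fn, _ = score(CASES, run)
        print(f"{name}: FP rate {fp:.2f}, FN rate {fn:.2f}")
    print("changed:", compare_runs(CASES, DEFAULT, CUSTOM))
```

The comparison shows the trade-off Strache alludes to: the customised settings close the miss on bad-2 but start blocking benign-1, so a 0%/0% result on one profile says little without the re-test.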
We are not "choosing" the Imperva tool. We are researching existing tools.
I started with what I knew, and would be happy to look at any others that
might be worthwhile. It's most likely that yes, we will probably create
something new but the entire purpose of this original email was to let the
community know we'd been in communication with Imperva on the topic, not
that we had selected their tool. We most certainly have not.
On Nov 21, 2015 6:05 AM, "Christian Strache" cs@strache-it.de wrote:
Dear Tony,
dear all,
independently of the other discussions about vendors and OWASP, I'm
wondering what benefits the WAFEC sees in choosing such a tool from a
vendor.
As far as I know the WTF tool, it is designed to show that the Imperva WAF
default setup does 0% false positives and 0% false negatives - and I guess
we all know real world examples challenging those results.
Neither the technical details of the test, nor the evaluation criteria
seem to be comprehensive or balanced.
The tool runs a number of requests and evaluates whether the WAF responds
or the actual server. This functionality can be reproduced in a few lines
of code.
All details, like the test patterns and the rating scheme, must be freshly
created for the WAFEC purpose anyway.
Maybe it would be easier to do a fresh start with the testing tool
instead, including criteria like the system background (kind of db,
language, application server, ..) as well as non-pattern-based features
(tls,...) and a re-test/comparison function for default and customized
settings.
Kind regards,
Christian Strache
On 20.11.2015 at 15:40, Tony Turner wrote:
In the interest of full disclosure I wanted to announce to the list that
Mark Kraynak and Amichai Shulman of Imperva have provided us with the
source code for the Imperva WTF WAF testing tool. Our intent is not to
rebrand as a WAFEC tool, but to utilize as a guide for the development of a
separate independent tool. It will likely be a very different tool and I
want to reiterate that we are not intending to re-release any of their work
effort without significant rework or at the very least, a comprehensive
review. At this time I don't know exactly what that will look like as we
have not gathered requirements yet.
Some of the logic and structure may remain, but I wanted to make sure
there was transparency around this resource for WAFEC. If there are those
on this list who have an interest in being actively involved in the
development of this new toolset or have specific requirements you would
like the tool to address, please shoot me an email and I'll get you added
to the development team, or at the very least get your requests added to
the list. If you are a vendor, and have specific concerns about this
approach, please let me know. I'd love to get your feedback.
I don't intend to ramp up dev efforts for a few more months, at least not
until the actual criteria are more well defined for the next version but I
wanted to get the ball rolling so we can start gathering requirements and
head off any concerns in advance of actual dev work starting. Lastly, we
will not release any tool publicly as an official WAFEC deliverable until
all members of the vendor subgroup have had a chance to review it.
If you are a WAF vendor and wish to be added to the vendor subgroup,
please shoot me an email with your contact information and role. We are not
excluding any vendor from this process.
As of this time, the following vendors are represented on our vendor
subgroup:
- Verizon
- Radware
- Ergon
- Cdnetworks
- Imperva
- F5
- Sentrix
--
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner@owasp.org
https://www.owasp.org/index.php/Orlando