WASC Web Application Firewall Evaluation Criteria Project Mailing List
Hi All,
As promised I am opening the vote for making WAFEC a joint WASC and OWASP
project.
The proposed guidelines for this move are (updated based on comments from
the group and WASC officers):
The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".
Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the
OWASP GPC (i.e. Project Committee) and by the WASC officers. The project
leader is the arbitrator in case of a conflict (this change is based on a
request by Jeremiah Grossman, WASC founder).
Participation is open for all and does not require being an OWASP
or a WASC member.
Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)
Now for my voting pitch:
I think the change is important and would benefit WAFEC tremendously. I
would go a step further: it is needed to ensure we actually succeed:
Why?
Making it happen - we need more people. I now have two chapters
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.
Outreach - people in the application security community have heard
about OWASP, and joining hands with OWASP would enable leveraging this to
reach more people. This includes chapters outreach (from Khartoum, The Sudan
to Omaha, Nebraska) as well as an official room in local and global
conferences.
Vendor image - WASC is perceived as a "vendors' organization" and
the list of participants in WAFEC certainly proves that. Affiliation with
OWASP will help popularize WAFEC also with customers, which I think is very
good for the project.
I must say I think it would be hard for me to complete the project
successfully otherwise.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]
Hi Ofer,
my vote is yes: join WASC and OWASP for WAFEC.
According to your description, I'll have some questions for clarification, please
see inline below.
Cheers
Achim
On 12.11.2012 11:17, Ofer Shezaf wrote:
> Hi All,
> As promised I am opening the vote for making WAFEC a joint WASC and OWASP
> project.
> The proposed guidelines for this move are (updated based on comments from
> the group and WASC officers):
> The name, when affiliation is used, would be "The WASC/OWASP Web
> Application Firewall Evaluation Criteria".
> Governance would be mutual, i.e. any decision about the project
> which is not within the project team itself has to be agreed upon by the
> OWASP GPC (i.e. Project Committee) and by the WASC officers.
What does this mean: "decision about the project which is not within the project team"?
Could you please give an example?
E.g. OWASP GPC only gives the "go" for a project, that's it.
If a project gets abandoned, it will be marked so.
> The project
> leader is the arbitrator in case of a conflict (this change is based on a
> request by Jeremiah Grossman, WASC founder).
Does this mean that the (OWASP) project leader does not/must not participate in
writing the document?
@Jeremiah, I can imagine your objections due to other (probably;-) biased projects,
but a bit of a description of what the leader should and should not do would be nice.
> Participation is open for all and does not require being an OWASP
> or a WASC member.
> Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
> UTC-11, time zone)
> Now for my voting pitch:
> I think the change is important and would benefit WAFEC tremendously. I
> would go a step further: it is needed to ensure we actually succeed:
> Why?
> Making it happen - we need more people. I now have two chapters
> assigned and many are still waiting. Joining hands with OWASP will make
> joining the project appealing to many more people.
> Outreach - people in the application security community have heard
> about OWASP, and joining hands with OWASP would enable leveraging this to
> reach more people. This includes chapters outreach (from Khartoum, The Sudan
> to Omaha, Nebraska) as well as an official room in local and global
> conferences.
> Vendor image - WASC is perceived as a "vendors' organization" and
> the list of participants in WAFEC certainly proves that. Affiliation with
> OWASP will help popularize WAFEC also with customers, which I think is very
> good for the project.
> I must say I think it would be hard for me to complete the project
> successfully otherwise.
> ~ Ofer
Hi,
my vote is as well yes: join WASC and OWASP for WAFEC.
Cheers
Julian Totzek-Hallhuber
Pre Sales Team Leader
Direct: +49 6124 70 25 50 2
Mobile : +49 160 97 28 50 04
jtotzek@denyall.com
On 12.11.2012 at 11:17, Ofer Shezaf <ofer@shezaf.com> wrote:
Hi All,
As promised I am opening the vote for making WAFEC a joint WASC and OWASP project.
The proposed guidelines for this move are (updated based on comments from the group and WASC officers):
• The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".
• Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The project leader is the arbitrator in case of a conflict (this change is based on a request by Jeremiah Grossman, WASC founder).
• Participation is open for all and does not require being an OWASP or a WASC member.
Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is UTC-11, time zone)
Now for my voting pitch:
I think the change is important and would benefit WAFEC tremendously. I would go a step further: it is needed to ensure we actually succeed:
Why?
• Making it happen – we need more people. I now have two chapters assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.
• Outreach – people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.
• Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.
I must say I think it would be hard for me to complete the project successfully otherwise.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
Yes.
--
Przemyslaw Skowron, <przemyslaw.skowron {at} gmail.com>
I vote YES.
From: Ofer Shezaf ofer@shezaf.com
Date: Monday, November 12, 2012 5:17 AM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Hi All,
As promised I am opening the vote for making WAFEC a joint WASC and OWASP
project.
The proposed guidelines for this move are (updated based on comments from the
group and WASC officers):
· The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".
· Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the OWASP
GPC (i.e. Project Committee) and by the WASC officers. The project leader is
the arbitrator in case of a conflict (this change is based on a request by
Jeremiah Grossman, WASC founder).
· Participation is open for all and does not require being an OWASP or
a WASC member.
Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
UTC-11, time zone)
Now for my voting pitch:
I think the change is important and would benefit WAFEC tremendously. I would
go a step further: it is needed to ensure we actually succeed:
Why?
· Making it happen - we need more people. I now have two chapters
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.
· Outreach - people in the application security community have heard
about OWASP, and joining hands with OWASP would enable leveraging this to
reach more people. This includes chapters outreach (from Khartoum, The Sudan
to Omaha, Nebraska) as well as an official room in local and global
conferences.
· Vendor image - WASC is perceived as a "vendors' organization" and
the list of participants in WAFEC certainly proves that. Affiliation with
OWASP will help popularize WAFEC also with customers, which I think is very
good for the project.
I must say I think it would be hard for me to complete the project
successfully otherwise.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]
I think that Jeremiah's comment was about a conflict between WASC and OWASP and not between team members; we are too many to assume a vote would end in a draw (and too few writers to allow me not to write anything).
This of course brings us back to the governance questions in the 1st place: when would a WASC officers' and a GPC decision be needed. As usual, such clauses are there to avoid unintended results even if not foreseen now. Setting general guidelines for projects at OWASP or WASC would be a good example. A recent (and not very critical) example was a suggestion to have all projects move to a common source repository made several weeks ago. The common governance rules mean that WAFEC would not have to follow that new guideline.
~ Ofer
-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Monday, November 12, 2012 12:51 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Hi Ofer,
my vote is yes: join WASC and OWASP for WAFEC.
According to your description, I'll have some questions for clarification, please see inline below.
Cheers
Achim
On 12.11.2012 11:17, Ofer Shezaf wrote:
> Hi All,
> As promised I am opening the vote for making WAFEC a joint WASC and
> OWASP project.
> The proposed guidelines for this move are (updated based on comments
> from the group and WASC officers):
> The name, when affiliation is used, would be "The WASC/OWASP Web
> Application Firewall Evaluation Criteria".
> Governance would be mutual, i.e. any decision about the project
> which is not within the project team itself has to be agreed upon by
> the OWASP GPC (i.e. Project Committee) and by the WASC officers.
What does this mean: "decision about the project which is not within the project team"?
Could you please give an example?
E.g. OWASP GPC only gives the "go" for a project, that's it.
If a project gets abandoned, it will be marked so.
> The project
> leader is the arbitrator in case of a conflict (this change is based
> on a request by Jeremiah Grossman, WASC founder).
Does this mean that the (OWASP) project leader does not/must not participate in writing the document?
@Jeremiah, I can imagine your objections due to other (probably;-) biased projects, but a bit of a description of what the leader should and should not do would be nice.
> Participation is open for all and does not require being an OWASP
> or a WASC member.
> Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that
> is UTC-11, time zone)
> Now for my voting pitch:
> I think the change is important and would benefit WAFEC tremendously.
> I would go a step further: it is needed to ensure we actually succeed:
> Why?
> Making it happen - we need more people. I now have two chapters
> assigned and many are still waiting. Joining hands with OWASP will
> make joining the project appealing to many more people.
> Outreach - people in the application security community have heard
> about OWASP, and joining hands with OWASP would enable leveraging this
> to reach more people. This includes chapters outreach (from Khartoum,
> The Sudan to Omaha, Nebraska) as well as an official room in local and
> global conferences.
> Vendor image - WASC is perceived as a "vendors' organization" and
> the list of participants in WAFEC certainly proves that. Affiliation
> with OWASP will help popularize WAFEC also with customers, which I
> think is very good for the project.
> I must say I think it would be hard for me to complete the project
> successfully otherwise.
> ~ Ofer
Ofer,
I have been able to address some but not all of your e-mail and I will
attempt to complete the reply over this weekend i.e. before 19
November.
Below is what I can address right at this moment:
On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:
> · The name, when affiliation is used, would be "The WASC/OWASP Web
> Application Firewall Evaluation Criteria".
This doesn't resolve the issue around the (false) vendor perception of
WASC, since "WASC" would still be quoted within the project title.
Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?
On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:
> · Participation is open for all and does not require being an OWASP
> or a WASC member.
Will I be able to present WAFEC at OWASP Conferences and Chapters?
On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:
> Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is
> UTC-11, time zone)
I believe the vote should be weighted somehow based on people's
allegiance to OWASP and/or WASC otherwise the vote could be perceived
as biased?
--
Regards,
Christian Heinrich
With regards to most of your comments: I am not going to change the voting
agenda and process now.
With regard to presenting WAFEC in OWASP events, I think this is an
important comment and my answer is that as a WAFEC project member you should
be able to and I will make sure this is known. I need to say I don't think
you are limited from presenting in OWASP meetings today - presentation is
not limited to OWASP members.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Monday, November 12, 2012 10:56 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Ofer,
I have been able to address some but not all of your e-mail and I will
attempt to complete the reply over this weekend i.e. before 19 November.
Below is what I can address right at this moment:
On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:
> . The name, when affiliation is used, would be "The WASC/OWASP Web
> Application Firewall Evaluation Criteria".
This doesn't resolve the issue around the (false) vendor perception of WASC,
since "WASC" would still be quoted within the project title.
Hence, I would recommend that we remove "WASC" and give complete project
ownership to OWASP i.e. "The OWASP Web Application Firewall Evaluation
Criteria" otherwise this (false) perception would remain?
On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:
> . Participation is open for all and does not require being an OWASP
> or a WASC member.
Will I be able to present WAFEC at OWASP Conferences and Chapters?
On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:
> Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that
> is UTC-11, time zone)
I believe the vote should be weighted somehow based on people's allegiance to
OWASP and/or WASC otherwise the vote could be perceived as biased?
--
Regards,
Christian Heinrich