wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List

Vote on making WAFEC a WASC/OWASP project

Robert A.
Mon, Nov 12, 2012 9:28 PM

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

• The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception of
WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please let
me know.

Open to Ofer's thoughts.

Regards,

  • Robert Auger
Christian Heinrich
Mon, Nov 12, 2012 11:14 PM

Ofer,

On Tue, Nov 13, 2012 at 8:13 AM, Ofer Shezaf ofer@shezaf.com wrote:

With regard to presenting WAFEC in OWASP events, I think this is an
important comment and my answer is that as a WAFEC project member you should
be able to and I will make sure this is known. I need to say I don't think
you are limited from presenting in OWASP meetings today - presentation is
not limited to OWASP members.

Yes I am and this restriction was made up by the OWASP Board within
http://lists.owasp.org/pipermail/owasp-leaders/2012-February/006813.html
i.e. "disqualification from CFT/CFP for Global or Regional AppSec
events" (I'd assume this extends to Chapter events) and upheld when
my presentation on BSIMM was accepted for
https://www.owasp.org/index.php/AppSecAsiaPac2012.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Jeremiah Grossman
Tue, Nov 13, 2012 12:39 AM

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

• The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception of
WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please let
me know.

Open to Ofer's thoughts.

Regards,

  • Robert Auger

Some may have this perception of WASC, no matter how undeserving it is. Despite this, WASC projects have a very high adoption rate in the industry by nature of the way the organization does things. This speaks to deliverable quality, and to me, this is what ultimately matters the most. This is what I wish for this project. When this many of the right kind of experts are brought together under a highly collaborative and peer reviewed environment, you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free to choose to contribute their time whenever and wherever they choose. Having said that, this is a project that "WASC" has voted to create and something it's committed to keeping under its label. While it's never been done before, there is nothing technically preventing a collaborative project with OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-

Ofer Shezaf
Tue, Nov 13, 2012 6:19 AM

Bob and Jeremiah,

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joint project, I would take it as a way to convey his (valid) opinion about
the initiative.

Whether or not WASC carries a vendor perception is worth discussing,
probably more generally than the context of this thread and in the officers
list. However I would add that I don't see it necessarily as an issue but
rather stating an opinion.  People seem to prefer being able to classify
things in order to give them differentiating value and compartmentalizing
WASC in such a way makes it easier for people to relate. We may want to
divert that to "Security Gurus" categorization, but we certainly want a
distinction.

Specifically for WAFEC the vendor perspective is less a perspective and more
evident: on the WAFEC contributor list, more than half represent WAF
vendors. The same is true for people volunteering so far to write sections.

~ Ofer

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com]
Sent: Tuesday, November 13, 2012 2:40 AM
To: Robert A.
Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

• The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception
of WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please
let me know.

Open to Ofer's thoughts.

Regards,

  • Robert Auger

Some may have this perception of WASC, no matter how undeserving it is.
Despite this, WASC projects have a very high adoption rate in the industry
by nature of the way the organization does things. This speaks to deliverable
quality, and to me, this is what ultimately matters the most. This is what I
wish for this project. When this many of the right kind of experts are
brought together under a highly collaborative and peer reviewed environment,
you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free
to choose to contribute their time whenever and wherever they choose. Having
said that, this is a project that "WASC" has voted to create and something
it's committed to keeping under its label. While it's never been done
before, there is nothing technically preventing a collaborative project with
OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-

Ido Breger
Tue, Nov 13, 2012 6:29 AM

Yes
Ido Breger

From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Ofer Shezaf
Sent: Monday, November 12, 2012 12:18 PM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Hi All,

As promised I am opening the vote for making WAFEC a joint WASC and OWASP project.

The proposed guidelines for this move are (updated based on comments from the group and WASC officers):

• The name, when affiliation is used, would be "The WASC/OWASP Web Application Firewall Evaluation Criteria".

• Governance would be mutual, i.e. any decision about the project which is not within the project team itself has to be agreed upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers. The project leader is the arbitrator in case of a conflict (this change is based on a request by Jeremiah Grossman, WASC founder).

• Participation is open for all and does not require being an OWASP or a WASC member.

Vote Yes/No. Voting is open until Nov 19th EOD (American Samoa, that is UTC-11, time zone)

Now for my voting pitch:

I think the change is important and would benefit WAFEC tremendously. I would go a step further: it is needed to ensure we actually succeed:

Why?

• Making it happen - we need more people. I now have two chapters assigned and many are still waiting. Joining hands with OWASP will make joining the project appealing to many more people.

• Outreach - people in the application security community have heard about OWASP, and joining hands with OWASP would enable leveraging this to reach more people. This includes chapters outreach (from Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in local and global conferences.

• Vendor image - WASC is perceived as a "vendors' organization" and the list of participants in WAFEC certainly proves that. Affiliation with OWASP will help popularize WAFEC also with customers, which I think is very good for the project.

I must say I think it would be hard for me to complete the project successfully otherwise.

~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]

Christian Heinrich
Tue, Nov 13, 2012 7:48 AM

Ofer,

On Tue, Nov 13, 2012 at 5:19 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joint project, I would take it as a way to convey his (valid) opinion about
the initiative.

In the context of the above (project name) item then no I don't have
reservations about OWASP based on the reasons stated in your proposal
hence my recommendation to remove WASC from the name of the (WAFEC)
project.

However, if WASC would like to a) remove the vendor perception and b)
promote it to the wider community then this could be (better) achieved
with end users (not vendors) presenting WAFEC at OWASP Chapters and
Conferences.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Ofer Shezaf
Tue, Nov 13, 2012 8:10 AM

Presenting WAFEC by someone who does not represent a vendor makes a lot of
sense. I would like to point out that there is no "WASC wants". WASC and WAFEC
are ours to make. WAFEC will be presented and promoted in conferences,
meetings, blogs etc if any of us as individuals select to do so. I will, you
can, and everyone else is also more than welcome to.

~ Ofer

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Tuesday, November 13, 2012 9:49 AM
To: Ofer Shezaf
Cc: Jeremiah Grossman; Robert A.; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

Ofer,

On Tue, Nov 13, 2012 at 5:19 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

For better or worse I would not give Christian's suggestion to keep only
OWASP in the name a lot of weight (sorry Christian). It is not a
general opinion but a single voice. As Christian has reservations
about OWASP and hence a joint project, I would take it as a way to
convey his (valid) opinion about the initiative.

In the context of the above (project name) item then no I don't have
reservations about OWASP based on the reasons stated in your proposal hence
my recommendation to remove WASC from the name of the (WAFEC) project.

However, if WASC would like to a) remove the vendor perception and b)
promote it to the wider community then this could be (better) achieved
with end users (not vendors) presenting WAFEC at OWASP Chapters and
Conferences.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Achim Hoffmann
Tue, Nov 13, 2012 12:45 PM

Hi,

as we (OWASP Germany) are currently planning for AppSec EU2013, I can reserve
a slot for a talk/presentation and also for a one or half day training or workshop.

I guess another 6-8 months should be enough to bring the project to a valuable extent
and then present it.

Should we go for that?
I'd really like to push it and show it to a greater audience.

Achim

-------- Original Message --------
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Date: Tue, 13 Nov 2012 10:10:00 +0200
..
CC: wasc-wafec@lists.webappsec.org, wasc-members@webappsec.org

Presenting WAFEC by someone who does not represent a vendor makes a lot of
sense. I would like to point out that there is no "WASC wants". WASC and WAFEC
are ours to make. WAFEC will be presented and promoted in conferences,
meetings, blogs etc if any of us as individuals select to do so. I will, you
can, and everyone else is also more than welcome to.

Jeremiah Grossman
Tue, Nov 13, 2012 2:28 PM

I agree. This issue, if indeed it even is an issue, is part of a larger discussion about WASC and beyond WAFEC. I'm happy to share my opinion on the matter here.

WASC started as a group of people that had a vested interest in solving a particular problem in the industry, at the time, a nomenclature issue. Consumers were confused by the differing jargon between "us vendors." Again, at the time. So we got together to solve that problem in the shape of the Threat Classification. During the process of v1 and v2 of the project, of course no one… including non-vendors, was excluded from participating. What was most important was that the best experts in the world participated, who yes also happened to work for vendors, collectively created something really good that could be quickly adopted. And, it worked.

WAFEC is essentially identical in this regard. That to me, is what WASC does. Each project operates extremely independently, with only the bare minimum of necessary oversight from the Officers.

So, while there may or may not be a vendor stigma associated to WASC, it hasn't prevented us from bringing together enough of the right kind of people with a vested interest in solving a problem. As is demonstrated here inside WAFEC. It hasn't prevented the creation and adoption of its projects. Perhaps the issue has prevented us from being successful in other ways, but not in the ways we valued most as an organization. WASC fills a very particular niche.

Simply the opinion of 1 WASC officer...

On Nov 12, 2012, at 10:19 PM, Ofer Shezaf wrote:

Bob and Jeremiah,

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joint project, I would take it as a way to convey his (valid) opinion about
the initiative.

Whether or not WASC carries a vendor perception is worth discussing,
probably more generally than the context of this thread and in the officers
list. However I would add that I don't see it necessarily as an issue but
rather stating an opinion.  People seem to prefer being able to classify
things in order to give them differentiating value and compartmentalizing
WASC in such a way makes it easier for people to relate. We may want to
divert that to "Security Gurus" categorization, but we certainly want a
distinction.

Specifically for WAFEC the vendor perspective is less a perspective and more
evident: on the WAFEC contributor list, more than half represent WAF
vendors. The same is true for people volunteering so far to write sections.

~ Ofer

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com]
Sent: Tuesday, November 13, 2012 2:40 AM
To: Robert A.
Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

• The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception
of WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please
let me know.

Open to Ofer's thoughts.

Regards,

  • Robert Auger

Some may have this perception of WASC, no matter how undeserving it is.
Despite this, WASC projects have a very high adoption rate in the industry
by nature of the way the organization does things. This speaks to deliverable
quality, and to me, this is what ultimately matters the most. This is what I
wish for this project. When this many of the right kind of experts are
brought together under a highly collaborative and peer reviewed environment,
you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free
to choose to contribute their time whenever and wherever they choose. Having
said that, this is a project that "WASC" has voted to create and something
it's committed to keeping under its label. While it's never been done
before, there is nothing technically preventing a collaborative project with
OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-

Achim Hoffmann
Tue, Nov 13, 2012 3:20 PM

I fully agree with Jeremiah (as I remember the work on TCv1:)

For WAFEC we need the vendors as they can provide the most detailed information
on some technical things which need to be described correctly.

So far the concerns about "vendor biased comments" have been discussed on this list
and there is (at least seems to be) an agreement that very vendor-specific items
and not directly WAF-related items are put together in an Appendix (see mails from
Ofer and Christian).

Just my 2 pence ...
Achim

Am 13.11.2012 15:28, schrieb Jeremiah Grossman:

I agree. This issue, if indeed it even is an issue, is part of a larger discussion about WASC and beyond WAFEC. I'm happy to share my opinion on the matter here.

WASC started as a group of people that had a vested interest in solving a particular problem in the industry, at the time, a nomenclature issue. Consumers were confused by the differing jargon between "us vendors." Again, at the time. So we got together to solve that problem in the shape of the Threat Classification. During the process of v1 and v2 of the project, of course no one… including non-vendors, were excluded from participating. What was most important was that the best experts in the world participated, who yes also happened to work for vendors, collectively created something really good that could be quickly adopted. And, it worked.

WAFEC is essentially identical in this regard. That to me, is what WASC does. Each project operates extremely independently, with only the bare minimum of necessary oversight from the Officers.

So, while there may or may not be a vendor stigma associated to WASC, it hasn't prevented us from bringing together enough of the right kind of people with a vested interest in solving a problem. As is demonstrated here inside WAFEC. It hasn't prevented the creation and adoption of its projects. Perhaps the issue has prevented us from being successful in other ways, but not in the ways we valued most as an organization. WASC fills a very particular niche.

Simply the opinion of 1 WASC officer...

On Nov 12, 2012, at 10:19 PM, Ofer Shezaf wrote:

Bob and Jeremiah,

For better or worse I would not give Christian's suggestion to keep only OWASP
in the name a lot of weight (sorry Christian). It is not a general opinion
but a single voice. As Christian has reservations about OWASP and hence a
joint project, I would take it as a way to convey his (valid) opinion about
the initiative.

Whether or not WASC carries a vendor perception is worth discussing,
probably more generally than the context of this thread and in the officers
list. However I would add that I don't see it necessarily as an issue but
rather stating an opinion.  People seem to prefer being able to classify
things in order to give them differentiating value and compartmentalizing
WASC in such a way makes it easier for people to relate. We may want to
divert that to "Security Gurus" categorization, but we certainly want a
distinction.

Specifically for WAFEC the vendor perspective is less a perspective and more
evident: on the WAFEC contributor list, more than half represent WAF
vendors. The same is true for people volunteering so far to write sections.

~ Ofer

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com]
Sent: Tuesday, November 13, 2012 2:40 AM
To: Robert A.
Cc: Christian Heinrich; Ofer Shezaf; wasc-wafec@lists.webappsec.org;
wasc-members@webappsec.org
Subject: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project

On Nov 12, 2012, at 1:28 PM, Robert A. wrote:

On Mon, Nov 12, 2012 at 9:17 PM, Ofer Shezaf ofer@shezaf.com wrote:

.        The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".

This doesn't resolve the issue around the (false) vendor perception
of WASC, since "WASC" would still be quoted within the project title.

Hence, I would recommend that we remove "WASC" and give complete
project ownership to OWASP i.e. "The OWASP Web Application Firewall
Evaluation Criteria" otherwise this (false) perception would remain?

If there's a perception issue of WASC (which I haven't seen for a few
years now myself), I don't think the answer is for us to abandon our
successful projects entirely to OWASP. If I'm misunderstanding please
let me know.

Open to Ofer's thoughts.

Regards,

- Robert Auger

Some may have this perception of WASC, no matter how undeserving it is.
Despite this, WASC projects have a very high adoption rate in the industry
by nature of the way the organization does things. This speaks to deliverable
quality, and to me, this is what ultimately matters the most. This is what I
wish for this project. When this many of the right kind of experts are
brought together under a highly collaborative and peer reviewed environment,
you can't help but get this outcome.

Of course as this is an all volunteer project, people are of course free
to choose to contribute their time whenever and wherever they choose. Having
said that, this is a project that "WASC" has voted to create and something
it's committed to keeping under its label. While it's never been done
before, there is nothing technically preventing a collaborative project with
OWASP provided that's what the group chooses to do.

Regards,

Jeremiah-=
