wasc-wafec@lists.webappsec.org
WASC Web Application Firewall Evaluation Criteria Project Mailing List
View all threadsVote on making WAFEC a WASC/OWASP project
again here's my yes (whatever the child's name is gonna be)
Dirk
Am 11/12/2012 11:17 AM, schrieb Ofer Shezaf:
Hi All,
As promised I am opening the vote for making WAFEC a joined WASC and
OWASP project.
The proposed guidelines for this more are (updated based on comments
from the group and WASC officers):
· The name, when affiliation is used, would be "The WASC/OWASP
Web Application Firewall Evaluation Criteria".
· Governance would be mutual, i.e. any decision about the
project which is not within the project team itself has to be agreed
upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers.
The project leader is the arbitrator in case of a conflict (this change
is based on a request by Jeremiah Grossman, WASC founder).
· Participation is open for all and does not require being an
OWASP or a WASC member.
Vote Yes/No. Voting is open until Nov 19^th EOD (American Samoa, that is
UTC-11, time zone)
Now for my voting pitch:
I think the change is important and would benefit WAFEC tremendously. I
would go a step further it is needed to ensure we actually succeed:
Why?
· Making it happen – we need more people. I now have two chapter
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.
· Outreach – people in the application security community have
heard about OWASP, and joining hands with OWASP would enable leveraging
this to reach more people. This includes chapters outreach (from
Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in
local and global conferences.
· Vendor image - WASC is perceived as a "vendors' organization"
and the list of participants in WAFEC certainly proves that. Affiliation
with OWASP will
help popularize WAFEC also with customers, which I think is very good
for the project.
I must say I think it would be hard for me to complete the project
successfully otherwise.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com mailto:ofer@shezaf.com, www.shezaf.com]
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
A yes is reasonable wether there are pros and cons.
Thorsten Wujek
Von meinem iPad gesendet
Kleines Gerät, kleine Mails.
Tiny device, tiny mails.
Am 13.11.2012 um 18:20 schrieb "Dirk Wetter" spam@drwetter.org:
again here's my yes (whatever the child's name is gonna be)
Dirk
Am 11/12/2012 11:17 AM, schrieb Ofer Shezaf:
Hi All,
As promised I am opening the vote for making WAFEC a joined WASC
OWASP project.
The proposed guidelines for this more are (updated based on comments
from the group and WASC officers):
· The name, when affiliation is used, would be "The WASC/OWASP
Web Application Firewall Evaluation Criteria".
· Governance would be mutual, i.e. any decision about the
project which is not within the project team itself has to be agreed
upon by the OWASP GPC (i.e. Project Committee) and by the WASC officers.
The project leader is the arbitrator in case of a conflict (this change
is based on a request by Jeremiah Grossman, WASC founder).
· Participation is open for all and does not require being an
OWASP or a WASC member.
Vote Yes/No. Voting is open until Nov 19^th EOD (American Samoa, that is
UTC-11, time zone)
Now for my voting pitch:
I think the change is important and would benefit WAFEC tremendously. I
would go a step further it is needed to ensure we actually succeed:
Why?
· Making it happen – we need more people. I now have two chapter
assigned and many are still waiting. Joining hands with OWASP will make
joining the project appealing to many more people.
· Outreach – people in the application security community have
heard about OWASP, and joining hands with OWASP would enable leveraging
this to reach more people. This includes chapters outreach (from
Khartoum, The Sudan to Omaha, Nebraska) as well as an official room in
local and global conferences.
· Vendor image - WASC is perceived as a "vendors' organization"
and the list of participants in WAFEC certainly proves that. Affiliation
with OWASP will
help popularize WAFEC also with customers, which I think is very good
for the project.
I must say I think it would be hard for me to complete the project
successfully otherwise.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com mailto:ofer@shezaf.com, www.shezaf.com]
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
Achim,
I would support speaking at this event provided we are not scheduled
during the break between the break and the evening social event again
i.e. http://www.appsecresearch.org/wafec-workshop-at-owasp-appsec-research-in-athens/
which your e-mail suggests would not be the case.
Based on https://lists.owasp.org/pipermail/global_conference_committee/2011-March/001122.html
I would expect that flights and accommodation for each presenter would
be paid for by OWASP and that the profit for delivering training would
be paid to WASC?
On Tue, Nov 13, 2012 at 11:45 PM, Achim Hoffmann websec10@sic-sec.org wrote:
Hi,
as we (OWASP Germany) are currently planing for AppSec EU2013, I can reserve
a slot for a talk/presentation and also for a one or half day training or workshop.
I guess another 6-8 month should be enough to bring the project to a valuable extent
and then present it.
Should we go for that?
I'd realy like to push it and show it a greater audience.
--
Regards,
Christian Heinrich
I think that a presentation is a no brainer. As to workshop, since I really hope we would have a result to show, workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has a clear ideas as to what that be, we can either launch that as a WAFEC initiative or leave it to anyone who think it is a good business to do.
~ Ofer
-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Tuesday, November 13, 2012 2:45 PM
To: wasc-wafec@lists.webappsec.org
Cc: 'Christian Heinrich'; Ofer Shezaf
Subject: WASC/OWASP Web,Application Firewall Evaluation Criteria at AppSec EU2013
Hi,
as we (OWASP Germany) are currently planing for AppSec EU2013, I can reserve a slot for a talk/presentation and also for a one or half day training or workshop.
I guess another 6-8 month should be enough to bring the project to a valuable extent and then present it.
Should we go for that?
I'd realy like to push it and show it a greater audience.
Achim
-------- Original-Nachricht --------
Betreff: Re: [WASC-WAFEC] Vote on making WAFEC a WASC/OWASP project
Datum: Tue, 13 Nov 2012 10:10:00 +0200
..
Kopie (CC): wasc-wafec@lists.webappsec.org, wasc-members@webappsec.org
Presenting WAFEC by someone who does not represent a vendor makes a lot of sense. I would like to point that there is no "WASC wants". WASC and WAFEC are ours to make. WAFEC will be presented and promoted in conferences, meetings, blogs etc if any of us as individuals select to do so. I will, you can, and everyone else is also more than welcomed to.
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
preforming independent verification of WAFEC against WAF Vendor claim
on behalf of an end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
specific end user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I really hope we would have a result to show, workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has a clear ideas as to what that be, we can either launch that as a WAFEC initiative or leave it to anyone who think it is a good business to do.
--
Regards,
Christian Heinrich
Quick question.
Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess
I see it as a separate thing not directly associated/promoted by the
project itself.
Regards,
On Wed, 14 Nov 2012, Christian Heinrich wrote:
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
preforming independent verification of WAFEC against WAF Vendor claim
on behalf of an end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
specific end user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I really hope we would have a result to show, workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has a clear ideas as to what that be, we can either launch that as a WAFEC initiative or leave it to anyone who think it is a good business to do.
--
Regards,
Christian Heinrich
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
Robert,
I believe it should considering it would affect the WASC brand as part
of its promotion?
On Wed, Nov 14, 2012 at 9:26 AM, Robert A. robert@webappsec.org wrote:
Quick question.
Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess I
see it as a separate thing not directly associated/promoted by the project
itself.
Regards,
On Wed, 14 Nov 2012, Christian Heinrich wrote:
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
preforming independent verification of WAFEC against WAF Vendor claim
on behalf of an end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
specific end user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I
really hope we would have a result to show, workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has a clear ideas as to what that be, we can either
launch that as a WAFEC initiative or leave it to anyone who think it is a
good business to do.
--
Regards,
Christian Heinrich
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
--
Regards,
Christian Heinrich
I know who is WAFEC target audience, however I wonder what would a paid
workshop on WAFEC include.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Wednesday, November 14, 2012 12:20 AM
To: Ofer Shezaf
Cc: Achim Hoffmann; wasc-wafec@lists.webappsec.org
Subject: Re: WASC/OWASP Web,Application Firewall Evaluation Criteria at
AppSec EU2013
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc preforming
independent verification of WAFEC against WAF Vendor claim on behalf of an
end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the specific end
user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I
really hope we would have a result to show, workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has a clear ideas as to what that be, we can either
launch that as a WAFEC initiative or leave it to anyone who think it is a
good business to do.
--
Regards,
Christian Heinrich
I tend to agree. Generally speaking building a training material might be a
task within a project, however I am not sure how this would work for WAFEC.
~ Ofer
-----Original Message-----
From: Robert A. [mailto:robert@webappsec.org]
Sent: Wednesday, November 14, 2012 12:26 AM
To: Christian Heinrich
Cc: Ofer Shezaf; wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WASC/OWASP Web, Application Firewall Evaluation
Criteria at AppSec EU2013
Quick question.
Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess I
see it as a separate thing not directly associated/promoted by the project
itself.
Regards,
On Wed, 14 Nov 2012, Christian Heinrich wrote:
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
preforming independent verification of WAFEC against WAF Vendor claim
on behalf of an end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
specific end user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I
really hope we would have a result to show, workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has a clear ideas as to what that be, we can either
launch that as a WAFEC initiative or leave it to anyone who think it is a
good business to do.
--
Regards,
Christian Heinrich
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec
.org
For some context.
Historically WASC has created content but hasn't promoted a product, service, workshop, or training event as part of the project. The purpose
of this is to remain vendor neutral as an organization. WASC's members have supported such things on their own (if they want), but the group as a
whole has never discussed supporting an event/product/service as part of a project.
I'm not trying to discourage such communication, just that we don't find ourselves doing this on behalf of WASC (without an officer vote since
this would be setting a precident).
Ofer,
Comments/opinion?
Regards,
- Robert
On Wed, 14 Nov 2012, Christian Heinrich wrote:
Robert,
I believe it should considering it would affect the WASC brand as part
of its promotion?
On Wed, Nov 14, 2012 at 9:26 AM, Robert A. robert@webappsec.org wrote:
Quick question.
Should a workshop or training session be part of a wafec discussion? I see
that people will want to give a talk on it which is fantastic, but I guess I
see it as a separate thing not directly associated/promoted by the project
itself.
Regards,
On Wed, 14 Nov 2012, Christian Heinrich wrote:
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
preforming independent verification of WAFEC against WAF Vendor claim
on behalf of an end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
specific end user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I
really hope we would have a result to show, workshop for discussion would
not be very useful. A training workshop would require an agenda and a
commitment of a trainer to prepare a quality course that people will pay
for. I personally am not sure what would be the content of such a training
session. If anyone has a clear ideas as to what that be, we can either
launch that as a WAFEC initiative or leave it to anyone who think it is a
good business to do.
--
Regards,
Christian Heinrich
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
--
Regards,
Christian Heinrich