WASC Web Application Firewall Evaluation Criteria Project Mailing List
Hello, I'm Park Hyunjae, working in the PentaSecurity planning department.
Our company provides WAPPLES, a kind of WAF, and we want to contribute to the
WAFEC V2 Project.
However, I couldn't find information on whether WAFEC is in progress or
not.
Could you give me substantive information about WAFEC? (Whether WAFEC is in
progress or not, specific steps to contribute, etc.)
Thank you.
TRUST FOR AN OPEN SOCIETY
박 현 재 HyunJae Park
Intern | Planning Office, Planning Team 1
Planning 1 Team
C. +82-10-2605-9280
F. +82-2-786-5281 gyswo123@gmail.com jyjang@pentasecurity.com
Penta Security Systems Inc. www.pentasecurity.com
Thank you for sending me the reply.
However, since the language used for the reply was Chinese, I couldn't
understand what you were saying.
Please reply to me in English or Korean.
2014-04-03 11:37 GMT+09:00 박현재 gyswo123@gmail.com:
Park,
During a job interview I recommended to
http://www.gasystems.com.au/our-products/waf-a-ngfw/penta-security-waf that
I assess your product against WAFEC as part of the role.
I wasn't offered a job after the second interview; however, assessing WAFFLES
against WAFEC might indicate if anything was missed in the next release
[of WAFEC]?
On Thu, Apr 3, 2014 at 8:21 PM, 박현재 gyswo123@gmail.com wrote:
--
Regards,
Christian Heinrich
Hi Hyunjae and project team,
I guess that after a year or more of little progress, I need to admit that we have stalled. The information as it appears on the OWASP project page ([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a bit more which was submitted and is waiting for publication for review, but nothing significant. While it is always high on my to-do list, it is never high enough. WAFs and application security in general are not my day work but just a hobby, and this takes its toll. I think that the project certainly needs someone fresh to take over. Any volunteer?
~ Ofer
[1] https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project
[2] http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of 박현재
Sent: Thursday, April 3, 2014 5:37 AM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] Question about WAFEC.
Ofer,
I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?
I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
onwards as this has captured a lot of knowledge on the content
proposed for v2.
Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?
On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:
--
Regards,
Christian Heinrich
Ofer,
Achim has also offered to assist.
It would appear that I have some spare cycles over July and August so
I would like to kick off then.
Is WASC and the community ok with this?
On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:
--
Regards,
Christian Heinrich
Christian,
If it is good for you, I'd like to join you to complete and review the WAFEC (I
missed your last mail, sorry for not answering before).
And I expect to have some time in these months too.
Best regards,
Klaubert Herr
http://waf-fle.org
On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich <
christian.heinrich@cmlh.id.au> wrote:
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
Klaubert,
I have made the assumption that:
1. You're an experienced end user of ModSecurity i.e.
http://br.linkedin.com/pub/klaubert-herr/51/b58/128
2. ... and also the developer of http://waf-fle.org/about/ i.e. a
ModSecurity Console which is GNUv3 licensed i.e.
https://github.com/klaubert/waf-fle/blob/master/LICENSE
I am seeking end users i.e. 1. above
Therefore, the conflict of interest would be 2. which could be
resolved if the other developers of competing ModSecurity Console(s),
such as http://www.jwall.org/, etc.
If this can't be resolved without dispute then I could credit your
[accepted] contribution as a ModSecurity "Independent Developer" (i.e.
not the vendor Trustwave) since I would like to declare any possible
bias, even unintended, within WAFECv2
The "Independent Developer" classification is different from the
contributions made by vendors themselves such as Imperva, Trustwave
and possibly https://www.ironbee.com/ i.e. Qualys, etc.
I have no issue if you would like to highlight that you contributed x,
y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
to click a link which would also provide a list of other possible
solution(s) that adhered to x, y and z of which the other vendors
would have to undertake their own evaluation with an independent
testing authority.
Does this seem reasonable?
On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
klaubert@gmail.com wrote:
--
Regards,
Christian Heinrich
Hello,
Jumping in since this is asking a general WASC policy question.
Speaking on behalf of WASC, if an existing project leader wants to bring
in more people to assist this is ok. If the project leader wants to
entirely change leadership and remove themselves from the project, then
this will require an officer discussion.
In this case since Ofer is staying involved everything's kosher.
Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/
On Thu, 19 Jun 2014, Christian Heinrich wrote:
Christian,
At WASC we are ok with individuals representing themselves however they
want, and in fact if they work at a vendor/services provider we encourage
disclosure.
Really there isn't a 'conflict of interest' for project contributors. If
an issue arises it is up to the project leader to resolve it openly on
the list. The only real area where 'conflict of interest' exists is when
it comes to project leadership. A project leader/leaders CANNOT lead a
project if there is a conflict of interest (employer, personal product
or service, etc). This is one of the things WASC has been good at enforcing,
and will continue to do so to ensure no bias.
Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/