wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


Question about WAFEC.

박현재
Thu, Apr 3, 2014 2:37 AM

Hello, I'm Park Hyunjae, working in the PentaSecurity planning department.

Our company is providing WAPPLES, a kind of WAF, and we want to contribute to the
WAFEC V2 Project.

However, I couldn't find information on whether WAFEC is in progress or
not.

Could you give me substantive information about WAFEC? (Whether WAFEC is in
progress or not, specific steps to contribute, etc.)

Thank you.

TRUST FOR AN OPEN SOCIETY

    HyunJae Park

Intern | Planning Office, Planning Team 1

Planning 1 Team

C. +82-10-2605-9280

F. +82-2-786-5281    gyswo123@gmail.com jyjang@pentasecurity.com

펜타시큐리티시스템(주)  www.pentasecurity.com

박현재
Thu, Apr 3, 2014 9:21 AM

Thank you for sending me the reply.
However, since the language used for the reply was Chinese, I couldn't
understand what you were saying.
Please reply to me in English or Korean.

2014-04-03 11:37 GMT+09:00 박현재 gyswo123@gmail.com:

Hello, I'm Park Hyunjae, working in the PentaSecurity planning department.

Our company is providing WAPPLES, a kind of WAF, and we want to contribute to the
WAFEC V2 Project.

However, I couldn't find information on whether WAFEC is in progress or
not.

Could you give me substantive information about WAFEC? (Whether WAFEC is
in progress or not, specific steps to contribute, etc.)

Thank you.

TRUST FOR AN OPEN SOCIETY

    HyunJae Park

Intern | Planning Office, Planning Team 1

Planning 1 Team

C. +82-10-2605-9280

F. +82-2-786-5281    gyswo123@gmail.com jyjang@pentasecurity.com

펜타시큐리티시스템(주)  www.pentasecurity.com

Christian Heinrich
Fri, Apr 4, 2014 2:54 AM

Park,

During a job interview I recommended to
http://www.gasystems.com.au/our-products/waf-a-ngfw/penta-security-waf that
I assess your product against WAFEC as part of the role.

I wasn't offered a job after the second interview however assessing WAFFLES
against WAFEC might indicate if anything was missed in the next release
[of WAFEC]?

On Thu, Apr 3, 2014 at 8:21 PM, 박현재 gyswo123@gmail.com wrote:

Thank you for sending me the reply.
However, since the language used for the reply was Chinese, I couldn't
understand what you were saying.
Please reply to me in English or Korean.

2014-04-03 11:37 GMT+09:00 박현재 gyswo123@gmail.com:

Hello, I'm Park Hyunjae, working in the PentaSecurity planning department.

Our company is providing WAPPLES, a kind of WAF, and we want to contribute to the
WAFEC V2 Project.

However, I couldn't find information on whether WAFEC is in progress or
not.

Could you give me substantive information about WAFEC? (Whether WAFEC is
in progress or not, specific steps to contribute, etc.)

Thank you.

TRUST FOR AN OPEN SOCIETY

    HyunJae Park

Intern | Planning Office, Planning Team 1

Planning 1 Team

C. +82-10-2605-9280

F. +82-2-786-5281    gyswo123@gmail.com jyjang@pentasecurity.com

펜타시큐리티시스템(주)  www.pentasecurity.com

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Ofer Shezaf
Sun, Apr 6, 2014 9:53 PM

Hi Hyunjae and project team,

I guess that after a year or more of little progress, I need to admit that we have stalled. The information as it appears on the OWASP project page ([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a bit more which was submitted and is waiting for publication for review, but nothing significant. While it is always high on my to do list, it is never high enough. WAFs and application security in general are not my day work but just a hobby and this has its toll. I think that project certainly needs someone fresh to take over. Any volunteer?

~ Ofer

[1] https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project

[2] http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria

From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of ???
Sent: Thursday, April 3, 2014 5:37 AM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] Question about WAFEC.

Hello, I'm Park Hyunjae, working in the PentaSecurity planning department.

Our company is providing WAPPLES, a kind of WAF, and we want to contribute to the WAFEC V2 Project.

However, I couldn't find information on whether WAFEC is in progress or not.

Could you give me substantive information about WAFEC? (Whether WAFEC is in progress or not, specific steps to contribute, etc.)

Thank you.

TRUST FOR AN OPEN SOCIETY

박 현 재    HyunJae Park

Intern | Planning Office, Planning Team 1

Planning 1 Team

C. +82-10-2605-9280

F. +82-2-786-5281    gyswo123@gmail.com jyjang@pentasecurity.com

펜타시큐리티시스템(주)  www.pentasecurity.com

Christian Heinrich
Mon, May 5, 2014 1:53 AM

Ofer,

I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?

I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
onwards as this has captured a lot of knowledge on the content
proposed for v2.

Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?

On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:

I guess that after a year or more of little progress, I need to admit that
we have stalled. The information as it appears on the OWASP project page
([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a
bit more which was submitted and is waiting for publication for review, but
nothing significant. While it is always high on my to do list, it is never
high enough. WAFs and application security in general are not my day work
but just a hobby and this has its toll. I think that project certainly needs
someone fresh to take over. Any volunteer?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Christian Heinrich
Thu, Jun 19, 2014 1:51 AM

Ofer,

Achim has also offered to assist.

It would appear that I have some spare cycles over July and August so
I would like to kick off then.

Is WASC and the community ok with this?

On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?

I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
onwards as this has captured a lot of knowledge on the content
proposed for v2.

Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?

On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:

I guess that after a year or more of little progress, I need to admit that
we have stalled. The information as it appears on the OWASP project page
([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a
bit more which was submitted and is waiting for publication for review, but
nothing significant. While it is always high on my to do list, it is never
high enough. WAFs and application security in general are not my day work
but just a hobby and this has its toll. I think that project certainly needs
someone fresh to take over. Any volunteer?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Klaubert Herr da Silveira
Thu, Jun 19, 2014 2:06 AM

Christian,

If it is good for you, I'd like to join you to complete and review the WAFEC (I
have missed your last mail, sorry for not answering before).
And I expect to have some time in these months too.

Best regards,

Klaubert Herr
http://waf-fle.org

On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich <
christian.heinrich@cmlh.id.au> wrote:

Ofer,

Achim has also offered to assist.

It would appear that I have some spare cycles over July and August so
I would like to kick off then.

Is WASC and the community ok with this?

On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?

I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.

onwards as this has captured a lot of knowledge on the content
proposed for v2.

Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?

On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:

I guess that after a year or more of little progress, I need to admit that
we have stalled. The information as it appears on the OWASP project page
([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a
bit more which was submitted and is waiting for publication for review, but
nothing significant. While it is always high on my to do list, it is never
high enough. WAFs and application security in general are not my day work
but just a hobby and this has its toll. I think that project certainly needs
someone fresh to take over. Any volunteer?

Christian Heinrich
Thu, Jun 19, 2014 4:29 AM

Klaubert,

I have made the assumption that:

  1. You're an experienced end user of ModSecurity i.e.
    http://br.linkedin.com/pub/klaubert-herr/51/b58/128

  2. ... and also the developer of http://waf-fle.org/about/ i.e. a
    ModSecurity Console which is GNUv3 licensed i.e.
    https://github.com/klaubert/waf-fle/blob/master/LICENSE

I am seeking end users i.e. 1. above

Therefore, the conflict of interest would be 2. which could be
resolved if the other developers of competing ModSecurity Console(s),
such as http://www.jwall.org/, etc.

If this can't be resolved without dispute then I could credit your
[accepted] contribution as a ModSecurity "Independent Developer" (i.e.
not the vendor Trustwave) since I would like to declare any possible
bias, even unintended, within WAFECv2

The "Independent Developer" classification is different from the
contributions made by vendors themselves such as Imperva, Trustwave
and possibly https://www.ironbee.com/ i.e. Qualys, etc.

I have no issue if you would like to highlight that you contributed x,
y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
to click a link which would also provide a list of other possible
solution(s) that adhered to x, y and z of which the other vendors
would have to undertake their own evaluation with an independent
testing authority.

Does this seem reasonable?

On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
klaubert@gmail.com wrote:

Christian,

If it is good for you, I'd like to join you to complete and review the WAFEC (I
have missed your last mail, sorry for not answering before).
And I expect to have some time in these months too.

Best regards,

Klaubert Herr
http://waf-fle.org

On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

Achim has also offered to assist.

It would appear that I have some spare cycles over July and August so
I would like to kick off then.

Is WASC and the community ok with this?

On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?

I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.

http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
onwards as this has captured a lot of knowledge on the content
proposed for v2.

Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?

On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:

I guess that after a year or more of little progress, I need to admit that
we have stalled. The information as it appears on the OWASP project page
([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a
bit more which was submitted and is waiting for publication for review, but
nothing significant. While it is always high on my to do list, it is never
high enough. WAFs and application security in general are not my day work
but just a hobby and this has its toll. I think that project certainly needs
someone fresh to take over. Any volunteer?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Robert A.
Thu, Jun 19, 2014 4:52 PM

Hello,
Jumping in since this is asking a general WASC policy question.

Speaking on behalf of WASC, if an existing project leader wants to bring
in more people to assist this is ok. If the project leader wants to
entirely change leadership and remove themselves from the project, then
this will require an officer discussion.

In this case since Ofer is staying involved everything's kosher.

Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/

On Thu, 19 Jun 2014, Christian Heinrich wrote:

Ofer,

Achim has also offered to assist.

It would appear that I have some spare cycles over July and August so
I would like to kick off then.

Is WASC and the community ok with this?

On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?

I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
onwards as this has captured a lot of knowledge on the content
proposed for v2.

Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?

On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:

I guess that after a year or more of little progress, I need to admit that
we have stalled. The information as it appears on the OWASP project page
([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a
bit more which was submitted and is waiting for publication for review, but
nothing significant. While it is always high on my to do list, it is never
high enough. WAFs and application security in general are not my day work
but just a hobby and this has its toll. I think that project certainly needs
someone fresh to take over. Any volunteer?

Robert A.
Thu, Jun 19, 2014 5:01 PM

I have made the assumption that:

  1. You're an experienced end user of ModSecurity i.e.
    http://br.linkedin.com/pub/klaubert-herr/51/b58/128

  2. ... and also the developer of http://waf-fle.org/about/ i.e. a
    ModSecurity Console which is GNUv3 licensed i.e.
    https://github.com/klaubert/waf-fle/blob/master/LICENSE

I am seeking end users i.e. 1. above

Therefore, the conflict of interest would be 2. which could be
resolved if the other developers of competing ModSecurity Console(s),
such as http://www.jwall.org/, etc.

If this can't be resolved without dispute then I could credit your
[accepted] contribution as a ModSecurity "Independent Developer" (i.e.
not the vendor Trustwave) since I would like to declare any possible
bias, even unintended, within WAFECv2

The "Independent Developer" classification is different from the
contributions made by vendors themselves such as Imperva, Trustwave
and possibly https://www.ironbee.com/ i.e. Qualys, etc.

I have no issue if you would like to highlight that you contributed x,
y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
to click a link which would also provide a list of other possible
solution(s) that adhered to x, y and z of which the other vendors
would have to undertake their own evaluation with an independent
testing authority.

Christian,
At WASC we are ok with individuals representing themselves however they
want, and in fact if they work at a vendor/services provider encourage the
disclosure.

Really there isn't a 'conflict of interest' for project contributors. If
there arises an issue it is up to the project leader to resolve openly on
the list. The only real area where 'conflict of interest' exists, is when
it comes to project leadership. A project leader/leaders CAN NOT lead a
project if there is a conflict of interest (employer, personal product
or service, etc). This is one of the things WASC has been good at enforcing,
and will continue to do so to ensure no bias.

Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/

Does this seem reasonable?

On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
klaubert@gmail.com wrote:

Christian,

If it is good to you, I'd like to join you to complete and review the WAFEC (I
have missed your last mail, sorry to not answer before).
And I expect to have some time in this months too.

Best regards,

Klaubert Herr
http://waf-fle.org

On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

Achim has also offered to assist.

It would appear that I have some spare cycles over July and August so
I would like to kick off then.

Are WASC and the community ok with this?

On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?

I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.

http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
onwards as this has captured a lot of knowledge on the content
proposed for v2.

Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?

On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:

I guess that after a year or more of little progress, I need to admit that
we have stalled. The information as it appears on the OWASP project page
([1]) and the WASC wiki page ([2]) is mostly the latest available. I have a
bit more which was submitted and is waiting for publication for review, but
nothing significant. While it is always high on my to do list, it is never
high enough. WAFs and application security in general are not my day work
but just a hobby and this has its toll. I think that project certainly needs
someone fresh to take over. Any volunteer?
