wasc-wafec@lists.webappsec.org
WASC Web Application Firewall Evaluation Criteria Project Mailing List
View all threadsQuestion about WAFEC.
Robert,
On Fri, Jun 20, 2014 at 3:01 AM, Robert A. robert@webappsec.org wrote:
Christian,
At WASC we are ok with individuals representing themselves however they
want, and in fact if they work at a vendor/services provider encourage the
disclosure.
Really there isn't a 'conflict of interest' for project contributors. If there arises
an issue it is up to the project leader to resolve openly on the list. The only real > area where 'conflict of interest' exists, is when it comes to project leadership. A > project leader/leaders CAN NOT lead a project if there is a conflict of interest
(employer, personal product or service, etc). This is one of the things WASC
has been good at enforcing,
and will continue to do so to ensure no bias.
I have no doubt that Klaubert will make a significant contribution to
WAFEC based on his end user experience with ModSecurity but I want to
establish a code of conduct that is applicable, known and fair to
contributors beforehand so that WASC can avoid incidents related to
favouritism which are reoccur time and time again within OWASP i.e.
http://www.greebo.net/2011/03/18/owasp-podcast-82-authorship-of-owasp-top-10-2007/,
http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
http://blog.diniscruz.com/2014/06/in-samanthas-words-why-i-resigned-my.html
(I noticed that Dinis Cruz deleted my comment to this Blog Post), etc
The other issue that I am attempting to manage is the unsubstantiated
rumour that WASC Project are nothing more than direct vendor promotion
e.g. http://lists.owasp.org/pipermail/owasp-board/2007-March/005551.html
I myself have no involvement within WAF technology at the moment as I
lost my job as an end user managing a WAF because I refused to endorse
vendor x over vendor y, a situation that could have avoided with the
application of WAFEC.
If two parties diff on their opinion then I will forward it to Ofer
for moderation because he is extremely fair and not associated with a
WAF vendor.
--
Regards,
Christian Heinrich
Christian,
I really like of your propose and care to seek end user contributions to
continue WAFEC v2, an evaluation criteria made mainly by vendors can be too
partial and lost the practical focus need by evaluators.
Acting mainly as consultant and end user (using open source and commercial
WAF's), and waf-fle developer in spare time, I came in the past to Ofer
Shezaf, to contribute as a reviewer.
I expect avoid any biased judgement or conflict of interest, as always do.
I raised my hand in your call with my end user side in mind, but I am a
developer too.
I agree that checks and balances are needed to avoid biased opinion (when I
joined WAFEC I saw few users, and this is bad), and make end user
participate more is a good start point, but is not guarantee, once I (and
anyone) as end users can defend some vendor/product point of view (just
because he/she see the WAF through the lens of product A or B), not because
is trying to privilege the product. And all member (mainly those do writing
and make the revision) of WAFEC must be committed to avoid this.
How to refer to me? "Independent developer", "End user/Independent
developer" or any other appropriated description, more clear, better. As I
have no affiliation with any vendor or reseller, I speak by myself.
I understand your care, and respect this. And I'd like to contribute more
to WAFEC, in my best.
Best regards,
Klaubert Herr
Em 19/06/2014 01:29, "Christian Heinrich" christian.heinrich@cmlh.id.au
escreveu:
Klaubert,
I have made the assumption that:
-
Your an experienced end user of ModSecurity i.e.
http://br.linkedin.com/pub/klaubert-herr/51/b58/128 -
... and also the developer of http://waf-fle.org/about/ i.e. a
ModSecurity Console which is GNUv3 licensed i.e.
https://github.com/klaubert/waf-fle/blob/master/LICENSE
I am seeking end users i.e. 1. above
Therefore, the conflict of interest would be 2. which could be
resolved if the other developers of competing ModSecurity Console(s),
such as http://www.jwall.org/, etc.
If this can't be resolved without dispute then I could credit your
[accepted] contribution as a ModSecurity "Independent Developer" (i.e.
not the vendor Trustwave) since I would like to declare any possible
bias, even unintended, within WAFECv2
The "Independent Developer" classification is different from the
contributions made by vendors themselves such as Imperva, Trustwave
and possibly https://www.ironbee.com/ i.e. Qualys, etc.
I have no issue if you would like to highlight that you contributed x,
y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
to click a link which would also provide a list of other possible
solution(s) that adhered to x, y and z of which the other vendors
would have to undertake their own evaluation with an independent
testing authority.
Does this seem reasonable?
On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
klaubert@gmail.com wrote:
Christian,
If is good to you, I'd like to join you to complete and review the WAFEC
(I
have missed your last mail, sorry to not answer before).
And I expect to have some time in this months too.
Best regards,
Klaubert Herr
http://waf-fle.org
On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:
Ofer,
Achim has also offered to assist.
It would appear that I have some spare cycles over July and August so
I would like to kick off then.
Is WASC and the community ok with this?
On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:
Ofer,
I would like to see WAFEC v2 released in 2014 and would like to share
leadership with two (or more) end users for objectivity?
I would like to see the other people volunteering commit to reviewing
the mail archive from the kick off onwards i.e.
onwards as this has captured a lot of knowledge on the content
proposed for v2.
Is there a formal process defined within
http://www.webappsec.org/aboutus.shtml or elsewhere?
On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:
I guess that after a year or more of little progress, I need to admit
that
we have stalled. The information as it appears on the OWASP project
page
([1]) and the WASC wiki page ([2]) is mostly the latest available. I
have a
bit more which was submitted and is waiting for publication for
review,
but
nothing significant. While it is always high on my to do list, it is
never
high enough. WAFs and application security in general are not my day
work
but just a hobby and this has its toll. I think that project
certainly
need
someone fresh to take over. Any volunteer?
--
Regards,
Christian Heinrich
Klaubert,
I am in a similar position to yourself, an end user and a developer
but not specific to WAF.
I think a simple small statement in your own words such as "Klaubert
is an end user located in Brazil and in his spare time develops
WAF-FLE which is an open source and free ModSecurity console"
discloses any conflict of interest while establishing technical
creditability at the same time and this is a win win for WAFEC too.
On Fri, Jun 20, 2014 at 2:08 PM, Klaubert Herr da Silveira
klaubert@gmail.com wrote:
Christian,
I really like of your propose and care to seek end user contributions to
continue WAFEC v2, an evaluation criteria made mainly by vendors can be too
partial and lost the practical focus need by evaluators.
Acting mainly as consultant and end user (using open source and commercial
WAF's), and waf-fle developer in spare time, I came in the past to Ofer
Shezaf, to contribute as a reviewer.
I expect avoid any biased judgement or conflict of interest, as always do. I
raised my hand in your call with my end user side in mind, but I am a
developer too.
I agree that checks and balances are needed to avoid biased opinion (when I
joined WAFEC I saw few users, and this is bad), and make end user
participate more is a good start point, but is not guarantee, once I (and
anyone) as end users can defend some vendor/product point of view (just
because he/she see the WAF through the lens of product A or B), not because
is trying to privilege the product. And all member (mainly those do writing
and make the revision) of WAFEC must be committed to avoid this.
How to refer to me? "Independent developer", "End user/Independent
developer" or any other appropriated description, more clear, better. As I
have no affiliation with any vendor or reseller, I speak by myself.
I understand your care, and respect this. And I'd like to contribute more to
WAFEC, in my best.
--
Regards,
Christian Heinrich
Christian,
Ok, in my words "Klaubert is an end user located in Brazil and in his spare
time develops WAF-FLE which is an open source and free ModSecurity console"
Best regards,
Klaubert
On Fri, Jun 20, 2014 at 3:50 AM, Christian Heinrich <
christian.heinrich@cmlh.id.au> wrote:
Klaubert,
I am in a similar position to yourself, an end user and a developer
but not specific to WAF.
I think a simple small statement in your own words such as "Klaubert
is an end user located in Brazil and in his spare time develops
WAF-FLE which is an open source and free ModSecurity console"
discloses any conflict of interest while establishing technical
creditability at the same time and this is a win win for WAFEC too.
On Fri, Jun 20, 2014 at 2:08 PM, Klaubert Herr da Silveira
klaubert@gmail.com wrote:
Christian,
I really like of your propose and care to seek end user contributions to
continue WAFEC v2, an evaluation criteria made mainly by vendors can be
too
partial and lost the practical focus need by evaluators.
Acting mainly as consultant and end user (using open source and
commercial
WAF's), and waf-fle developer in spare time, I came in the past to Ofer
Shezaf, to contribute as a reviewer.
I expect avoid any biased judgement or conflict of interest, as always
do. I
raised my hand in your call with my end user side in mind, but I am a
developer too.
I agree that checks and balances are needed to avoid biased opinion
(when I
joined WAFEC I saw few users, and this is bad), and make end user
participate more is a good start point, but is not guarantee, once I (and
anyone) as end users can defend some vendor/product point of view (just
because he/she see the WAF through the lens of product A or B), not
because
is trying to privilege the product. And all member (mainly those do
writing
and make the revision) of WAFEC must be committed to avoid this.
How to refer to me? "Independent developer", "End user/Independent
developer" or any other appropriated description, more clear, better. As
I
have no affiliation with any vendor or reseller, I speak by myself.
I understand your care, and respect this. And I'd like to contribute
more to
WAFEC, in my best.
--
Regards,
Christian Heinrich
I have no doubt that Klaubert will make a significant contribution to
WAFEC based on his end user experience with ModSecurity but I want to
establish a code of conduct that is applicable, known and fair to
contributors beforehand so that WASC can avoid incidents related to
favouritism which are reoccur time and time again within OWASP i.e.
http://www.greebo.net/2011/03/18/owasp-podcast-82-authorship-of-owasp-top-10-2007/,
http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
http://blog.diniscruz.com/2014/06/in-samanthas-words-why-i-resigned-my.html
(I noticed that Dinis Cruz deleted my comment to this Blog Post), etc
WASC has avoided these situations for nearly a decade. We require project
material discussions to be held on a public list, so that people can spot
any bias material and question it. While I appreciate your dedication to
ensuring materials are unbiased, I don't believe grilling 'contributors'
on their background is the right approach. If you observe an individual
who 'currently works' at a vendor/service provider, and is trying to hide this
fact, then call it out. Otherwise please refrain from interigating
contributors, this will not be tolerated. If you observe a project leader
who is outright in a position of 'conflict of interest' then please feel
free to call it out on the list.
As always, if you see bias in a direction of a project,
call out the specific instance.
The other issue that I am attempting to manage is the unsubstantiated
rumour that WASC Project are nothing more than direct vendor promotion
e.g. http://lists.owasp.org/pipermail/owasp-board/2007-March/005551.html
This email is nearly 5 years old, and honestly we don't care how people
speculate about us. We let facts dictate how we are observed.
If two parties diff on their opinion then I will forward it to Ofer
for moderation because he is extremely fair and not associated with a
WAF vendor.
That is Ofer's job.
Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/
Robert,
On Sat, Jun 21, 2014 at 2:35 AM, Robert A. robert@webappsec.org wrote:
WASC has avoided these situations for nearly a decade. We require project
material discussions to be held on a public list, so that people can spot
any bias material and question it. While I appreciate your dedication to
ensuring materials are unbiased, I don't believe grilling 'contributors' on
their background is the right approach. If you observe an individual who
'currently works' at a vendor/service provider, and is trying to hide this
fact, then call it out. Otherwise please refrain from interigating
contributors, this will not be tolerated. If you observe a project leader
who is outright in a position of 'conflict of interest' then please feel
free to call it out on the list.
As always, if you see bias in a direction of a project, call out the
specific instance.
I don't believe this type of situation would arise but I will escalate
it on to Ofer to resolve.
Plus, it would be up to the various WAF vendors, including FOSS, to
highlight if WAFEC is bias towards a particular vendor(s) feature or
feature "x" is called feature "y" in their product during the Release
Candidate (RC) period i.e. when the draft is published to a wider
audience.
I am not into calling people out on mailing list as I prefer a softer
less direct approach because it usually a simple misunderstanding.
I believe there is some merit in listing experienced end users as
contributors because this demonstrates to the reader that WAFEC was
created by end users for end users. Vendors should also be listed as
it demonstrates that their awareness of WAFEC.
On Sat, Jun 21, 2014 at 2:35 AM, Robert A. robert@webappsec.org wrote:
This email is nearly 5 years old, and honestly we don't care how people
speculate about us. We let facts dictate how we are observed.
Unfortunately our reputation, although underserved and created by
rumour represents our first impression.
Hence the reason I have raised this now rather than when it becomes to
late to address.
Let's continue this discussion if we need to escalate Ofer because it
will become a WASC policy item rather than contributing to the next
release of WAFEC itself.
--
Regards,
Christian Heinrich
On Sat, Jun 21, 2014 at 2:35 AM, Robert A. robert@webappsec.org wrote:
WASC has avoided these situations for nearly a decade. We require project
material discussions to be held on a public list, so that people can spot
any bias material and question it. While I appreciate your dedication to
ensuring materials are unbiased, I don't believe grilling 'contributors' on
their background is the right approach. If you observe an individual who
'currently works' at a vendor/service provider, and is trying to hide this
fact, then call it out. Otherwise please refrain from interigating
contributors, this will not be tolerated. If you observe a project leader
who is outright in a position of 'conflict of interest' then please feel
free to call it out on the list.
As always, if you see bias in a direction of a project, call out the
specific instance.
I don't believe this type of situation would arise but I will escalate
it on to Ofer to resolve.
Great. If you ever escalate a 'bias' or 'conflict of interest' issue to a
project leader, and don't believe it's being properly addressed bring it up on the list.
If it's just a matter of personal opinion about a project direction, then
it's up to the project leader to ultimately decide.
Plus, it would be up to the various WAF vendors, including FOSS, to
highlight if WAFEC is bias towards a particular vendor(s) feature or
feature "x" is called feature "y" in their product during the Release
Candidate (RC) period i.e. when the draft is published to a wider
audience.
Precisely. No vendor wants marketing FUD from a competitor in a standard.
So far WASC has been really good at avoiding this situation. People keep
each other in check in this way.
I believe there is some merit in listing experienced end users as
contributors because this demonstrates to the reader that WAFEC was
created by end users for end users. Vendors should also be listed as
it demonstrates that their awareness of WAFEC.
We should include this in the final deliverable, end users don't
really read the project lists. How this is to be represented can be
discussed but is ultimately the decision of the project lead.
On Sat, Jun 21, 2014 at 2:35 AM, Robert A. robert@webappsec.org wrote:
This email is nearly 5 years old, and honestly we don't care how people
speculate about us. We let facts dictate how we are observed.
Unfortunately our reputation, although underserved and created by
rumour represents our first impression.
We'll agree to disagree. WASC has not had nearly the drama of OWASP, and
we're going to keep it that way. Facts dictate reality as far as I, and a
few other WASC officers are concerned who I have spoken to this about.
Hence the reason I have raised this now rather than when it becomes to
late to address.
I really do appreciate the care you're putting in to making this a
solid project. Please just remember we are a seperate organization than
some of the others you've worked with and should be treated as such.
Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/
Robert,
On Sat, Jun 21, 2014 at 8:21 AM, Robert A. robert@webappsec.org wrote:
We'll agree to disagree. WASC has not had nearly the drama of OWASP, and
we're going to keep it that way. Facts dictate reality as far as I, and a
few other WASC officers are concerned who I have spoken to this about.
On Sat, Jun 21, 2014 at 8:21 AM, Robert A. robert@webappsec.org wrote:
I really do appreciate the care you're putting in to making this a solid
project. Please just remember we are a seperate organization than some of
the others you've worked with and should be treated as such.
Josh Sokol (OWASP Board Member) independently reviewed the root cause
of the my dispute with OWASP and his opinion is that Dinis Cruz's
intent was nothing more than a personal attack according to
http://lists.owasp.org/pipermail/owasp-board/2014-February/013107.html
http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
... since people then ask :)
The reason I unsubscribe my @owasp.org e-mail address and start
contributing to WASC from my @cmlh.id.au was due to the incorrect
opinion they held of me was the same incorrect opinion OWASP held for
WASC.
This is also the reason why I moved from positively contributing to
the OWASP Top 10 to http://cwe.mitre.org/top25/contributors.html too.
Furthermore, I still maintain a relationship with people who have
positively contributed to OWASP in the past but are deluded with the
preferential treatment of OWASP Board Members vested self interests
and I encourage them to consider contributing to WASC, SafeCODE, etc
where their contribution is valued.
I am extremely grateful for the respect and welcome that WASC has
shown me and intend to treat others with the same courtesy, including
people still associated with OWASP.
--
Regards,
Christian Heinrich
Josh Sokol (OWASP Board Member) independently reviewed the root cause
of the my dispute with OWASP and his opinion is that Dinis Cruz's
intent was nothing more than a personal attack according to
http://lists.owasp.org/pipermail/owasp-board/2014-February/013107.html
http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
... since people then ask :)
Honestly I ask you don't bring the drama here, let's just leave it
elsewhere. We don't need to discuss it at WASC.
I am extremely grateful for the respect and welcome that WASC has
shown me and intend to treat others with the same courtesy, including
Sounds good.
Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/