wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


Question about WAFEC.

Christian Heinrich
Fri, Jun 20, 2014 2:16 AM

Robert,

On Fri, Jun 20, 2014 at 3:01 AM, Robert A. robert@webappsec.org wrote:

> Christian,
> At WASC we are ok with individuals representing themselves however they
> want, and in fact if they work at a vendor/services provider we encourage the
> disclosure.
>
> Really there isn't a 'conflict of interest' for project contributors. If there arises
> an issue it is up to the project leader to resolve openly on the list. The only real
> area where 'conflict of interest' exists is when it comes to project leadership. A
> project leader/leaders CAN NOT lead a project if there is a conflict of interest
> (employer, personal product or service, etc). This is one of the things WASC
> has been good at enforcing,
> and will continue to do so to ensure no bias.

I have no doubt that Klaubert will make a significant contribution to
WAFEC based on his end user experience with ModSecurity but I want to
establish a code of conduct that is applicable, known and fair to
contributors beforehand so that WASC can avoid incidents related to
favouritism which recur time and time again within OWASP i.e.
http://www.greebo.net/2011/03/18/owasp-podcast-82-authorship-of-owasp-top-10-2007/,
http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
http://blog.diniscruz.com/2014/06/in-samanthas-words-why-i-resigned-my.html
(I noticed that Dinis Cruz deleted my comment on this Blog Post), etc.

The other issue that I am attempting to manage is the unsubstantiated
rumour that WASC Projects are nothing more than direct vendor promotion
e.g. http://lists.owasp.org/pipermail/owasp-board/2007-March/005551.html

I myself have no involvement with WAF technology at the moment as I
lost my job as an end user managing a WAF because I refused to endorse
vendor x over vendor y, a situation that could have been avoided with the
application of WAFEC.

If two parties differ in their opinion then I will forward it to Ofer
for moderation because he is extremely fair and not associated with a
WAF vendor.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Klaubert Herr da Silveira
Fri, Jun 20, 2014 4:08 AM

Christian,

I really like your proposal and care in seeking end user contributions to
continue WAFEC v2; evaluation criteria made mainly by vendors can be too
partial and lose the practical focus needed by evaluators.

Acting mainly as a consultant and end user (using open source and commercial
WAFs), and as a waf-fle developer in my spare time, I came in the past to Ofer
Shezaf to contribute as a reviewer.

I expect to avoid any biased judgement or conflict of interest, as I always
do. I raised my hand in your call with my end user side in mind, but I am a
developer too.

I agree that checks and balances are needed to avoid biased opinion (when I
joined WAFEC I saw few users, and this is bad), and making end users
participate more is a good starting point, but it is not a guarantee, since I
(and anyone) as an end user can defend some vendor/product point of view (just
because he/she sees the WAF through the lens of product A or B), not because
of trying to privilege the product. And all members (mainly those doing the
writing and making the revision) of WAFEC must be committed to avoiding this.

How to refer to me? "Independent developer", "End user/Independent
developer" or any other appropriate description; the clearer, the better. As I
have no affiliation with any vendor or reseller, I speak for myself.

I understand your care, and respect it. And I'd like to contribute more to
WAFEC, as best I can.

Best regards,

Klaubert Herr

On 19/06/2014 01:29, "Christian Heinrich" christian.heinrich@cmlh.id.au
wrote:

> Klaubert,
>
> I have made the assumption that:
>
>   1. You're an experienced end user of ModSecurity i.e.
>     http://br.linkedin.com/pub/klaubert-herr/51/b58/128
>
>   2. ... and also the developer of http://waf-fle.org/about/ i.e. a
>     ModSecurity Console which is GNUv3 licensed i.e.
>     https://github.com/klaubert/waf-fle/blob/master/LICENSE
>
> I am seeking end users i.e. 1. above
>
> Therefore, the conflict of interest would be 2. which could be
> resolved if the other developers of competing ModSecurity Console(s),
> such as http://www.jwall.org/, etc.
>
> If this can't be resolved without dispute then I could credit your
> [accepted] contribution as a ModSecurity "Independent Developer" (i.e.
> not the vendor Trustwave) since I would like to declare any possible
> bias, even unintended, within WAFECv2
>
> The "Independent Developer" classification is different from the
> contributions made by vendors themselves such as Imperva, Trustwave
> and possibly https://www.ironbee.com/ i.e. Qualys, etc.
>
> I have no issue if you would like to highlight that you contributed x,
> y and z to WAFECv2 on http://waf-fle.org/ of which the reader was able
> to click a link which would also provide a list of other possible
> solution(s) that adhered to x, y and z of which the other vendors
> would have to undertake their own evaluation with an independent
> testing authority.
>
> Does this seem reasonable?
>
> On Thu, Jun 19, 2014 at 12:06 PM, Klaubert Herr da Silveira
> klaubert@gmail.com wrote:
>
> > Christian,
> >
> > If it is good for you, I'd like to join you to complete and review the WAFEC
> > (I have missed your last mail, sorry for not answering before).
> > And I expect to have some time in these months too.
> >
> > Best regards,
> >
> > Klaubert Herr
> > http://waf-fle.org
> >
> > On Wed, Jun 18, 2014 at 10:51 PM, Christian Heinrich
> > christian.heinrich@cmlh.id.au wrote:
> >
> > > Ofer,
> > >
> > > Achim has also offered to assist.
> > >
> > > It would appear that I have some spare cycles over July and August so
> > > I would like to kick off then.
> > >
> > > Is WASC and the community ok with this?
> > >
> > > On Mon, May 5, 2014 at 11:53 AM, Christian Heinrich
> > > christian.heinrich@cmlh.id.au wrote:
> > >
> > > > Ofer,
> > > >
> > > > I would like to see WAFEC v2 released in 2014 and would like to share
> > > > leadership with two (or more) end users for objectivity?
> > > >
> > > > I would like to see the other people volunteering commit to reviewing
> > > > the mail archive from the kick off onwards i.e.
> > > > http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/date.html
> > > > onwards as this has captured a lot of knowledge on the content
> > > > proposed for v2.
> > > >
> > > > Is there a formal process defined within
> > > > http://www.webappsec.org/aboutus.shtml or elsewhere?
> > > >
> > > > On Mon, Apr 7, 2014 at 7:53 AM, Ofer Shezaf ofer@shezaf.com wrote:
> > > >
> > > > > I guess that after a year or more of little progress, I need to admit
> > > > > that we have stalled. The information as it appears on the OWASP project
> > > > > page ([1]) and the WASC wiki page ([2]) is mostly the latest available. I
> > > > > have a bit more which was submitted and is waiting for publication for
> > > > > review, but nothing significant. While it is always high on my to do
> > > > > list, it is never high enough. WAFs and application security in general
> > > > > are not my day work but just a hobby and this has its toll. I think that
> > > > > the project certainly needs someone fresh to take over. Any volunteer?
> > >
> > > --
> > > Regards,
> > > Christian Heinrich
> > >
> > > http://cmlh.id.au/contact
> > >
> > > wasc-wafec mailing list
> > > wasc-wafec@lists.webappsec.org
> > > http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

Christian Heinrich
Fri, Jun 20, 2014 6:50 AM

Klaubert,

I am in a similar position to yourself, an end user and a developer
but not specific to WAF.

I think a simple small statement in your own words such as "Klaubert
is an end user located in Brazil and in his spare time develops
WAF-FLE which is an open source and free ModSecurity console"
discloses any conflict of interest while establishing technical
credibility at the same time and this is a win-win for WAFEC too.

On Fri, Jun 20, 2014 at 2:08 PM, Klaubert Herr da Silveira
klaubert@gmail.com wrote:

> Christian,
>
> I really like your proposal and care in seeking end user contributions to
> continue WAFEC v2; evaluation criteria made mainly by vendors can be too
> partial and lose the practical focus needed by evaluators.
>
> Acting mainly as a consultant and end user (using open source and commercial
> WAFs), and as a waf-fle developer in my spare time, I came in the past to Ofer
> Shezaf to contribute as a reviewer.
>
> I expect to avoid any biased judgement or conflict of interest, as I always
> do. I raised my hand in your call with my end user side in mind, but I am a
> developer too.
>
> I agree that checks and balances are needed to avoid biased opinion (when I
> joined WAFEC I saw few users, and this is bad), and making end users
> participate more is a good starting point, but it is not a guarantee, since I
> (and anyone) as an end user can defend some vendor/product point of view (just
> because he/she sees the WAF through the lens of product A or B), not because
> of trying to privilege the product. And all members (mainly those doing the
> writing and making the revision) of WAFEC must be committed to avoiding this.
>
> How to refer to me? "Independent developer", "End user/Independent
> developer" or any other appropriate description; the clearer, the better. As I
> have no affiliation with any vendor or reseller, I speak for myself.
>
> I understand your care, and respect it. And I'd like to contribute more to
> WAFEC, as best I can.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Klaubert Herr da Silveira
Fri, Jun 20, 2014 12:18 PM

Christian,

Ok, in my words "Klaubert is an end user located in Brazil and in his spare
time develops WAF-FLE which is an open source and free ModSecurity console"

Best regards,

Klaubert

On Fri, Jun 20, 2014 at 3:50 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

> Klaubert,
>
> I am in a similar position to yourself, an end user and a developer
> but not specific to WAF.
>
> I think a simple small statement in your own words such as "Klaubert
> is an end user located in Brazil and in his spare time develops
> WAF-FLE which is an open source and free ModSecurity console"
> discloses any conflict of interest while establishing technical
> credibility at the same time and this is a win-win for WAFEC too.
>
> On Fri, Jun 20, 2014 at 2:08 PM, Klaubert Herr da Silveira
> klaubert@gmail.com wrote:
>
> > Christian,
> >
> > I really like your proposal and care in seeking end user contributions to
> > continue WAFEC v2; evaluation criteria made mainly by vendors can be too
> > partial and lose the practical focus needed by evaluators.
> >
> > Acting mainly as a consultant and end user (using open source and commercial
> > WAFs), and as a waf-fle developer in my spare time, I came in the past to Ofer
> > Shezaf to contribute as a reviewer.
> >
> > I expect to avoid any biased judgement or conflict of interest, as I always
> > do. I raised my hand in your call with my end user side in mind, but I am a
> > developer too.
> >
> > I agree that checks and balances are needed to avoid biased opinion (when I
> > joined WAFEC I saw few users, and this is bad), and making end users
> > participate more is a good starting point, but it is not a guarantee, since I
> > (and anyone) as an end user can defend some vendor/product point of view (just
> > because he/she sees the WAF through the lens of product A or B), not because
> > of trying to privilege the product. And all members (mainly those doing the
> > writing and making the revision) of WAFEC must be committed to avoiding this.
> >
> > How to refer to me? "Independent developer", "End user/Independent
> > developer" or any other appropriate description; the clearer, the better. As I
> > have no affiliation with any vendor or reseller, I speak for myself.
> >
> > I understand your care, and respect it. And I'd like to contribute more to
> > WAFEC, as best I can.
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Robert A.
Fri, Jun 20, 2014 4:35 PM

> I have no doubt that Klaubert will make a significant contribution to
> WAFEC based on his end user experience with ModSecurity but I want to
> establish a code of conduct that is applicable, known and fair to
> contributors beforehand so that WASC can avoid incidents related to
> favouritism which recur time and time again within OWASP i.e.
> http://www.greebo.net/2011/03/18/owasp-podcast-82-authorship-of-owasp-top-10-2007/,
> http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
> http://blog.diniscruz.com/2014/06/in-samanthas-words-why-i-resigned-my.html
> (I noticed that Dinis Cruz deleted my comment on this Blog Post), etc.

WASC has avoided these situations for nearly a decade. We require project
material discussions to be held on a public list, so that people can spot
any biased material and question it. While I appreciate your dedication to
ensuring materials are unbiased, I don't believe grilling 'contributors'
on their background is the right approach. If you observe an individual
who 'currently works' at a vendor/service provider, and is trying to hide this
fact, then call it out. Otherwise please refrain from interrogating
contributors; this will not be tolerated. If you observe a project leader
who is outright in a position of 'conflict of interest' then please feel
free to call it out on the list.

As always, if you see bias in a direction of a project,
call out the specific instance.

> The other issue that I am attempting to manage is the unsubstantiated
> rumour that WASC Projects are nothing more than direct vendor promotion
> e.g. http://lists.owasp.org/pipermail/owasp-board/2007-March/005551.html

This email is nearly 5 years old, and honestly we don't care how people
speculate about us. We let facts dictate how we are observed.

> If two parties differ in their opinion then I will forward it to Ofer
> for moderation because he is extremely fair and not associated with a
> WAF vendor.

That is Ofer's job.

Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/

> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

Christian Heinrich
Fri, Jun 20, 2014 10:14 PM

Robert,

On Sat, Jun 21, 2014 at 2:35 AM, Robert A. robert@webappsec.org wrote:

> WASC has avoided these situations for nearly a decade. We require project
> material discussions to be held on a public list, so that people can spot
> any biased material and question it. While I appreciate your dedication to
> ensuring materials are unbiased, I don't believe grilling 'contributors' on
> their background is the right approach. If you observe an individual who
> 'currently works' at a vendor/service provider, and is trying to hide this
> fact, then call it out. Otherwise please refrain from interrogating
> contributors; this will not be tolerated. If you observe a project leader
> who is outright in a position of 'conflict of interest' then please feel
> free to call it out on the list.
>
> As always, if you see bias in a direction of a project, call out the
> specific instance.

I don't believe this type of situation would arise but I will escalate
it on to Ofer to resolve.

Plus, it would be up to the various WAF vendors, including FOSS, to
highlight if WAFEC is biased towards a particular vendor's feature or
feature "x" is called feature "y" in their product during the Release
Candidate (RC) period i.e. when the draft is published to a wider
audience.

I am not into calling people out on a mailing list as I prefer a softer,
less direct approach because it is usually a simple misunderstanding.

I believe there is some merit in listing experienced end users as
contributors because this demonstrates to the reader that WAFEC was
created by end users for end users. Vendors should also be listed as
it demonstrates their awareness of WAFEC.

On Sat, Jun 21, 2014 at 2:35 AM, Robert A. robert@webappsec.org wrote:

> This email is nearly 5 years old, and honestly we don't care how people
> speculate about us. We let facts dictate how we are observed.

Unfortunately our reputation, although undeserved and created by
rumour, represents our first impression.

Hence the reason I have raised this now rather than when it becomes too
late to address.

Let's continue this discussion if we need to escalate to Ofer because it
will become a WASC policy item rather than contributing to the next
release of WAFEC itself.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Robert, On Sat, Jun 21, 2014 at 2:35 AM, Robert A. <robert@webappsec.org> wrote: > WASC has avoided these situations for nearly a decade. We require project > material discussions to be held on a public list, so that people can spot > any bias material and question it. While I appreciate your dedication to > ensuring materials are unbiased, I don't believe grilling 'contributors' on > their background is the right approach. If you observe an individual who > 'currently works' at a vendor/service provider, and is trying to hide this > fact, then call it out. Otherwise please refrain from interigating > contributors, this will not be tolerated. If you observe a project leader > who is outright in a position of 'conflict of interest' then please feel > free to call it out on the list. > > As always, if you see bias in a direction of a project, call out the > specific instance. I don't believe this type of situation would arise but I will escalate it on to Ofer to resolve. Plus, it would be up to the various WAF vendors, including FOSS, to highlight if WAFEC is bias towards a particular vendor(s) feature or feature "x" is called feature "y" in their product during the Release Candidate (RC) period i.e. when the draft is published to a wider audience. I am not into calling people out on mailing list as I prefer a softer less direct approach because it usually a simple misunderstanding. I believe there is some merit in listing experienced end users as contributors because this demonstrates to the reader that WAFEC was created by end users for end users. Vendors should also be listed as it demonstrates that their awareness of WAFEC. On Sat, Jun 21, 2014 at 2:35 AM, Robert A. <robert@webappsec.org> wrote: > This email is nearly 5 years old, and honestly we don't care how people > speculate about us. We let facts dictate how we are observed. Unfortunately our reputation, although underserved and created by rumour represents our first impression. 
Hence the reason I have raised this now rather than when it becomes to late to address. Let's continue this discussion if we need to escalate Ofer because it will become a WASC policy item rather than contributing to the next release of WAFEC itself. -- Regards, Christian Heinrich http://cmlh.id.au/contact
Robert A.
Fri, Jun 20, 2014 10:21 PM

> On Sat, Jun 21, 2014 at 2:35 AM, Robert A. <robert@webappsec.org> wrote:
>
>> WASC has avoided these situations for nearly a decade. We require project
>> material discussions to be held on a public list, so that people can spot
>> any bias material and question it. While I appreciate your dedication to
>> ensuring materials are unbiased, I don't believe grilling 'contributors' on
>> their background is the right approach. If you observe an individual who
>> 'currently works' at a vendor/service provider, and is trying to hide this
>> fact, then call it out. Otherwise please refrain from interrogating
>> contributors, this will not be tolerated. If you observe a project leader
>> who is outright in a position of 'conflict of interest' then please feel
>> free to call it out on the list.
>>
>> As always, if you see bias in a direction of a project, call out the
>> specific instance.
>
> I don't believe this type of situation would arise but I will escalate
> it on to Ofer to resolve.

Great. If you ever escalate a 'bias' or 'conflict of interest' issue to a
project leader, and don't believe it's being properly addressed, bring it up on the list.
If it's just a matter of personal opinion about a project direction, then
it's up to the project leader to ultimately decide.

> Plus, it would be up to the various WAF vendors, including FOSS, to
> highlight if WAFEC is biased towards a particular vendor(s) feature or
> feature "x" is called feature "y" in their product during the Release
> Candidate (RC) period i.e. when the draft is published to a wider
> audience.

Precisely. No vendor wants marketing FUD from a competitor in a standard.
So far WASC has been really good at avoiding this situation. People keep
each other in check in this way.

> I believe there is some merit in listing experienced end users as
> contributors because this demonstrates to the reader that WAFEC was
> created by end users for end users. Vendors should also be listed as
> it demonstrates their awareness of WAFEC.

We should include this in the final deliverable, end users don't
really read the project lists. How this is to be represented can be
discussed but is ultimately the decision of the project lead.

> On Sat, Jun 21, 2014 at 2:35 AM, Robert A. <robert@webappsec.org> wrote:
>
>> This email is nearly 5 years old, and honestly we don't care how people
>> speculate about us. We let facts dictate how we are observed.
>
> Unfortunately our reputation, although undeserved and created by
> rumour, represents our first impression.

We'll agree to disagree. WASC has not had nearly the drama of OWASP, and
we're going to keep it that way. Facts dictate reality as far as I, and a
few other WASC officers are concerned who I have spoken to this about.

> Hence the reason I have raised this now rather than when it becomes too
> late to address.

I really do appreciate the care you're putting into making this a
solid project. Please just remember we are a separate organization from
some of the others you've worked with and should be treated as such.

Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/

Christian Heinrich
Fri, Jun 20, 2014 11:34 PM

Robert,

On Sat, Jun 21, 2014 at 8:21 AM, Robert A. <robert@webappsec.org> wrote:

> We'll agree to disagree. WASC has not had nearly the drama of OWASP, and
> we're going to keep it that way. Facts dictate reality as far as I, and a
> few other WASC officers are concerned who I have spoken to this about.

On Sat, Jun 21, 2014 at 8:21 AM, Robert A. <robert@webappsec.org> wrote:

> I really do appreciate the care you're putting into making this a solid
> project. Please just remember we are a separate organization from some of
> the others you've worked with and should be treated as such.

Josh Sokol (OWASP Board Member) independently reviewed the root cause
of my dispute with OWASP and his opinion is that Dinis Cruz's
intent was nothing more than a personal attack according to
http://lists.owasp.org/pipermail/owasp-board/2014-February/013107.html

http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
... since people then ask :)

The reason I unsubscribed my @owasp.org e-mail address and started
contributing to WASC from my @cmlh.id.au address was that the incorrect
opinion they held of me was the same incorrect opinion OWASP held of
WASC.

This is also the reason why I moved from positively contributing to
the OWASP Top 10 to http://cwe.mitre.org/top25/contributors.html too.

Furthermore, I still maintain a relationship with people who have
positively contributed to OWASP in the past but are deluded with the
preferential treatment of OWASP Board Members vested self interests
and I encourage them to consider contributing to WASC, SafeCODE, etc
where their contribution is valued.

I am extremely grateful for the respect and welcome that WASC has
shown me and intend to treat others with the same courtesy, including
people still associated with OWASP.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Robert A.
Fri, Jun 20, 2014 11:40 PM

> Josh Sokol (OWASP Board Member) independently reviewed the root cause
> of my dispute with OWASP and his opinion is that Dinis Cruz's
> intent was nothing more than a personal attack according to
> http://lists.owasp.org/pipermail/owasp-board/2014-February/013107.html
>
> http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
> ... since people then ask :)

Honestly I ask you don't bring the drama here, let's just leave it
elsewhere. We don't need to discuss it at WASC.

> I am extremely grateful for the respect and welcome that WASC has
> shown me and intend to treat others with the same courtesy, including
Sounds good.

Regards,
Robert Auger
WASC Co Founder/WASC Officer
http://www.webappsec.org/
