WASC Web Application Firewall Evaluation Criteria Project Mailing List
Hi All,
Sorry for the long delay (it is summer after all). I hope to boot the next
phase shortly based on your valuable feedback, but when finally working on
that I had the time to summarize the workshop I held at OWASP AppSec
Research in Athens last month:
Participation was low (6 people). It’s not just the hour (6pm after a hot
and humid day at the Athens University campus) or a marketing failure. It is
also the rift between the OWASP crowd and WAFs. One key take from that is
that WAFEC outreach is an important activity.
I presented a straw man for my thoughts on how we should move further based
on the discussion on this mailing list and I got some good feedback:
· WAFEC needs to define what a WAF is
· Focus on use cases:
  o Use cases are what one uses a WAF for, not how one deploys a WAF
  o One use case is for logging and troubleshooting (is this security related?)
· Add a definitions chapter
· There are qualitative criteria, for example:
  o Usability
  o Learning curve
· With regard to what to include/exclude:
  o Focus on what is specific to a WAF based on the definition above
  o Use common sense to decide:
    § FIPS is very relevant since WAFs uniquely store private keys
    § CE is generic to any appliance so should be skipped.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]
Ofer,
Who are the six that attended and are they members of this mailing list?
On Sat, Aug 18, 2012 at 6:16 AM, Ofer Shezaf ofer@shezaf.com wrote:
Participation was low (6 people). It’s not just the hour (6pm after a hot
and humid day at the Athens University campus) or a marketing failure. It is
also the rift between the OWASP crowd and WAFs.
--
Regards,
Christian Heinrich
Dr. Dirk Wetter and Sebastian Deleersnyder, whom you may all know, are
members of this list. As to the other 4, I neglected to write down a list or
ask them if they allow me to publish their participation.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Sunday, August 19, 2012 1:05 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC workshop in Athens
Ofer,
Who are the six that attended and are they members of this mailing list?
On Sat, Aug 18, 2012 at 6:16 AM, Ofer Shezaf ofer@shezaf.com wrote:
Participation was low (6 people). It's not just the hour (6pm after a
hot and humid day at the Athens University campus) or a marketing
failure. It is also the rift between the OWASP crowd and WAFs.
--
Regards,
Christian Heinrich
Ofer,
I don't believe that OWASP would have an issue with publishing the
names of the other attendees considering the "O" in OWASP refers to
"Open" in the context of transparency.
Perhaps Dr. Dirk Wetter and/or Sebastian Deleersnyder may recall their names?
On Sun, Aug 19, 2012 at 8:25 PM, Ofer Shezaf ofer@shezaf.com wrote:
As to the other 4, I neglected to write down a list or
ask them if they allow me to publish their participation.
--
Regards,
Christian Heinrich
Christian,
It has nothing to do with OWASP. It's a basic right of the people
themselves. I am not saying they would object, I just don't see a huge value
in listing them given that I did not ask their permission in the 1st place.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Sunday, August 19, 2012 1:34 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC workshop in Athens
Ofer,
I don't believe that OWASP would have an issue with publishing the names of
the other attendees considering the "O" in OWASP refers to "Open" in the
context of transparency.
Perhaps Dr. Dirk Wetter and/or Sebastian Deleersnyder may recall their
names?
On Sun, Aug 19, 2012 at 8:25 PM, Ofer Shezaf ofer@shezaf.com wrote:
As to the other 4, I neglected to write down a list or ask them if
they allow me to publish their participation.
--
Regards,
Christian Heinrich
Ofer,
In light of their acknowledged poor WAF "source code" implementation
(which OWASP tried to improve) and my positive proposal to consider it
as part of WAFEC in light of its shortcomings i.e.
https://lists.owasp.org/pipermail/esapi-dev/2011-March/001652.html
then I can't provide comment on what improvements could be made to our
(i.e. WAFEC/WASC) standing with OWASP without further objective
information since I was not present at this OWASP session in Athens.
I will encourage both Dr. Dirk Wetter and/or Sebastian Deleersnyder to
provide their viewpoint?
Apologies for the delay in responding but I am having trouble accessing
"personal" internet during the weekdays due to my work location at the
moment. So expect my next reply to be sometime next weekend, i.e. from
1 September.
On Sun, Aug 19, 2012 at 10:06 PM, Ofer Shezaf ofer@shezaf.com wrote:
Christian,
It has nothing to do with OWASP. It's a basic right of the people
themselves. I am not saying they would object, I just don't see a huge value
in listing them given that I did not ask their permission in the 1st place.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Sunday, August 19, 2012 1:34 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC workshop in Athens
Ofer,
I don't believe that OWASP would have an issue with publishing the names of
the other attendees considering the "O" in OWASP refers to "Open" in the
context of transparency.
Perhaps Dr. Dirk Wetter and/or Sebastian Deleersnyder may recall their
names?
On Sun, Aug 19, 2012 at 8:25 PM, Ofer Shezaf ofer@shezaf.com wrote:
As to the other 4, I neglected to write down a list or ask them if
they allow me to publish their participation.
--
Regards,
Christian Heinrich
Ofer,
As OWASP are refusing to address this (which is clearly expected but
disappointing) I would like to add
http://www.cigital.com/justice-league-blog/2011/09/24/suggestions-for-esapi-2-1-and-beyond/
point of view in light of the claim that ESAPI is considered a
http://sourceforge.net/owasp/projects/Flagship/ which included
http://code.google.com/p/owasp-java-waf/ until Jim, Juan and I
separated it from ESAPI.
WASC should request that WAFEC be listed as a
http://sourceforge.net/owasp/projects/Flagship/ also.
https://lists.owasp.org/pipermail/esapi-dev/2011-August/001920.html
would also provide further supporting evidence of Aspect Security
abuse of their position within the OWASP GPC i.e. both Jason Li, Juan
and Arshan Dabirsiaghi are employees of Aspect Security and neither
has Juan made any progress with OWASP-Java-WAF since this dreadful
takeover from Jason Li i.e. since 1 August 2011 as per
http://code.google.com/p/owasp-java-waf/source/detail?r=7, yet ESAPI
is considered a Flagship Project and this isn't the first time Aspect
Security have been questioned on this appalling governance i.e.
http://lists.owasp.org/pipermail/owasp-board/2012-March/010800.html
(Jim Manico is a former Aspect Security employee).
I would also encourage you to listen to
https://www.owasp.org/download/jmanico/owasp_podcast_88.mp3 and aside
from the numerous project management mistakes that the GPC had made I
would encourage you to pay attention to where Jason Li clearly states
that the GPC does not interfere with the community of developers
around OWASP Projects yet Aspect Security consistently do this time
and time again as demonstrated above.
The OWASP GPC will deliver the same negative experience to WAFEC.
On Sun, Aug 26, 2012 at 6:41 PM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:
Ofer,
In light of their acknowledged poor WAF "source code" implementation
(which OWASP tried to improve) and my positive proposal to consider it
as part of WAFEC in light of its shortcomings i.e.
https://lists.owasp.org/pipermail/esapi-dev/2011-March/001652.html
then I can't provide comment on what improvements could be made to our
(i.e. WAFEC/WASC) standing with OWASP without further objective
information since I was not present at this OWASP session in Athens.
I will encourage both Dr. Dirk Wetter and/or Sebastian Deleersnyder to
provide their viewpoint?
Apologies for the delay in responding but I am having trouble accessing
"personal" internet during the weekdays due to my work location at the
moment. So expect my next reply to be sometime next weekend, i.e. from
1 September.
On Sun, Aug 19, 2012 at 10:06 PM, Ofer Shezaf ofer@shezaf.com wrote:
Christian,
It has nothing to do with OWASP. It's a basic right of the people
themselves. I am not saying they would object, I just don't see a huge value
in listing them given that I did not ask their permission in the 1st place.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Sunday, August 19, 2012 1:34 PM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC workshop in Athens
Ofer,
I don't believe that OWASP would have an issue with publishing the names of
the other attendees considering the "O" in OWASP refers to "Open" in the
context of transparency.
Perhaps Dr. Dirk Wetter and/or Sebastian Deleersnyder may recall their
names?
On Sun, Aug 19, 2012 at 8:25 PM, Ofer Shezaf ofer@shezaf.com wrote:
As to the other 4, I neglected to write down a list or ask them if
they allow me to publish their participation.
--
Regards,
Christian Heinrich