WASC Web Application Firewall Evaluation Criteria Project Mailing List
Hi All,
I have been contemplating the idea of making WAFEC a joined WASC/OWASP
project and talked with several of you as well as with OWASP leaders on the
idea. The reasons I think are clear:
· For good or bad, OWASP outreach is much bigger.
· WASC is perceived as a "vendors' organization" and the list of
participants in WAFEC certainly proves that. Affiliation with OWASP will
help popularize WAFEC also with customers.
In my talks with OWASP leaders I put two requirements to reflect the "joined
project" concept that were accepted:
· The name, when affiliation is used, would be "The WASC/OWASP Web
Application Firewall Evaluation Criteria".
· Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the
OWASP GPC (i.e. Project Committee) and by the WASC officers.
I would like to get your input on this suggestion and then vote on it. I do
want to say I feel pretty strongly that this is essential for WAFEC
acceptance and success.
I do also remind you that I still wait for your input on the outline draft I
distributed. If I get no remarks and volunteers I will: (a) take it as a
yes, and (b) start working on sections I choose to own.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]
Ofer,
I would prefer that we defer until the events of the recent
https://www.owasp.org/index.php/Membership/2012_Election and their
elected officials have taken office (from January 2013) for a period
of time (say February 2013?) before voting on this.
I don't believe that this period is too long considering I have
participated in the development of WAFEC since February 2011.
On Wed, Oct 31, 2012 at 8:33 PM, Ofer Shezaf ofer@shezaf.com wrote:
I would like to get your input on this suggestion and then vote on it. I do
want to say I feel pretty strongly that this is essential for WAFEC
acceptance and success.
--
Regards,
Christian Heinrich
Christian,
I don't think the OWASP elections are of essence in this case. Neither
organizations nor projects should stop due to elections, and in any case the
elections have taken place and not much has changed on the board.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Thursday, November 01, 2012 8:28 AM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Making WAFEC a joined WASC/OWASP project
Ofer,
I would prefer that we defer until the events of the recent
https://www.owasp.org/index.php/Membership/2012_Election and their elected
officials have taken office (from January 2013) for a period of time (say
February 2013?) before voting on this.
I don't believe that this period is too long considering I have participated
in the development of WAFEC since February 2011.
On Wed, Oct 31, 2012 at 8:33 PM, Ofer Shezaf ofer@shezaf.com wrote:
I would like to get your input on this suggestion and then vote on it.
I do want to say I feel pretty strongly that this is essential for
WAFEC acceptance and success.
--
Regards,
Christian Heinrich
Ofer,
On Thu, Nov 1, 2012 at 6:14 PM, Ofer Shezaf ofer@shezaf.com wrote:
I don't think the OWASP elections are of essence in this case. Neither
organizations nor projects should stop due to elections, and in any case the
elections have taken place and not much has changed on the board.
The stability of the OWASP Board is of the utmost importance and their recent
election is under dispute.
However, I don't believe that a formal relationship with OWASP would
provide WAFEC with any additional benefit and would greatly harm WAFEC:
Trustwave dominate the OWASP Board and have exerted the influence to
manipulate various outcomes to their sole benefit e.g.
https://lists.owasp.org/pipermail/committees-chairs/2011-September/000574.html
The OWASP GPC is abused by Aspect Security to maintain exclusive
control of various projects, such as the
https://lists.owasp.org/pipermail/global-projects-committee/2011-August/002311.html i.e.
Jason Li, Arshan Dabirsiaghi and Juan Carlos Calderon are all
employees of Aspect Security and neither has development continued on
owasp-java-waf since this e-mail by Juan (who had nothing to do with these
politics at the time of this event as he was not an Aspect Security
employee at the time).
OWASP's own admission is that WASC has further reach via our
websecurity@ mailing list i.e.
http://lists.owasp.org/pipermail/owasp-board/2007-March/005552.html and
this is further supported by their continued spam of WASC mailing lists
i.e. https://www.google.com.au/search?q=site:lists.webappsec.org+owasp
Ultimately, OWASP intends to dissolve WASC and take ownership of our high
quality projects from the WASC Board i.e. "Talking about WASC, we should
merge :) (as in WASC joins OWASP , and OWASP keeps the brand)" as quoted
from http://lists.owasp.org/pipermail/owasp-board/2007-July/005773.html.
Furthermore, I will no longer be able to participate in WAFEC as I have
been terminated (without a corresponding bylaw) from OWASP even though it
is widely disputed that I won both the unfair trial and flawed appeal when
the OWASP Board deliberately chose not to consider natural justice,
procedural fairness or impartiality and the OWASP Board has deliberately
withheld the release of information i.e.
http://lists.owasp.org/pipermail/owasp-leaders/2012-February/006827.html
Going forward, the relationship I would support would be promoting WAFEC on
https://lists.owasp.org/listinfo/owasp-leaders as
https://www.owasp.org/index.php/User:Oshezaf and I am also willing to
consider an offer from OWASP to promote the final release of WAFECv2 on
their owasp-all@ mailing list?
--
Regards,
Christian Heinrich
Hi Ofer,
Thanks for the laugh. If OWASP can help promote WAFEC, then of course you're welcome.
--Jeff
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
Thanks Jeff.
I would like to make two comments on Christian’s e-mail:
· While I am not in agreement, I value his opinion and welcome him sharing it on the list.
· I will make sure that such a move does not prevent Christian from participating in WAFEC due to his dispute with OWASP. Whether he chooses to participate is his own choice.
~ Ofer
From: Jeff Williams [mailto:jeff.williams@aspectsecurity.com]
Sent: Thursday, November 01, 2012 12:20 PM
To: Christian Heinrich
Cc: Ofer Shezaf; wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Making WAFEC a joined WASC/OWASP project
Hi Ofer,
Thanks for the laugh. If OWASP can help promote WAFEC, then of course you're welcome.
--Jeff
On 10/31/2012 10:33 AM, Ofer Shezaf wrote:
Hi All,
I have been contemplating the idea of making WAFEC a joined WASC/OWASP
project and talked with several of you as well as with OWASP leaders on the
idea. The reasons I think are clear:
· For good or bad, OWASP outreach is much bigger.
· WASC is perceived as a “vendors’ organization” and the list of
participants in WAFEC certainly proves that. Affiliation with OWASP will
help popularize WAFEC also with customers.
In my talks with OWASP leaders I put two requirements to reflect the
“joined project” concept that were accepted:
· The name, when affiliation is used, would be “The WASC/OWASP Web
Application Firewall Evaluation Criteria”.
· Governance would be mutual, i.e. any decision about the project
which is not within the project team itself has to be agreed upon by the
OWASP GPC (i.e. Project Committee) and by the WASC officers.
I would like to get your input on this suggestion
As far as for both sides this is acceptable: strong +1 from me.
and then vote on it. I do want to say I feel pretty strongly that this is essential for WAFEC
acceptance and success.
I do also remind you that I still wait for your input on the outline draft
I distributed. If I get no remarks and volunteers I will: (a) take it as a
yes, and (b) start working on sections I choose to own.
Good plan.
Dirk
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]