[GPC] Presenting a new project to the OWASP : Naxsi, a WAF for NGINX

Paulo Coimbra pcoimbra at owasp.org
Sat Sep 10 14:02:47 EDT 2011


 Thibault et al,

Hope you are well. As you already know, I didn't set your project up last
Monday as promised but did so the following day. Nevertheless, I
apologize for not contacting you before. As a matter of fact, as you have
pointed out the wish of having your project pushed up the quality ladder, I
have hesitated to keep directing you towards our current assessment
methodology.

However, as you may know, the GPC has been doing its best to upgrade OWASP
Project's processes and we are counting on having significant changes to
publicly present and discuss at the forthcoming OWASP AppSec USA and, being
so, I suggest we wait only a fortnight and thereafter resume this issue
already taking into account the new rules.

If you agree with my proposal above, I will get back to you after September
25. Otherwise, please let me know.

Should you have any questions regarding the wiki's editing, mailing lists
etc please get back to me.

Thanks,
- Paulo

Paulo Coimbra
OWASP Project Manager <https://www.owasp.org/index.php/User:Paulo_Coimbra>

From:  Paulo Coimbra <pcoimbra at owasp.org>
Date:  Fri, 02 Sep 2011 17:07:51 +0100
To:  Thibault Koechlin <thibault.koechlin at nbs-system.com>
Cc:  Sebastien Gioria <sebastien.gioria at owasp.org>, phu
<phu at nbs-system.com>, GPC <global-projects-committee at lists.owasp.org>
Subject:  Re: Presenting a new project to the OWASP : Naxsi, a WAF for NGINX

Hi  Thibault,

As for your question, in accordance with the assessment criteria 2.0 (to be
soon replaced but still in use) every new OWASP Project begins with an Alpha
status. 

https://www.owasp.org/index.php/Assessment_Criteria_v2.0

However as soon as we set up the project and its release (and it will be
done Monday unless the GPC says otherwise), if you wish, we can trigger a
review process and push it up the assessment ladder.

Thanks,
- Paulo

Paulo Coimbra
OWASP Project Manager <https://www.owasp.org/index.php/User:Paulo_Coimbra>

From:  Thibault Koechlin <thibault.koechlin at nbs-system.com>
Organization:  NBS System
Date:  Fri, 02 Sep 2011 10:43:05 +0200
To:  Paulo Coimbra <pcoimbra at owasp.org>
Cc:  Sebastien Gioria <sebastien.gioria at owasp.org>, phu
<phu at nbs-system.com>, GPC <global-projects-committee at lists.owasp.org>
Subject:  Re: Presenting a new project to the OWASP : Naxsi, a WAF for NGINX

Hello Paulo,

Thanks for your reply, I'll fill the WIKI profile asap.
Regarding project status, what is the process to decide in which
category (alpha/beta/stable) the project will fit in ?

Because, even though I said the release is alpha status, lots of tests have
already been performed, and it "should be" production ready (unit
testing, various benches, static source code analysis already performed
etc.).

We have also set up a server where naxsi is acting as a reverse proxy
for damn vulnerable websites to allow people to try to bypass it
(referenced in the WIKI), so a bit of visibility would be good to
attract people to test the software.

Regards,



On Thu, 2011-09-01 at 18:30 +0100, Paulo Coimbra wrote:
>  Hello Thibault,
>  
>  
>  First of all, thank you for volunteering to lead an OWASP Project.  It
>  is with volunteers like yourself that OWASP continues to succeed in
>  making application security visible.
>  
>  
>  Regarding your proposed leadership of this project, I am carbon
>  copying the OWASP Global Projects Committee (GPC) so that it can have
>  the opportunity to look at the roadmap you have sent and provide
>  feedback. If no opposition arises from the GPC, as I expect, I will
>  set your project up.
>  
>  
>  Meanwhile, we recommend that every project leader or contributor
>  creates a wiki account, fills in there with Resume/Curriculum Vitae,
>  Wiki Contributions and Email Address. Those elements will help us with
>  building a proper idea of their technical profile and will facilitate
>  the contact within OWASP contributors. Please see below the tutorial's
>  first paragraph and an example.
>  
>  
>  https://www.owasp.org/index.php/Special:RequestAccount
>  
>  
>  http://www.owasp.org/index.php/Tutorial
>   
>  http://www.owasp.org/index.php/User:Mtesauro
>  
>  
>  I will get back to you soon with more info and details.
>   
>  Many thanks, best regards,
>  - Paulo
>  
>  
>  Paulo Coimbra
>  OWASP Project Manager
>  
>  
>  From: Thibault Koechlin <thibault.koechlin at nbs-system.com>
>  Organization: NBS System
>  Date: Thu, 01 Sep 2011 19:17:54 +0200
>  To: Sebastien Gioria <sebastien.gioria at owasp.org>, Paulo Coimbra
>  <paulo.coimbra at owasp.org>
>  Cc: phu <phu at nbs-system.com>
>  Subject: Presenting a new project to the OWASP : Naxsi, a WAF for
>  NGINX
>  
>  
>  
>  Hello,
>  
>  
>  
>  
>  I would like to introduce a new project to the OWASP : NAXSI.
>  Naxsi is a Web Application Firewall module for Nginx. It's different
>  from most WAFs, because it relies on a positive model, rather than the
>  usual negative model. The project is still very young (alpha v0.2), even
>  if I've been working on it (and testing it) for a few months already.
>  You can find more details about it here : naxsi.googlecode.com.
>  
>  
>  
>  
>  You will find attached the small requested presentation of the project,
>  as well as replies to the submission process.
>  
>  
>  
>  
>  A - Project : NAXSI
>  1 - Project Name : NAXSI (Nginx Anti Xss Sql Injection)
>  2 - Project Purpose/Overview : Naxsi is a WAF module for Nginx, the
>  infamous web server / reverse proxy / ... Its goal is to protect web
>  applications from SQL Injections, Cross Site Scripting and all "web"
>  vulnerabilities.
>  3 - Project RoadMap : The project is already released (on googlecode),
>  and is currently in alpha version, even if we already did a lot of
>  testing. The next "big" steps will be to develop a web reporting
>  interface, as the web configuration/learning interface already
>  exists.
>  4 - Project links : naxsi.googlecode.com
>  5 - Project License : GPL v2
>  6 - Project Leader Name : Thibault "bui" Koechlin
>  7 - Project Leader e-mail account : bui at nbs-system.com
>  8 - Project Leader wiki account :
>  9 - Project Contributors : Sebastien Blot, Antonin Lefaucheux, Didier
>  Conchaudron
>  10 - Project links : naxsi.googlecode.com
>  
>  
>  B - First Release
>  1 - Release Name : Naxsi-alpha-v0.2 (End of august, but developed
>  for a few months)
>  2 - Release Description : This is the first public version of naxsi, a
>  Web Application Firewall Module for NGINX
>  3 - Release Downloadable file links :
>  http://naxsi.googlecode.com/files/naxsi-alpha-v0.2.tgz
>  4 - Release Leader : Thibault Koechlin
>  5 - Release Contributors : Sebastien Blot, Antonin Lefaucheux, Didier
>  Conchaudron
>  6 - Release Reviewer : Thibault Koechlin, Sebastien Blot
>  7 - Release Sponsors : NBS System
>  8 - Release Note : First public version of NAXSI !
>  9 - Release Main Links : naxsi.googlecode.com
>  
>  
>  Thanks for your time,
>  
>  
>  Regards,
>  -- 
>  Thibault Koechlin, IT security senior consultant
>  ---
>  NBS System - L'Expertise sécurité - 140 Bd Haussmann - 75008 Paris,
>  France
>  Tel: +33 1 58 56 25 90 /  Fax: +33 1 58 56 60 81
>  
>  
>  
>  

-- 
Thibault Koechlin, IT security senior consultant
---
NBS System - L'Expertise sécurité - 140 Bd Haussmann - 75008 Paris, France
Tel: +33 1 58 56 25 90 /  Fax: +33 1 58 56 60 81


