[Owasp-leaders] WAFs for OWASP crowd to perform independent tests

dinis cruz dinis.cruz at owasp.org
Fri Sep 25 12:30:06 EDT 2009


(also posted here:
http://diniscruz.blogspot.com/2009/09/wafs-for-owasp-crowd-to-perform.html)
Just had this request from one of the best WAF authors & researchers in the
world (sorry can't say his name publicly) who asked me this:
"...I am researching WAF evasion and I need access to a commercial WAF. I
am finding a lot of interesting things, but without knowing if they are real
problems in production that does not mean much.

Do you know someone who could be willing to give me access to
a non-production box for testing purposes?..."

From the above, I have two questions:

   1. Can anybody from this list help him? Ping me directly and I will put
   the two in touch.
   2. Is the WAF industry (both proprietary and open source) mature enough
   that they can 'lend' an evaluation WAF (the actual appliance) to OWASP so
   that OWASP leaders & members can independently evaluate it?
      - If they are, I'm happy to help set up some rules of engagement,
      for example: "The WAF will be hosted by an independent (i.e. non
      WAF vendor) OWASP leader or member", "there are no limitations on
      the types of apps that can be 'protected' by the WAF", "if any major
      issues are discovered, 'responsible disclosure' will be used".


I think if we do this right, it could be a win-win for everybody.

Dinis Cruz