[WASC-WAFEC] WAFEC v2 Step 1

Matthieu Estrade mestrade at apache.org
Thu Feb 10 09:45:56 EST 2011


On 9 Feb 2011 at 23:58, robert at webappsec.org wrote:

>> I am not so sure we should start by reviewing WAFECv1. We should let it rest
>> for a little while longer. It's much better to discuss the common WAF use
>> cases, and from that deduce how to formulate a criteria that would help
>> users determine if the products they are evaluating are suitable for the use
>> cases they wish to pursue.
> 
> 
> I agree. After building out these use cases then see what is and isn't in v1 and create
> the new sections/update the old ones.
> 

+1 

IMHO, WAFEC v1 is good, but for old-style use cases; this document was done a few years ago, when WAFs were used to secure 1-5 web applications.
Today there are bigger infrastructures, new constraints and new needs, like virtualization, cloud, mass deployment, etc. We need to cover these new needs.

Matthieu


> Regards,
> - Robert Auger
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
> 
>> 
>> For the record, my impression of WAFECv1 is that it's great for the guys
>> like me, who are interested in how WAFs operate, but not as useful for
>> end-users, who just want to take care of a problem they have.
>> 
>> In addition, I have some questions:
>> 
>> - What is content switching
>> - What DoS aspects of HTML5?
>> 
>> On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <Thorsten.Wujek at stein-edv.de> wrote:
>> 
>>> Hi,
>>> 
>>> 
>>> 
>>> Thanks to everybody for showing so much interest in evolving WAFEC v2.
>>> 
>>> 
>>> 
>>> Today I would like to present the first, initial step of our project. After
>>> that I or my brother will be able to provide a detailed schedule and goal
>>> definition as well as how the communication will be organized.
>>> 
>>> 
>>> 
>>> 1.)    I would like to name those, who have confirmed their participation
>>> explicitly on the WASC / WAFEC Website. If you do not want that, please let
>>> me know, otherwise I take silence as an “OK”.
>>> 
>>> 2.)    As stated in the first mail, there should be a review of WAFEC v1
>>> and it would be great, if you could start with your or your customers
>>> experiences regarding the use of WAFEC v1.
>>> Let me be the one starting the discussion in short words:
>>> 
>>> i.)           There are a lot of criteria regarding content switching,
>>> which is irritating if you speak about WAF
>>> ii.)          With the new DoS aspects of HTML 5 we should sharpen WAFEC
>>> criteria regarding that issue
>>> iii.)         WAFEC should give customers or consultants the ability to
>>> judge positive or negative techniques as well as training, at the moment it
>>> is just showing capabilities
>>> 
>>> iv.)         The actual version is not helpful if you want to evaluate
>>> management or administrative capabilities
>>> 
>>> 
>>> 
>>> These are my 5 cents
>>> 
>>> 3.)    Last but not least there should be an overall confirmation if the
>>> suggested topics should be discussed in this project completely and how
>>> these points should be prioritized.
>>> 
>>> 
>>> 
>>> Awaiting your comments.
>>> 
>>> 
>>> 
>>> Thorsten
>>> 
>>> 
>>> 
>>> 
>>> Kind regards
>>> STEIN-IT GmbH
>>> Thorsten Wujek
>>> technical managing director
>>> technical CEO
>>> 
>>> *MCT,MCA,MASE,CITA-P***
>>> 
>>> 
>>> 
>>> 
>>> Neckarstraße 4. 45768 Marl
>>> Phone +49 23 65 . 92 44 - 31
>>> Fax +49 23 65 . 92 44 - 44
>>> 
>>> www.stein-edv.de
>>> www.sony-repair.de
>>> Thorsten.Wujek at stein-edv.de <thorsten.wujek at stein-edv.de>
>>> 
>>> 
>>> 
>>> 
>>> VAT ID no.: DE 814703466
>>> Tax no.: 359 5786 0059
>>> 
>>> Gelsenkirchen District Court, HRB 8639
>>> Registered office and place of jurisdiction: Marl
>>> 
>>> Managing directors:
>>> Joachim Matzek, Thorsten Wujek
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> wasc-wafec mailing list
>>> wasc-wafec at lists.webappsec.org
>>> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>>> 
>>> 
>> 
>> 
>> -- 
>> Ivan Ristić
>> 
> 
> 
> 




