[WASC-WAFEC] WAFEC v2 Step 1

Mark Kraynak mark at imperva.com
Thu Feb 10 09:53:33 EST 2011


I think starting from a wholesale rewrite is a questionable approach. IMO some of the v1 stuff is still valid, and not in need of a complete rebuild.

Can we instead identify sections in v1 that are in need of update vs those that are close? And then also make a list of sections to add that weren't adequately addressed in v1.

Connected by DROID on Verizon Wireless


-----Original message-----
From: Matthieu Estrade <mestrade at apache.org>
To: "robert at webappsec.org" <robert at webappsec.org>
Cc: "wasc-wafec at lists.webappsec.org" <wasc-wafec at lists.webappsec.org>
Sent: Thu, Feb 10, 2011 14:46:11 GMT+00:00
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1


On 9 Feb 2011 at 23:58, robert at webappsec.org wrote:

>> I am not so sure we should start by reviewing WAFECv1. We should let it rest
>> for a little while longer. It's much better to discuss the common WAF use
>> cases, and from that deduce how to formulate criteria that would help
>> users determine if the products they are evaluating are suitable for the use
>> cases they wish to pursue.
>
>
> I agree. After building out these use cases, see what is and isn't in v1 and create
> the new sections/update the old ones.
>

+1

imho, WAFEC v1 is good, but for old-style use cases: this document was done a few years ago, when WAFs were used to secure 1-5 web applications.
Today there are bigger infrastructures, new constraints, new needs, like virtualization, cloud, mass deployment etc. We need to cover these new needs.

Matthieu


> Regards,
> - Robert Auger
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
>
>>
>> For the record, my impression of WAFECv1 is that it's great for the guys
>> like me, who are interested in how WAFs operate, but not as useful for
>> end-users, who just want to take care of a problem they have.
>>
>> In addition, I have some questions:
>>
>> - What is content switching?
>> - What DoS aspects of HTML5?
>>
>> On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <
>> Thorsten.Wujek at stein-edv.de> wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> Thanks to everybody for showing so much interest in evolving WAFEC v2.
>>>
>>>
>>>
>>> Today I would like to present the first, initial step of our project. After
>>> that I or my brother will be able to provide a detailed schedule and goal
>>> definition as well as how the communication will be organized.
>>>
>>>
>>>
>>> 1.) I would like to name those who have confirmed their participation
>>> explicitly on the WASC / WAFEC website. If you do not want that, please let
>>> me know, otherwise I take silence as an "OK".
>>>
>>> 2.) As stated in the first mail, there should be a review of WAFEC v1,
>>> and it would be great if you could start with your or your customers'
>>> experiences regarding the use of WAFEC v1.
>>> Let me be the one starting the discussion in short words:
>>>
>>> i.) There are a lot of criteria regarding content switching,
>>> which is irritating if you speak about WAF
>>> ii.) With the new DoS aspects of HTML 5 we should sharpen WAFEC
>>> criteria regarding that issue
>>> iii.) WAFEC should give customers or consultants the ability to
>>> judge positive or negative techniques as well as training; at the moment it
>>> is just showing capabilities
>>>
>>> iv.) The actual version is not helpful if you want to evaluate
>>> management or administrative capabilities
>>>
>>>
>>>
>>> These are my 5 cents.
>>>
>>> 3.) Last but not least, there should be an overall confirmation if the
>>> suggested topics should be discussed in this project completely and how
>>> these points should be prioritized.
>>>
>>>
>>>
>>> Awaiting your comments.
>>>
>>>
>>>
>>> Thorsten
>>>
>>>
>>>
>>>
>>> Kind regards
>>> STEIN-IT GmbH
>>> Thorsten Wujek
>>> technical managing director
>>> technical CEO
>>>
>>> MCT, MCA, MASE, CITA-P
>>>
>>> Neckarstraße 4, 45768 Marl
>>> Phone +49 23 65 . 92 44 - 31
>>> Fax +49 23 65 . 92 44 - 44
>>>
>>> http://www.stein-edv.de
>>> http://www.sony-repair.de
>>> Thorsten.Wujek at stein-edv.de
>>>
>>> VAT ID no.: DE 814703466
>>> Tax no.: 359 5786 0059
>>>
>>> Local Court (Amtsgericht) Gelsenkirchen, HRB 8639
>>> Registered office and place of jurisdiction: Marl
>>>
>>> Managing directors:
>>> Joachim Matzek, Thorsten Wujek
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> wasc-wafec mailing list
>>> wasc-wafec at lists.webappsec.org
>>> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>>>
>>>
>>
>>
>> --
>> Ivan Ristić
>>