[WASC-WAFEC] WAFEC v2 Step 1

Wujek Thorsten [STEIN-IT GmbH] Thorsten.Wujek at stein-edv.de
Thu Feb 10 10:21:00 EST 2011


I think this is the point I would like to achieve with the discussion.
From my point of view, what we are doing right now is reviewing v1, maybe in an abstract way, but we do. What I have extracted from your mail is that v1 is not covering today's use cases and that there are areas within v1 which are not specific enough.
But is there anything good in v1? Otherwise the essence would be “forget it and start from scratch”, which in my opinion would partly be like “reinventing the wheel”.

So, guys, keep going and please do not forget point 3.)

I will collect your opinions and provide them in a structured form.

@Ivan: there will be more DDoS attacks in the future because of HTML5 WebWorkers; for more info see: http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html

~Thorsten




From: wasc-wafec-bounces at lists.webappsec.org [mailto:wasc-wafec-bounces at lists.webappsec.org] On behalf of Mark Kraynak
Sent: Thursday, 10 February 2011 15:54
To: Matthieu Estrade; robert at webappsec.org
Cc: wasc-wafec at lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1

I think starting from a wholesale rewrite is a questionable approach. IMO some of the v1 stuff is still valid, and not in need of a complete rebuild.

Can we instead identify sections in v1 that are in need of update vs. those that are close? And then also make a list of sections to add that weren't adequately addressed in v1.



-----Original message-----
From: Matthieu Estrade <mestrade at apache.org>
To: "robert at webappsec.org" <robert at webappsec.org>
Cc: "wasc-wafec at lists.webappsec.org" <wasc-wafec at lists.webappsec.org>
Sent: Thu, Feb 10, 2011 14:46:11 GMT+00:00
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1

On 9 Feb 2011 at 23:58, robert at webappsec.org wrote:

>> I am not so sure we should start by reviewing WAFECv1. We should let it rest
>> for a little while longer. It's much better to discuss the common WAF use
>> cases, and from that deduce how to formulate criteria that would help
>> users determine if the products they are evaluating are suitable for the use
>> cases they wish to pursue.
>
>
> I agree. After building out these use cases then see what is and isn't in v1 and create
> the new sections/update the old ones.
>

+1

imho, WAFEC v1 is good, but for old-style use cases; this document was written a few years ago, when WAFs were used to secure 1-5 web applications.
Today there are bigger infrastructures, new constraints, new needs, like virtualization, cloud, mass deployment etc. We need to cover these new needs.

Matthieu


> Regards,
> - Robert Auger
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
>
>>
>> For the record, my impression of WAFECv1 is that it's great for the guys
>> like me, who are interested in how WAFs operate, but not as useful for
>> end-users, who just want to take care of a problem they have.
>>
>> In addition, I have some questions:
>>
>> - What is content switching?
>> - What DoS aspects of HTML5?
>>
>> On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH]
>> <Thorsten.Wujek at stein-edv.de> wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> Thanks to everybody for showing so much interest in evolving WAFEC v2.
>>>
>>>
>>>
>>> Today I would like to present the first, initial step of our project. After
>>> that I or my brother will be able to provide a detailed schedule and goal
>>> definition as well as how the communication will be organized.
>>>
>>>
>>>
>>> 1.)    I would like to name those, who have confirmed their participation
>>> explicitly on the WASC / WAFEC Website. If you do not want that, please let
>>> me know, otherwise I take silence as an “OK”.
>>>
>>> 2.)    As stated in the first mail, there should be a review of WAFEC v1
>>> and it would be great, if you could start with your or your customers
>>> experiences regarding the use of WAFEC v1.
>>> Let me be the one starting the discussion in short words:
>>>
>>> i.)           There are a lot of criteria regarding content switching,
>>> which is irritating if you speak about WAF
>>> ii.)          With the new DoS aspects of HTML 5 we should sharpen WAFEC
>>> criteria regarding that issue
>>> iii.)         WAFEC should give customers or consultants the ability to
>>> judge positive or negative techniques as well as training; at the moment it
>>> is just showing capabilities
>>>
>>> iv.)         The actual version is not helpful if you want to evaluate
>>> management or administrative capabilities
>>>
>>>
>>>
>>> These are my 5 cents
>>>
>>> 3.)    Last but not least there should be an overall confirmation if the
>>> suggested topics should be discussed in this project completely and how
>>> these points should be prioritized.
>>>
>>>
>>>
>>> Awaiting your comments.
>>>
>>>
>>>
>>> Thorsten
>>>
>>>
>>>
>>>
>>> Kind regards
>>> STEIN-IT GmbH
>>> Thorsten Wujek
>>> technical managing director
>>> technical CEO
>>>
>>> MCT, MCA, MASE, CITA-P
>>>
>>>
>>>
>>>
>>> Neckarstraße 4, 45768 Marl
>>> Phone +49 23 65 . 92 44 - 31
>>> Fax +49 23 65 . 92 44 - 44
>>>
>>> www.stein-edv.de
>>> www.sony-repair.de
>>> Thorsten.Wujek at stein-edv.de
>>>
>>>
>>>
>>>
>>> VAT ID no.: DE 814703466
>>> Tax no.: 359 5786 0059
>>>
>>> Amtsgericht Gelsenkirchen, HRB 8639
>>> Registered office and place of jurisdiction: Marl
>>>
>>> Managing directors:
>>> Joachim Matzek, Thorsten Wujek
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> wasc-wafec mailing list
>>> wasc-wafec at lists.webappsec.org
>>> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>>>
>>>
>>
>>
>> --
>> Ivan Ristić
>>

