[WASC-WAFEC] WAFEC v2 Step 1
rcbarnett at gmail.com
Thu Feb 10 12:54:21 EST 2011
I will make these comments very brief (we can discuss them later in detail)
1. WAFEC is primarily used as an RFP document for end users so we should
focus on this from a data sharing perspective and come up with a different
method (i.e. no more spreadsheets please)
2. We need to have a minimum capabilities requirements section so end users
know whether or not they should also be considering Palo Alto or
TippingPoint. What features are unique to WAF?
3. It would be great to have a decision tree type of interface where,
depending on the end user's main concern, they can get a customized view of
data. For instance, when they choose the deployment mode (out of line vs.
reverse proxy vs. bridge), then the remaining sections are applicable
(reference the deployment method capabilities matrix that Ivan linked to).
We could also expand this to cover use-case scenarios. Basically, we could
remove many "N/A" responses by simply removing them entirely from the view.
4. We should think about the structure of the document to see if there is a
better order of topics. As was already mentioned by Ivan, we should
probably start with Use-Cases. Why is the user interested in WAF? PCI?
Recently hacked? These scenarios will dictate items such as deployment
modes and blocking capabilities.
From: "Wujek Thorsten [STEIN-IT GmbH]" <Thorsten.Wujek at stein-edv.de>
Date: Wed, 9 Feb 2011 22:28:18 +0100
To: "wasc-wafec at lists.webappsec.org" <wasc-wafec at lists.webappsec.org>
Subject: [WASC-WAFEC] WAFEC v2 Step 1
> Thanks to everybody for showing so much interest in evolving WAFEC v2.
> Today I would like to present the first, initial step of our project. After
> that I or my brother will be able to provide a detailed schedule and goal
> definition as well as how the communication will be organized.
> 1.) I would like to name those, who have confirmed their participation
> explicitly on the WASC / WAFEC Website. If you do not want that, please let me
> know, otherwise I take silence as an "OK".
> 2.) As stated in the first mail, there should be a review of WAFEC v1 and
> it would be great if you could start with your or your customers' experiences
> regarding the use of WAFEC v1.
> Let me be the one starting the discussion in short words:
> i.) There are a lot of criteria regarding content switching, which
> is irritating if you speak about WAF
> ii.) With the new DoS aspects of HTML 5 we should sharpen WAFEC
> criteria regarding that issue
> iii.) WAFEC should give customers or consultants the ability to judge
> positive or negative techniques as well as training, at the moment it is just
> showing capabilities
> iv.) The actual version is not helpful if you want to evaluate
> management or administrative capabilities
> These are my 5 cents
> 3.) Last but not least there should be an overall confirmation if the
> suggested topics should be discussed in this project completely and how these
> points should be prioritized.
> Awaiting your comments.
> Kind regards
> STEIN-IT GmbH
> Thorsten Wujek
> Technical Managing Director
> technical CEO
> Neckarstraße 4. 45768 Marl
> Phone +49 23 65 . 92 44 - 31
> Fax +49 23 65 . 92 44 - 44
> www.stein-edv.de <http://www.stein-edv.de/>
> www.sony-repair.de <http://www.sony-repair.de/>
> Thorsten.Wujek at stein-edv.de <mailto:thorsten.wujek at stein-edv.de>
> VAT ID: DE 814703466
> Tax no.: 359 5786 0059
> Registered at Amtsgericht Gelsenkirchen, HRB 8639
> Registered office and place of jurisdiction: Marl
> Managing directors:
> Joachim Matzek, Thorsten Wujek