[WASC-WAFEC] WAFEC v2 Step 1

Achim Hoffmann websec10 at sic-sec.org
Sun Feb 13 08:45:18 EST 2011


Hi all,

I'll chime in to this discussion by quoting Thorsten's original mail, but also
some replies without explicitly quoting them. Hope you get it anyhow ...

For details, see inline below.
Achim

Am 09.02.2011 22:28, schrieb Wujek Thorsten [STEIN-IT GmbH]:
> 1.)    I would like to name those, who have confirmed their participation explicitly on the WASC / WAFEC Website. If you do not want that, please let me know, otherwise I take silence as an "OK".

Confirmed.
According to my experience with other such projects I'd like to see a list
of contributors and an additional one for reviewers (Robert may remember
why I address this:).

> 2.)    As stated in the first mail, there should be a review of WAFEC v1 and it would be great if you could start with your or your customers' experiences regarding the use of WAFEC v1.
> Let me be the one starting the discussion in short words:

I'd vote like Ryan that we first focus on the capabilities and requirements
*independent* from any vendor preferences or customer wishes.
I'd like to have WAFEC more focus on the technical things, see iv.) below.

> 
> i.)           There are a lot of criteria regarding content switching, which is irritating if you speak about WAF

Agreed, see iv.) below.

> ii.)          With the new DoS aspects of HTML 5 we should sharpen WAFEC criteria regarding that issue
> iii.)         WAFEC should give customers or consultants the ability to judge positive or negative techniques as well as training, at the moment it is just showing capabilities

This is very important, as you want to address security first or functionality
(of the website) first. Johanne already quoted for the security first focus.
Other vendors and some customers will stress the single-point-of-failure aka
functionality argument. I expect controversial discussions as this is a fundamental
part (mainly for the sales people) of some WAFs.

> iv.)         The actual version is not helpful if you want to evaluate management or administrative capabilities

I agree that WAFEC (v1) is not helpful there. That's why we've written
	http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
which is about: evaluation, administration, operation, ...
(sorry for some kind of self-adulation:)

As we're thinking about "WAF: Best Practices" (v2) too, does it make sense to
focus on the facts/capabilities here in WAFEC and let "usage" go to the best
practice document? I'm open to your thoughts. I'll definitely be part of both worlds.

> These are my 5 cent
> 
> 
> 3.)    Last but not least there should be an overall confirmation if the suggested topics should be discussed in this project completely and how these points should be prioritized.

See iv.)
 
> Awaiting your comments.
> 
> Thorsten
> 