[WASC-WAFEC] WAFEC v2 Step 1
websec10 at sic-sec.org
Sun Feb 13 08:45:18 EST 2011
I'll chime in to this discussion by quoting Thorsten's original mail, but also
some replies without explicitly quoting them. Hope you get it anyhow ...
For details, see inline below.
On 09.02.2011 22:28, Wujek Thorsten [STEIN-IT GmbH] wrote:
> 1.) I would like to name those, who have confirmed their participation explicitly on the WASC / WAFEC Website. If you do not want that, please let me know, otherwise I take silence as an "OK".
According to my experience with other such projects I'd like to see a list
of contributors and an additional one for reviewers (Robert may remember
why I address this :).
> 2.) As stated in the first mail, there should be a review of WAFEC v1 and it would be great if you could start with your or your customers' experiences regarding the use of WAFEC v1.
> Let me be the one starting the discussion in short words:
I'd vote like Ryan that we first focus on the capabilities and requirements
*independent* of any vendor preferences or customer wishes.
I'd like to have WAFEC focus more on the technical things, see iv.) below.
> i.) There are a lot of criteria regarding content switching, which is irritating if you speak about WAF
Agreed, see iv.) below.
> ii.) With the new DoS aspects of HTML 5 we should sharpen WAFEC criteria regarding that issue
> iii.) WAFEC should give customers or consultants the ability to judge positive or negative techniques as well as training, at the moment it is just showing capabilities
This is very important, as you want to address security first or functionality
(of the website) first. Johanne already quoted for the security-first focus.
Other vendors and some customers will stress the single-point-of-failure aka
functionality argument. I expect controversial discussions as this is a fundamental
part (mainly for the sales people) of some WAFs.
> iv.) The actual version is not helpful if you want to evaluate management or administrative capabilities
I agree that WAFEC (v1) is not helpful there. That's why we've written
which is about: evaluation, administration, operation, ...
(sorry for some kind of self-adulation :)
As we're thinking about "WAF: Best Practices" (v2) too, does it make sense to
focus on the facts/capabilities here in WAFEC and let "usage" go to the best
practice document? I'm open to your views. I'll definitely be part of both worlds.
> These are my 5 cents
> 3.) Last but not least there should be an overall confirmation if the suggested topics should be discussed in this project completely and how these points should be prioritized.
> Awaiting your comments.