Wujek Thorsten [STEIN-IT GmbH] Thorsten.Wujek at stein-edv.de
Mon Feb 14 05:05:26 EST 2011

To all,

thank you for your reply. I will have in mind to give you all an additional week for comments. I will try to put the essence of your mails together and send it out next weekend.
So have a productive week.

~ Thorsten

-----Original Message-----
From: Achim Hoffmann [mailto:websec10 at sic-sec.org]
Sent: Sunday, 13 February 2011 14:45
To: wasc-wafec at lists.webappsec.org
Cc: Wujek Thorsten [STEIN-IT GmbH]
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1

Hi all,

I'll chime in to this discussion by quoting Thorsten's original mail, but also some replies without explicitly quoting them. Hope you get it anyhow ...

For details, see inline below.

On 09.02.2011 22:28, Wujek Thorsten [STEIN-IT GmbH] wrote:
> 1.)    I would like to name those, who have confirmed their participation explicitly on the WASC / WAFEC Website. If you do not want that, please let me know, otherwise I take silence as an "OK".

According to my experience with other such projects I'd like to see a list of contributors and an additional one for reviewers (Robert may remember why I address this:).

> 2.)    As stated in the first mail, there should be a review of WAFEC v1 and it would be great, if you could start with your or your customers' experiences regarding the use of WAFEC v1.
> Let me be the one starting the discussion in short words:

I'd vote like Ryan that we first focus on the capabilities and requirements
*independent* from any vendor preferences or customer wishes.
I'd like to have WAFEC more focus on the technical things, see iv.) below.

> i.)           There are a lot of criteria regarding content switching, which is irritating if you speak about WAF

Agreed, see iv.) below.

> ii.)          With the new DoS aspects of HTML 5 we should sharpen WAFEC criteria regarding that issue
> iii.)         WAFEC should give customers or consultants the ability to judge positive or negative techniques as well as training, at the moment it is just showing capabilities

This is very important, as you want to address security first or functionality (of the website) first. Johanne already quoted for the security first focus.
Other vendors and some customers will stress the single-point-of-failure aka functionality argument. I expect controversial discussions as this is a fundamental part (mainly for the sales people) of some WAFs.

> iv.)         The actual version is not helpful if you want to evaluate management or administrative capabilities

I agree that WAFEC (v1) is not helpful there. That's why we've written
which is about: evaluation, administration, operation, ...
(sorry for some kind of self-adulation:)

As we're thinking about "WAF: Best Practices (v2)" too, does it make sense to focus on the facts/capabilities here in WAFEC and let "usage" go to the best practice document? I'm open to your minds. I'll be definitely part of both worlds.

> These are my 5 cents
> 3.)    Last but not least there should be an overall confirmation if the suggested topics should be discussed in this project completely and how these points should be prioritized.

See iv.)

> Awaiting your comments.
> Thorsten