Christian Heinrich christian.heinrich at cmlh.id.au
Fri Feb 18 20:34:52 EST 2011


I would like to extend the thoughts from Ryan which I have quoted below:

On Fri, Feb 11, 2011 at 4:54 AM, Ryan Barnett <rcbarnett at gmail.com> wrote:

> I will make these comments very brief (we can discuss them later in detail)
> -
>    1. WAFEC is primarily used as an RFP document for end users so we
>    should focus on this from a data sharing perspective and come up with a
>    different method (i.e – no more spreadsheets please…)
>    2. We need to have a minimum capabilities requirements section so end
>    users know whether or not they should also be considering Palo Alto or
>    TippingPoint.  What features are unique to WAF.
>    3. It would be great to have a decision tree type of interface where,
>    depending on the end users main concern, they can get a customized view of
>    data.  For instance – when they choose the deployment mode (out of line vs.
>    reverse proxy vs. bridge), then the remaining sections are applicable
>    (reference the deployment method capabilities matrix that Ivan linked to).
>     We could also expand this to cover use-case scenarios.  Basically, we could
>    remove many "N/A" responses by simply removing it entirely from the view.
>    4. We should think about the structure of the document to see if there
>    is a better order of topics.  As was already mentioned by Ivan – we should
>    probably start with Use-Cases.  Why is the user interested in WAF?  PCI?
>     Recently Hacked?  These scenarios will dictate items such as deployment
>    modes and blocking capabilities.
1. was the predominant use of how it was communicated to the Australian
public i.e.

2. - 3.  Should a third party, such as http://www.nsslabs.com/,
http://www.dsd.gov.au/infosec/aisep/providers.htm, etc., be endorsed to
provide independent assurance of the claims made by various WAF vendors?

4. Specific to PCI 6.6, i.e.
  a. Would v2 be able to provide more in-depth technical examples of "virtual
patching" and ROI?
  b. Should it advocate, as a long-term strategy, code review over WAF, i.e.
should "virtual patching" be considered short term?

Christian Heinrich


Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au
