Christian Heinrich christian.heinrich at cmlh.id.au
Sat Feb 19 17:09:52 EST 2011


On Sat, Feb 19, 2011 at 12:41 PM, Mark Kraynak <mark at imperva.com> wrote:
> The ICSA already has a WAF certification program.  I think working with them
> to include some part of this in their process would be an easier (and maybe
> more cost effective) solution.

I would prefer to avoid ICSA due to their lack of credibility based
on http://attrition.org/errata/charlatan/icsa_labs/ and more recently
the non-event that was http://www.antievasion.com/

On Sat, Feb 19, 2011 at 12:41 PM, Mark Kraynak <mark at imperva.com> wrote:
> This is a tried and true topic for endless debate.  In my experience,
> organizations for the most part fail at patching effectively and those that
> don’t do the “short term” virtual patching get ineffective protection in the
> long term as their patching never happens or happens incorrectly.
> Regardless, I think the spec for a WAF evaluation should be one step removed
> from taking a side in this issue.  If we could agree that virtual patching
> is a function to be expected of a WAF and that there are characteristics of
> how well a WAF does this that can be evaluated as a part of WAFEC, can we
> leave alone providing advice on what an organization’s overall patching
> strategy should be?

To clarify, I wasn't referring to the patching strategy, rather that a
WAF isn't the solution for poor coding, such as input/output

Ultimately, if this body of work is to be accepted by the community
and not met with skepticism then it must address the root cause.

Christian Heinrich


Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au

More information about the wasc-wafec mailing list