Ido Breger I.Breger at F5.com
Wed Feb 23 05:18:51 EST 2011

Hi Christian,
I think that Mark described accurately how customers are using WAFs. Eventually, fixing a vulnerability at the code level in addition to a WAF (or, some will say, instead of a WAF) is strictly a business decision. I am not sure that educating customers on how to perform risk assessment falls into the scope of WAFEC; this is just too heavy a subject. In addition, because it is a business decision and every business is different, there isn't a right or wrong here. I do believe that the audience that WAFEC is speaking to understands it.

-----Original Message-----
From: wasc-wafec-bounces at lists.webappsec.org [mailto:wasc-wafec-bounces at lists.webappsec.org] On Behalf Of Christian Heinrich
Sent: Sunday, February 20, 2011 12:10 AM
To: Mark Kraynak
Cc: wasc-wafec at lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1


On Sat, Feb 19, 2011 at 12:41 PM, Mark Kraynak <mark at imperva.com> wrote:
> The ICSA already has a WAF certification program.  I think working 
> with them to include some part of this in their process would be an 
> easier (and maybe more cost effective) solution.

I would prefer to avoid ICSA due to their lack of credibility based on http://attrition.org/errata/charlatan/icsa_labs/ and, more recently, the non-event that was http://www.antievasion.com/

On Sat, Feb 19, 2011 at 12:41 PM, Mark Kraynak <mark at imperva.com> wrote:
> This is a tried and true topic for endless debate.  In my experience, 
> organizations for the most part fail at patching effectively and those 
> that don't do the "short term" virtual patching get ineffective 
> protection in the long term as their patching never happens or happens incorrectly.
> Regardless, I think the spec for a WAF evaluation should be one step 
> removed from taking a side in this issue.  If we could agree that 
> virtual patching is a function to be expected of a WAF and that there 
> are characteristics of how well a WAF does this that can be evaluated 
> as a part of WAFEC, can we leave alone providing advice on what an 
> organization's overall patching strategy should be?

To clarify, I wasn't referring to the patching strategy, rather that a WAF isn't the solution for poor coding, such as input/output validation.

Ultimately, if this body of work is to be accepted by the community and not met with skepticism then it must address the root cause.

Christian Heinrich


Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au

wasc-wafec mailing list
wasc-wafec at lists.webappsec.org