[WASC-WAFEC] IronBee -- a new Apache-licensed web application firewall

Ryan Barnett rcbarnett at gmail.com
Wed Feb 23 08:05:59 EST 2011


On 2/23/11 4:23 AM, "Ivan Ristic" <ivan.ristic at gmail.com> wrote:

>On Wed, Feb 23, 2011 at 5:50 AM, Christian Heinrich
><christian.heinrich at cmlh.id.au> wrote:
>> Ivan,
>>
>> On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic <ivan.ristic at gmail.com>
>>wrote:
>>> I am writing to this list because I expect there will be an overlap
>>> between WAFEC and the documentation effort at IronBee. In the next
>>> week or so we will start a new section on our wiki to enumerate all
>>> the relevant attacks against web applications and then document what
>>> web application firewalls can do to address them (with a view to
>>> implement those defences in IronBee).
>>>
>>> We should perhaps include a copy of the wiki content in WAFEC itself.
>>> After all, one of our goals would be helping end users to understand
>>> what WAFs can and cannot do.
>>
>> Can I recommend that this be extended to ModSecurity (possibly
>> completed by Ryan) so that a common benchmark can be established with
>> the intent of this body of work possibly being reused by other WAF
>> vendors?
>
>That's absolutely fine. Our only requirement is that any stuff that
>gets put into IronBee is licensed under Apache Software License v2.
>
>Yesterday I actually started writing one of the pages to establish a
>template:
>
>https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF


May I suggest that we create this wiki content on the wasc projects site?

Also - we may want to start from the top with WAFECv2 and redefine the
definition of a web application firewall.  The definition on the WASC
Glossary page
(http://projects.webappsec.org/w/page/13246967/The-Web-Security-Glossary)
could use some updating -

"Web Application Firewall: An intermediary device, sitting between a
web-client and a web server, analyzing OSI Layer-7 messages for violations
in the programmed security policy. A web application firewall is used as a
security device protecting the web server from attack."

This does not mention software-only WAFs and is also narrowly focused on
attack prevention.  As I mentioned in an earlier email, we need a
definition that uniquely defines a WAF.  Just by reading this current
definition, IPS appliances would fit...

Here is my first draft of an updated definition -

Web Application Firewall: A web traffic (HTTP(S)/XML) security policy
enforcement and auditing layer (intermediary device, web server plugin or
application layer filter) used to prevent both inbound attacks and
outbound data leakages.

-Ryan

>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://www.linkedin.com/in/ChristianHeinrich
>>
>> Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
>> SkypeID: cmlh.id.au
>>
>
>
>
>-- 
>Ivan Ristić
>
>_______________________________________________
>wasc-wafec mailing list
>wasc-wafec at lists.webappsec.org
>http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org