[WASC-WAFEC] IronBee -- a new Apache-licensed web application firewall

Achim Hoffmann websec10 at sic-sec.org
Wed Feb 23 08:53:21 EST 2011


Am 23.02.2011 14:05, schrieb Ryan Barnett:
> On 2/23/11 4:23 AM, "Ivan Ristic" <ivan.ristic at gmail.com> wrote:

>> Yesterday I actually started writing one of the pages to establish a
>> template:
>>
>> https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF
> 
> 
> May I suggest that we create this wiki content on the wasc projects site?

I'd like to contribute to the wiki too, as I already have something about
"WAF and CSRF protections" prepared for an OWASP summit session which didn't
take place.


> Also - we may want to start from the top with WAFECv2 and re-define a
> definition for a web application firewall.  The definition on the WASC
> Glossary page 
> (http://projects.webappsec.org/w/page/13246967/The-Web-Security-Glossary)
> could use some updating -
> 
> "Web Application Firewall: An intermediary device, sitting between a
> web-client and a web server, analyzing OSI Layer-7 messages for violations
> in the programmed security policy. A web application firewall is used as a
> security device protecting the web server from attack."

There are so many definitions out there (IronBee actually uses a new word *SCNR*);
I guess this either becomes a lengthy discussion or a lengthy definition ...

> This does not mention software only WAF and is also narrowly focused on
> attack prevention.  As I mentioned in an earlier email, we need a
> definition that uniquely defines WAF.  Just by reading this current
> definition, IPS appliances would fit...

I agree that we should look at things like CSRFGuard, ESAPI and such too.
Does this make sense?


Achim




More information about the wasc-wafec mailing list