Achim Hoffmann websec10 at sic-sec.org
Wed Feb 23 09:04:18 EST 2011

On 23.02.2011 11:18, Ido Breger wrote:
> Hi Christian,
> I think that Mark described accurately how customers are using WAFs. Eventually, fixing a vulnerability at the code level in addition to WAF (or some will say instead of WAF) is strictly a business decision. I am not sure that educating customers on how to perform risk assessment falls into the scope of WAFEC; this is just too heavy a subject. In addition, because it is a business decision and every business is different, there isn't a right or wrong here. I do believe that the audience that WAFEC is speaking to understands it.

The "business decision" is covered (at least partially) in
(as I already explained in an earlier mail)

I suggest that the members of this list (or the maintainer) make a decision about
the scope and borders of what WAFEC v2 should describe.

