[WASC-WAFEC] WAFEC v2 Step 1

Achim Hoffmann websec10 at sic-sec.org
Wed Feb 23 09:04:18 EST 2011


On 23.02.2011 11:18, Ido Breger wrote:
> Hi Christian,
> I think that Mark described accurately how customers are using WAFs. Eventually, fixing a vulnerability at the code level in addition to WAF (or some will say instead of WAF) is strictly a business decision. I am not sure that educating customers on how to perform risk assessment falls into the scope of WAFEC; this is just too heavy a subject. In addition, because it is a business decision and every business is different, there isn't a right or wrong here. I do believe that the audience that WAFEC is speaking to understands it.

The "business decision" is covered (at least partially) in
	http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
(as I already explained in an earlier mail)

I suggest that the members of this list (or the maintainer) make a decision about
the scope and borders of what WAFEC v2 should describe.

Achim



