Christian Heinrich christian.heinrich at cmlh.id.au
Wed Feb 23 18:08:28 EST 2011


On Wed, Feb 23, 2011 at 7:40 PM, Mark Kraynak <mark at imperva.com> wrote:
> The first set of links (attrition.org) is indeed pretty old.  In my work with the ICSA I've found them to be at least as competent/authentic/etc as NSS (whom I've interacted with much less).  I don't have any experience with AISEF. As with anything YMMV. The problem I would foresee with independent testing is that to get it right, and more importantly to secure the cooperation of vendors, there needs to be a process by which the vendor can respond to any configuration errors that might result in their offering testing less well than it should. ICSA has a process for this that seems to work in getting vendor cooperation.  I haven't seen this from either of the other organizations you cite (though, again, I've worked with them less/none at all).

My experience with ICSA is rather dated, i.e. from when ICSA was
referred to as "National", i.e. NCSA.

I believe a more recent comparison of the credibility of ICSA vs NSS
could be http://seclists.org/dailydave/2010/q4/10

That stated, we should leverage your contacts within ICSA to assist
with the creation of a methodology for evaluating WAF that is
repeatable by the end user?

I can also extend an invitation to
http://www.dsd.gov.au/infosec/aisep/providers.htm if needed?

> On the other point, I'm confused. Are you saying that the WAF's ability to perform input/output validations should not be a part of the WAFEC?

To clarify, I was stating that input/output validation (as an example)
could be performed by a WAF until the controls are within the web app
in which case they could co-exist as "defense in depth".

That stated, I believe that input/output validation should be
specified as a requirement during procurement so that it is built in
to the web application.

Christian Heinrich


Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au
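The "defense in depth" point above (a WAF performing generic input/output validation in front of an application that also validates its own inputs) can be illustrated with a small simulation. This is an added example, not code from the thread or from any WAF product; the /transfer endpoint, its parameters and the two check functions are hypothetical, and the sample requests are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict[str, str] = field(default_factory=dict)


# Layer 1: WAF-style checks. They are application-agnostic, so they can only
# enforce generic properties (size, character classes, known-sensitive patterns).
MAX_PARAM_LEN = 256
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # constructed output-leak pattern


def waf_input_check(req: Request) -> list[str]:
    """Generic request validation a WAF could apply without knowing the app."""
    findings = []
    for name, value in req.params.items():
        if len(value) > MAX_PARAM_LEN:
            findings.append(f"{name}: longer than {MAX_PARAM_LEN} bytes")
        if CONTROL_CHARS.search(value):
            findings.append(f"{name}: contains control characters")
    return findings


def waf_output_check(body: str) -> list[str]:
    """Generic response validation: flag responses that look like they leak PII."""
    return ["response: SSN-like pattern present"] if SSN_LIKE.search(body) else []


# Layer 2: application-level validation. It knows the schema and business
# rules, so it catches input a generic WAF rule cannot reason about.
ACCOUNT_ID = re.compile(r"[0-9]{6,10}")


def app_input_check(req: Request) -> list[str]:
    """Schema-aware validation for the hypothetical /transfer endpoint."""
    findings = []
    if req.path != "/transfer":
        return findings
    if not ACCOUNT_ID.fullmatch(req.params.get("account", "")):
        findings.append("account: must be 6-10 digits")
    try:
        amount = int(req.params.get("amount", ""))
    except ValueError:
        findings.append("amount: not an integer")
    else:
        if not 1 <= amount <= 10_000:
            findings.append("amount: outside 1..10000")
    return findings


def evaluate(req: Request) -> dict:
    """Run both layers and report which one(s) rejected the request.

    A request is only allowed when neither layer objects; the per-layer
    findings show what each layer contributes on its own.
    """
    waf = waf_input_check(req)
    app = app_input_check(req)
    return {"waf": waf, "app": app, "allowed": not waf and not app}


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("/transfer", {"account": "12345678", "amount": "500"}),
        Request("/transfer", {"account": "1234\x0056", "amount": "500"}),
        Request("/transfer", {"account": "12345678", "amount": "99999"}),
    ]
    for r in samples:
        print(r.params, "->", evaluate(r))
    print(waf_output_check("customer 123-45-6789 balance 42"))
```

Running it shows the three cases the thread is really about: a clean request passes both layers; a request with embedded control characters is stopped by the WAF layer (and by the application too, once it validates); and an out-of-range amount is invisible to the generic WAF rules and only the application-level check rejects it, which is why the validation needs to be built in to the application rather than left to the WAF alone.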

More information about the wasc-wafec mailing list