Christian Heinrich christian.heinrich at cmlh.id.au
Wed Feb 23 18:20:18 EST 2011


On Wed, Feb 23, 2011 at 9:18 PM, Ido Breger <I.Breger at f5.com> wrote:
> Hi Christian,
> I think that Mark described accurately how customers are using WAFs. Eventually, fixing a vulnerability at the code level in addition to a WAF (or, some will say, instead of a WAF) is strictly a business decision. I am not sure that educating customers on how to perform risk assessment falls into the scope of WAFEC; this is just too heavy a subject. In addition, because it is a business decision and every business is different, there isn't a right or wrong here. I do believe that the audience that WAFEC is speaking to understands it.

Economics would indicate that a "business" would accept the inherent
risk of poor web application security controls as the residual risk
can be mitigated by a WAF.

I am not expecting the WAFEC v2 to address this in detail, rather my
expectation would be a paragraph or two which mentions references for
further information towards the first few pages of the document.

Christian Heinrich


Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au
