[WASC-WAFEC] WAFEC v1.0 - Section 1

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Mar 5 04:14:41 EST 2011


All,

I have the following comments related to Section 1 of WAFEC v1.0, i.e.
pp. 4-7, based on a very quick rereading (i.e. I could be wrong).

1.1 - Should diagrams be included illustrating 1.1.1 - 1.1.4?  These
could be inserted as an Appendix.

1.2 - Can we change the heading to "Insufficient Transport Layer
Protection" as per
http://projects.webappsec.org/w/page/13246945/Insufficient-Transport-Layer-Protection
?

1.2 - Should we include a reference to Common Criteria due to the
inclusion of FIPS 140-2?

1.2 - The reference to the different levels above Level 1 for FIPS
140-2 should be removed due to their relationship to the HSM, i.e.
create a subsection for HSM.

1.2 - SSL/TLSv3 Hardware Acceleration should include a reference to a
separate HSM and FIPS 140-2.

1.2 - Should a technical audit procedure (e.g. using OpenSSL) be
included to verify the SSL/TLSv3 implementation?

1.2 - I suspect Ivan Ristic might wish to add to this due to his work
with www.ssllabs.org?

1.3 - Can "Traffic Blocking" be extended/clarified to include the
numerous ways to terminate a TCP connection, i.e. drop, RST, FIN, etc.?

1.4 - For appliances, can a mention of patching in relation to its EUL
be included, as I have encountered a number which, if patched, void the
EUL?

1.4 - Common Criteria, etc. is not mentioned but would be a factor in
purchasing an appliance for Government; as it is not specified within
"Method of Delivery", can this be specified?


-- 
Regards,
Christian Heinrich

http://www.linkedin.com/in/ChristianHeinrich

Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au
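The comment on 1.2 above asks for a technical audit procedure using OpenSSL to verify a WAF's SSL/TLS implementation. The following is an added example of what such a procedure might look like; it is not part of the original post nor of the WAFEC document. It builds the `openssl s_client` probe commands an auditor would run for each protocol version, parses the `New, <proto>, Cipher is <name>` / `Protocol :` / `Server public key is N bit` lines that `s_client` prints, and evaluates the results against a simple policy (legacy protocols refused, TLS 1.2 offered, no weak ciphers, forward-secrecy suites, 2048-bit keys). The `s_client` output embedded below is constructed to resemble real output and was not captured from any system; the policy thresholds are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProbeResult:
    requested: str            # protocol flag handed to s_client, e.g. "tls1_2"
    handshake_ok: bool        # False when s_client reports "Cipher is (NONE)"
    protocol: Optional[str]   # protocol the server actually negotiated
    cipher: Optional[str]     # negotiated cipher suite name
    key_bits: Optional[int]   # server public key size, if printed


def probe_command(host: str, port: int, proto: str) -> List[str]:
    """argv for one probe; proto is an s_client version flag such as
    ssl3, tls1, tls1_1, tls1_2 or tls1_3 (without the leading dash)."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-servername", host, f"-{proto}"]


# s_client summary lines this parser relies on.
_NEW_RE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)
_KEY_RE = re.compile(r"^Server public key is (?P<bits>\d+) bit", re.M)
_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(?P<proto>\S+)", re.M)


def parse_probe(requested: str, output: str) -> ProbeResult:
    """Turn the text printed by one s_client run into a ProbeResult."""
    m = _NEW_RE.search(output)
    cipher = m.group("cipher") if m else None
    ok = cipher is not None and cipher != "(NONE)"
    pm = _PROTO_RE.search(output)
    km = _KEY_RE.search(output)
    return ProbeResult(
        requested=requested,
        handshake_ok=ok,
        protocol=pm.group("proto") if (ok and pm) else None,
        cipher=cipher if ok else None,
        key_bits=int(km.group("bits")) if km else None,
    )


# Audit policy (assumed for this example, not taken from WAFEC).
FORBIDDEN_PROTOCOLS = {"ssl2", "ssl3", "tls1", "tls1_1"}
REQUIRED_PROTOCOLS = {"tls1_2"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
FORWARD_SECRECY_PREFIXES = ("ECDHE", "DHE", "TLS_")   # TLS_ = TLS 1.3 suites
MIN_KEY_BITS = 2048


def audit(results: List[ProbeResult]) -> List[str]:
    """Return one finding string per policy violation found in the probes."""
    findings: List[str] = []
    for r in results:
        if r.requested in FORBIDDEN_PROTOCOLS and r.handshake_ok:
            findings.append(f"{r.requested}: legacy protocol accepted "
                            f"({r.protocol}, {r.cipher})")
        if r.requested in REQUIRED_PROTOCOLS and not r.handshake_ok:
            findings.append(f"{r.requested}: required protocol not offered")
        if r.handshake_ok and r.cipher:
            if any(w in r.cipher.upper() for w in WEAK_CIPHER_MARKERS):
                findings.append(f"{r.requested}: weak cipher {r.cipher}")
            if not r.cipher.startswith(FORWARD_SECRECY_PREFIXES):
                findings.append(f"{r.requested}: no forward secrecy ({r.cipher})")
        if r.key_bits is not None and r.key_bits < MIN_KEY_BITS:
            findings.append(f"{r.requested}: server key only {r.key_bits} bits")
    return findings


# Constructed sample output for three probes against a hypothetical WAF.
SAMPLE_PROBES: Dict[str, str] = {
    "ssl3": (
        "CONNECTED(00000003)\n"
        "error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version\n"
        "---\nno peer certificate available\n---\n"
        "New, (NONE), Cipher is (NONE)\n"
    ),
    "tls1": (
        "CONNECTED(00000003)\n---\nServer public key is 2048 bit\n---\n"
        "New, TLSv1/SSLv3, Cipher is AES128-SHA\n"
        "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : AES128-SHA\n"
    ),
    "tls1_2": (
        "CONNECTED(00000003)\n---\nServer public key is 2048 bit\n---\n"
        "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\n"
        "SSL-Session:\n    Protocol  : TLSv1.2\n"
        "    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n"
    ),
}


def run_sample_audit() -> List[str]:
    """Parse the constructed probes and audit them; used for the demo below."""
    results = [parse_probe(p, out) for p, out in SAMPLE_PROBES.items()]
    return audit(results)


if __name__ == "__main__":
    for proto in SAMPLE_PROBES:
        print(" ".join(probe_command("waf.example.invalid", 443, proto)))
    for finding in run_sample_audit():
        print("FINDING:", finding)
```

In the constructed sample, SSLv3 is refused and TLS 1.2 negotiates a forward-secret suite, but the TLS 1.0 probe succeeds with a plain RSA-key-exchange suite, so the audit reports two findings. Against a real appliance, the auditor would run each `probe_command` and feed its captured stdout to `parse_probe`; the parser only depends on the summary lines shown, so other `s_client` chatter is ignored.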
