[WASC-WAFEC] WAFEC workshop in Athens

Ofer Shezaf ofer at shezaf.com
Fri Aug 17 16:16:57 EDT 2012


Hi All,

Sorry for the long delay (it is summer after all). I hope to boot the next
phase shortly based on your valuable feedback, but when finally working on
that I had the time to summarize the workshop I held at OWASP AppSec
Research in Athens last month:

Participation was low (6 people). It's not just the hour (6pm after a hot
and humid day at the Athens University campus) or a marketing failure. It is
also the rift between the OWASP crowd and WAFs. One key take from that is
that WAFEC outreach is an important activity.

I presented a straw man for my thoughts on how we should move further based
on the discussion on this mailing list and I got some good feedback:

* WAFEC needs to define what a WAF is

* Focus on use cases:
  - Use cases are what one uses a WAF for, not how one deploys a WAF
  - One use case is for logging and troubleshooting (is this security
    related?)

* Add a definitions chapter

* There are qualitative criteria, for example:
  - Usability
  - Learning curve

* With regard to what to include/exclude:
  - Focus on what is specific to a WAF based on the definition above
  - Use common sense to decide:
    + FIPS is very relevant since WAFs uniquely store private keys
    + CE is generic to any appliance so should be skipped.
~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer at shezaf.com, www.shezaf.com]