[WASC-WAFEC] WAFEC workshop in Athens

Ofer Shezaf ofer at shezaf.com
Fri Aug 17 16:16:57 EDT 2012

Hi All,

Sorry for the long delay (it is summer after all). I hope to boot the next
phase shortly based on your valuable feedback, but when finally working on
that I had the time to summarize the workshop I held at OWASP AppSec
Research in Athens last month:

Participation was low (6 people). It’s not just the hour (6pm after a hot
and humid day at the Athens University campus) or a marketing failure. It is
also the rift between the OWASP crowd and WAFs. One key take from that is
that WAFEC outreach is an important activity.

I presented a straw man for my thoughts on how we should move further based
on the discussion on this mailing list and I got some good feedback:

- WAFEC needs to define what a WAF is
- Focus on use cases:
  - Use cases are what one uses a WAF for, not how one deploys a WAF
  - One use case is for logging and troubleshooting (is this security
- Add a definitions chapter
- There are qualitative criteria, for example:
  - Usability
  - Learning curve
- With regard to what to include/exclude:
  - Focus on what is specific to a WAF based on the definition above
  - Use common sense to decide:
    - FIPS is very relevant since WAFs uniquely store private keys
    - CE is generic to any appliance so should be skipped.

~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer at shezaf.com, www.shezaf.com]