[WASC-WAFEC] What should we change in WAFEC 2.0?

matthieu.estrade mestrade at apache.org
Wed Jun 6 12:21:26 EDT 2012


Hi, my comments in the text.

> 1. REMOVE NON WAF RELATED CRITERIA for example around application
> delivery.
> · While integrating a WAF with other solutions is compelling to the
> client, it is not directly about WAFs and is also unbounded. This 
> does
> present the challenge deciding what is relevant to a WAF in border
> cases such as an SSO functionality

There is only a few WAF only product so it's difficult to exclude it 
from others features.
Then depending on analyst description, the WAF product is not very 
clear.

It's mostly about filtering, but what about availability ?
It can do strong authentication, and authorization, but is not doing 
SSO.
There is also all XML / SOAP attacks, it's badly handled by XML gateway 
today, and many WAF are doing this.


>
> 2. UPDATE THE LIST OF THREATS COVERED

I agree here, there is many things to add about JSON and XML parsing 
and analysis, SOAP, Ajax issues etc.

>
> 3. FOCUS ON CUSTOMER USE CASES RATHER THAN HOW A WAF OPERATES
>
> · I think there was some hidden controversy here as I read opinions
> to focus on "technical" which I take to be opposite. I personally 
> very
> much agree with this comment.
>
> 4. NOT JUST A LAUNDRY LIST -
>
> · Classify the importance of requirements. I believe that a minimal
> approach specifying several levels, for example: "mandatory",
> "important", "nice to have" and "site specific".
>
> · Another complementing idea is to classify requirements as
> "security"/"functionality"/"performance" etc. letting the user
> determine if he prefers security over functionality etc.
>
> · This would also provide the minimum requirements for a solution to
> be a WAF - the "mandatory" requirements.
>
> · Regarding site specific requirements, it should be easy to the
> user to determine his own requirements, for example using a decision
> tree.
>
> 5. THE "ETHICAL" QUESTIONS:
>
> · How to address alternative solutions such as fixing the code?
>
> 6. OUTREACH - beyond the document
>
> · Approaching NSS, ICSA and the likes to use WAFEC
>
> · Release process, PR etc.
>
> · Managing a list of public references to WAFEC
>
> · Promote actual evaluations data sharing - No more spreadsheets.
>
Depending companies who evaluate WAF, it's not easy to share this kind 
of informations.
But i agree that it could be better to share more here.


> 7. Specific notes on V1, I have collected for further work.
>
> A major question raised with opinions on both sides was a re-write
> vs. an update. I do think that understanding the requirements should
> direct that. Some issues raised which directly relate to that are:

WAFEC v1 is used by companies to evaluate vendors, we (vendor) receive 
the document and answer in a xls document, as asked.
imho, the current format with section is good and useful.

>
> 1. Is the order of sections correct?
>
> 2. Incorporating the German OWASP chapter work on the same subject:
> 
> http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
> [1]

I see this project as more on operation side than the WAFEC which is 
more when people are thinking to a WAF.
Just linking to this project inside WAFEC is a good point imho.

>
> ~ Ofer
>
> FROM: Ofer Shezaf [mailto:ofer at shezaf.com]
> SENT: Thursday, May 31, 2012 1:45 PM
> TO: wasc-wafec at lists.webappsec.org
> SUBJECT: WAFEC 2.0 phase 1: exploratory discussion (deadline: June
> 14th)
>
> Thanks to all who volunteered to contribute to this project going
> forward (and those who didn't - you still can!)
>
> I would like to boot up the project with a short exploratory phase
> identifying why we need a new release and therefore what we need in
> it.
>
> To guide the discussion, I think that the reasons we need v2 fall
> into two categories:
>
> 1. Things that have changed - new (or obsolete) deployment modes,
> techniques, attacks, or even something new altogether.
>
> 2. Issues we discovered in WAFEC over the years. Some issues I
> encountered are identifying specific requirements and sorting out
> what's important and what's not.
>
> From this discussion I hope to derive a mission statement, a tasks
> list and therefore a schedule for the V2 project. All those will be
> the next phase.
>
> I WOULD GIVE THIS PHASE TWO WEEKS (UNTIL JUNE 14TH), HOWEVER I AM ON
> VACATION FROM THE 9TH, SO WOULD ACCEPT INPUT BUT NOT JOIN THE
> DISCUSSION ON THE LAST FEW DAYS.
>
> I would also want to thank Thorsten and Mirko for leading the project
> until now. I do hope that I will get from you all more cooperation
> than they did! I would also want to extend a personal apology to
> Thorsten and Mirko as the leader switch was not well coordinated.
> Thorsten and I discussed this over the last week and he gracefully
> agreed to let me give a try to leading this project forward.
>
> Thank you all!
>
> ~ Ofer
>
> Ofer Shezaf
>
> [+972-54-4431119; ofer at shezaf.com [2], www.shezaf.com [3]]
>
>
>
> Links:
> ------
> [1] 
> http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
> [2] mailto:ofer at shezaf.com
> [3] http://www.shezaf.com





More information about the wasc-wafec mailing list