[WASC-WAFEC] What should we change in WAFEC 2.0?

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Jun 6 19:41:01 EDT 2012


Ofer,

On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> 1.       Remove non WAF related criteria for example around application
> delivery.
>
> ·         While integrating a WAF with other solutions is compelling to the
> client, it is not directly about WAFs and is also unbounded. This does
> present the challenge deciding what is relevant to a WAF in border cases
> such as an SSO functionality

I would recommend that if this change is accepted that the content
captured in V1 be transitioned to an Annexure so that it is not lost
in the next release?

On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> 2.       Update the list of threats covered

Can this be correlated to
http://projects.webappsec.org/w/page/13246978/Threat%20Classification
which might also help educate the consumer on the limitations and
benefits of WAF?

On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> 3.       Focus on customer use cases rather than how a WAF operates
>
> ·         I think there was some hidden controversy here as I read opinions
> to focus on “technical” which I take to be opposite. I personally very much
> agree with this comment.

For this to benefit the end user the use cases would need to be
defined and then correlated to the relevant sections of WAFEC?

On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> 5.       The “ethical” questions:
>
> ·         How to address alternative solutions such as fixing the code?

This would add credibility to WAFEC as we have identified and
addressed the conflict of interest of vendors.

On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> 6.       Outreach – beyond the document
>
> ·         Approaching NSS, ICSA and the likes to use WAFEC
>
> ·         Release process, PR etc.
>
> ·         Managing a list of public references to WAFEC
>
> ·         Promote actual evaluations data sharing - No more spreadsheets.

This should be addressed once the next release of WAFEC is released to
the public - I would recommend escalating this to
http://webappsec.org/officers.shtml for guidance?

On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> A major question raised with opinions on both sides was a re-write vs. an
> update. I do think that understanding the requirements should direct that.
> Some issues raised which directly relate to that are:
>
> 1.       Is the order of sections correct?
>
> 2.       Incorporating the German OWASP chapter work on the same subject:
> http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls

I believe the easiest roadmap would be:

1. Update the existing WAFEC v1 sections
2. Correlate to
http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
3. Consider modifying the order of the sections of WAFEC V1
4. Publish as a major release i.e. v2

-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
