[WASC-WAFEC] What should we change in WAFEC 2.0?

Ryan Barnett rcbarnett at gmail.com
Thu Jun 7 07:47:41 EDT 2012


Ivan Ristic had previously created a "Deployment Method Capabilities Matrix"
that is on Google Docs -
https://docs.google.com/document/d/1_wnWjug9cAuvb1uw4OPPHU1oks0D5EAw-tcl31Ota28/edit?pli=1

You could start with that.

-Ryan

From:  Ido Breger <I.Breger at F5.com>
Date:  Thu, 7 Jun 2012 11:35:08 +0000
To:  Ofer Shezaf <ofer at shezaf.com>, "wasc-wafec at lists.webappsec.org"
<wasc-wafec at lists.webappsec.org>
Subject:  Re: [WASC-WAFEC] What should we change in WAFEC 2.0?

> Thinking a bit more on the deployment modes section, would it make sense to
> elaborate on which features may not be available per deployment mode?
>  
> 
> From: wasc-wafec-bounces at lists.webappsec.org
> [mailto:wasc-wafec-bounces at lists.webappsec.org] On Behalf Of Ofer Shezaf
> Sent: Wednesday, June 06, 2012 2:39 PM
> To: wasc-wafec at lists.webappsec.org
> Subject: [WASC-WAFEC] What should we change in WAFEC 2.0?
>  
>  
> Since you are all very quiet, I understand that WAFEC 2 will solve my pain and
> needs only :)
>  
> To that end, let me start with summarizing issues raised in the previous
> discussions on the mailing list (which I actually went and read...).
>  
> No specific order intended. This is what you wrote, though I must say I think
> it captures well the issues I am aware of and that generally speaking I agree
> with most.
>  
> 1.      Remove non-WAF-related criteria, for example around application
> delivery.
> 
> ·        While integrating a WAF with other solutions is compelling to the
> client, it is not directly about WAFs and is also unbounded. This does present
> the challenge of deciding what is relevant to a WAF in border cases such as
> SSO functionality
> 
> 2.      Update the list of threats covered
> 
> 3.      Focus on customer use cases rather than how a WAF operates
> 
> ·        I think there was some hidden controversy here as I read opinions to
> focus on "technical", which I take to be the opposite. I personally very much
> agree with this comment.
> 
> 4.      Not just a laundry list -
> 
> ·        Classify the importance of requirements. I believe in a minimal
> approach specifying several levels, for example: "mandatory", "important",
> "nice to have" and "site specific".
> 
> ·        Another complementing idea is to classify requirements as
> "security"/"functionality"/"performance" etc., letting the user determine if he
> prefers security over functionality etc.
> 
> ·        This would also provide the minimum requirements for a solution to be
> a WAF - the "mandatory" requirements.
> 
> ·        Regarding site specific requirements, it should be easy for the user
> to determine his own requirements, for example using a decision tree.
> 
> 5.      The "ethical" questions:
> 
> ·        How to address alternative solutions such as fixing the code?
> 
> 6.      Outreach - beyond the document
> 
> ·        Approaching NSS, ICSA and the likes to use WAFEC
> 
> ·        Release process, PR etc.
> 
> ·        Managing a list of public references to WAFEC
> 
> ·        Promote actual evaluations data sharing - No more spreadsheets.
> 
> 7.      Specific notes on V1, I have collected for further work.
> 
>  
> A major question raised with opinions on both sides was a re-write vs. an
> update. I do think that understanding the requirements should direct that.
> Some issues raised which directly relate to that are:
> 1.      Is the order of sections correct?
> 
> 2.      Incorporating the German OWASP chapter work on the same subject:
> http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
> 
>  
> 
> ~ Ofer
>  
> 
> From: Ofer Shezaf [mailto:ofer at shezaf.com]
> Sent: Thursday, May 31, 2012 1:45 PM
> To: wasc-wafec at lists.webappsec.org
> Subject: WAFEC 2.0 phase 1: exploratory discussion (deadline: June 14th)
>  
> Thanks to all who volunteered to contribute to this project going forward (and
> those who didn't - you still can!)
>  
> I would like to boot up the project with a short exploratory phase identifying
> why we need a new release and therefore what we need in it.
>  
> To guide the discussion, I think that the reasons we need v2 fall into two
> categories:
> 1.     Things that have changed - new (or obsolete) deployment modes,
> techniques, attacks, or even something new altogether.
> 2.     Issues we discovered in WAFEC over the years. Some issues I encountered
> are identifying specific requirements and sorting out what's important and
> what's not.
>  
> From this discussion I hope to derive a mission statement, a tasks list and
> therefore a schedule for the V2 project. All those will be the next phase.
>  
> I would give this phase two weeks (until June 14th), however I am on vacation
> from the 9th, so would accept input but not join the discussion on the last
> few days.
>  
> I would also want to thank Thorsten and Mirko for leading the project until
> now. I do hope that I will get from you all more cooperation than they did! I
> would also want to extend a personal apology to Thorsten and Mirko as the
> leader switch was not well coordinated. Thorsten and I discussed this over the
> last week and he gracefully agreed to let me give a try to leading this
> project forward.
>  
> Thank you all!
> ~ Ofer
>  
> Ofer Shezaf
> [+972-54-4431119; ofer at shezaf.com, www.shezaf.com <http://www.shezaf.com> ]
>  
> _______________________________________________ wasc-wafec mailing list
> wasc-wafec at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org

