[WASC-WAFEC] What should we change in WAFEC 2.0?

Or Katz katz3112 at gmail.com
Thu Jun 7 08:24:23 EDT 2012


Hi Ofer,
My thoughts:
1. I agree, a WAF is a web application security filter and as such the focus
should be on its functionality.
3. I'm not sure this is what you meant in this section, but my concern is
that security requirements (those related to "how the WAF operates") will
have a proper description.
e.g. if a WAF should protect from CSRF attacks we need to have a good
description that will differentiate between those that protect by inspecting
the Referer header and those that rewrite data and add tokens.

Thanks.

Or Katz

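The two CSRF protection styles contrasted above (Referer inspection versus rewriting responses to add tokens), as an added Python illustration that is not part of the original thread or of WAFEC; the host name, key and `_waf_csrf` field name are constructed assumptions. It also makes explicit the missing-header decision that an evaluation criterion for the Referer style would have to spell out.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

SITE_HOST = "app.example"            # hostname of the protected application (constructed)
SECRET = b"waf-demo-key-change-me"   # per-deployment WAF key (constructed)
POST_FORM = re.compile(r"(<form\b[^>]*\bmethod=['\"]?post['\"]?[^>]*>)", re.I)

def referer_check(headers, fail_closed=True):
    """Mode 1: allow a state-changing request only if Origin/Referer names our host.
    Evaluation point: the interesting case is a missing header (proxies and
    privacy settings strip it), so the policy for that case must be explicit."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return not fail_closed
    return urlparse(src).hostname == SITE_HOST

def csrf_token(session_id):
    """Token derived from the session with an HMAC, so the WAF keeps no per-form state."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def inject_token(html, session_id):
    """Mode 2, outbound: rewrite the response, adding a hidden field to each POST form."""
    field = '<input type="hidden" name="_waf_csrf" value="%s">' % csrf_token(session_id)
    return POST_FORM.sub(lambda m: m.group(1) + field, html)

def token_check(form, session_id):
    """Mode 2, inbound: the submitted token must match the one bound to this session."""
    sent = form.get("_waf_csrf", "")
    return hmac.compare_digest(sent, csrf_token(session_id))

def filter_post(headers, form, session_id, mode):
    """WAF verdict for one POST request under the selected protection mode."""
    if mode == "referer":
        return referer_check(headers)
    if mode == "token":
        return token_check(form, session_id)
    raise ValueError("unknown mode: " + mode)
```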

On Wed, Jun 6, 2012 at 2:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:

> Since you are all very quiet, I understand that WAFEC 2 will solve my pain
> and needs only :)
>
> To that end, let me start with summarizing issues raised in the previous
> discussions on the mailing list (which I actually went and read...).
>
> No specific order intended. This is what you wrote, though I must say I
> think it captures well the issues I am aware of and that generally speaking
> I agree with most.
>
> 1. *Remove non WAF related criteria*, for example around application
>    delivery.
>    - While integrating a WAF with other solutions is compelling to the
>      client, it is not directly about WAFs and is also unbounded. This does
>      present the challenge of deciding what is relevant to a WAF in border
>      cases such as SSO functionality.
> 2. *Update the list of threats covered*
> 3. *Focus on customer use cases rather than how a WAF operates*
>    - I think there was some hidden controversy here as I read opinions to
>      focus on "technical", which I take to be the opposite. I personally
>      very much agree with this comment.
> 4. *Not just a laundry list*
>    - Classify the importance of requirements. I believe in a minimal
>      approach specifying several levels, for example: "mandatory",
>      "important", "nice to have" and "site specific".
>    - Another complementing idea is to classify requirements as
>      "security"/"functionality"/"performance" etc., letting the user
>      determine if he prefers security over functionality etc.
>    - This would also provide the minimum requirements for a solution to be
>      a WAF: the "mandatory" requirements.
>    - Regarding site specific requirements, it should be easy for the user
>      to determine his own requirements, for example using a decision tree.
> 5. *The "ethical" questions:*
>    - How to address alternative solutions such as fixing the code?
> 6. *Outreach*, beyond the document
>    - Approaching NSS, ICSA and the like to use WAFEC
>    - Release process, PR etc.
>    - Managing a list of public references to WAFEC
>    - Promote actual evaluation data sharing. No more spreadsheets.
> 7. Specific notes on V1, I have collected for further work.
>
> A major question raised with opinions on both sides was a re-write vs. an
> update. I do think that understanding the requirements should direct that.
> Some issues raised which directly relate to that are:
>
> 1. Is the order of sections correct?
> 2. Incorporating the German OWASP chapter work on the same subject:
>    http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
>
> ~ Ofer
>
> *From:* Ofer Shezaf [mailto:ofer at shezaf.com]
> *Sent:* Thursday, May 31, 2012 1:45 PM
> *To:* wasc-wafec at lists.webappsec.org
> *Subject:* WAFEC 2.0 phase 1: exploratory discussion (deadline: June 14th)
>
> Thanks to all who volunteered to contribute to this project going forward
> (and those who didn't, you still can!)
>
> I would like to boot up the project with a short exploratory phase
> identifying why we need a new release and therefore what we need in it.
>
> To guide the discussion, I think that the reasons we need v2 fall into two
> categories:
>
> 1. Things that have changed: new (or obsolete) deployment modes,
>    techniques, attacks, or even something new altogether.
> 2. Issues we discovered in WAFEC over the years. Some issues I encountered
>    are identifying specific requirements and sorting out what's important
>    and what's not.
>
> From this discussion I hope to derive a mission statement, a task list
> and therefore a schedule for the V2 project. All those will be the next
> phase.
>
> *I would give this phase two weeks (until June 14th), however I am on
> vacation from the 9th, so would accept input but not join the discussion
> on the last few days.*
>
> I would also want to thank Thorsten and Mirko for leading the project
> until now. I do hope that I will get from you all more cooperation than
> they did! I would also want to extend a personal apology to Thorsten and
> Mirko as the leader switch was not well coordinated. Thorsten and I
> discussed this over the last week and he gracefully agreed to let me give
> a try to leading this project forward.
>
> Thank you all!
>
> ~ Ofer
>
> Ofer Shezaf
> [+972-54-4431119; ofer at shezaf.com, www.shezaf.com]