[WASC-WAFEC] What should we change in WAFEC 2.0?

Ofer Shezaf ofer at shezaf.com
Fri Jun 8 11:15:41 EDT 2012

Thank you all for the great input. I am going to a week's vacation today and
will summarize all said, define draft goal and action plan when I am back.

~ Ofer

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: Friday, June 08, 2012 3:08 AM
To: Ryan Barnett
Cc: Ofer Shezaf; wasc-wafec at lists.webappsec.org
Subject: Re: [WASC-WAFEC] What should we change in WAFEC 2.0?


On Thu, Jun 7, 2012 at 11:18 PM, Ryan Barnett <rcbarnett at gmail.com> wrote:
> I recommend that we consider using a "Levels" approach similar to what 
> OWASP ASVS uses - http://code.google.com/p/owasp-asvs/wiki/ASVS.  This 
> way, we can group items and the user can be clear which items are 
> considered "core" WAF features and which ones provide added value.

As far as I am aware (i.e. I might be incorrect) Mike Boberski (former OWASP
Project Leader) based on the ASVS "Levels" on
http://www.commoncriteriaportal.org/ based on my reading of

I can assist with an introduction to
http://www.dsd.gov.au/infosec/aisep/providers.htm but due to the timezone
difference with Australia it might be worth liaising with those more locally
in North America.

Christian Heinrich


More information about the wasc-wafec mailing list