[WASC-WAFEC] What should we change in WAFEC 2.0?

Kenneth Salchow k.salchow at f5.com
Tue Jun 19 13:08:54 EDT 2012

I'm not sure what you are asking for Christian ... are you looking for customer references that state that customers have other solutions (SSO, SSL-VPN, UTM, Firewall, etc) that they will be deploying alongside WAF?  I kind of thought that we could all agree that customers weren't installing WAF devices all by themselves; that would be kind of simplistic if you ask me.

Further, yes, I do think we should mention all the regional certifications related to power consumption or other implementation issues.  As a customer (and while I'm not one now ... I was one once) those are ALL important things to me.  Why would I bother to investigate a solution that I would not be able to actually deploy because it doesn't meet the requirements of my environment?

However, if everyone thinks it is of no value to customers to know this kind of information ... then that's fine by me.  I just personally think you are doing a disservice to the end customer to simply dismiss these items.  Today's networks are far too complex to simply ignore how devices interact with each other.
From: Christian Heinrich [christian.heinrich at cmlh.id.au]
Sent: Tuesday, June 19, 2012 2:08 AM
To: Alexander Meisel
Cc: wasc-wafec at lists.webappsec.org; Kenneth Salchow
Subject: Re: [WASC-WAFEC] What should we change in WAFEC 2.0?


On Mon, Jun 18, 2012 at 9:11 PM, Alexander Meisel
<alexander.meisel at artofdefence.com> wrote:
> I disagree with your take on this ...
> SSLvpn has nothing to do with WAF so it should not even be mentioned.
> Whatever your device does aside from WAF should not be part of the WAFec.
> Your devices consumes power as well. So should you mention all regional
> certifications in WAFec as well (it complies to; like TÜV, FCC etc.) ...
> probably not.

I would be willing to support this if Ken could provide a number of
supporting references from F5 customers (I am not expecting Ken to
have to post these to a public mailing list) based on his "As a
customer" quote below (I know Ken isn't a customer BTW) i.e.

> On 07.06.12 18:15, Kenneth Salchow wrote:
>> As a customer, I probably already have a number of other solutions and
>> it would be extremely valuable for me to know if any given WAF innately

The resulting draft section could be then voted on for
inclusion/exclusion in the upcoming release of WAFEC?

Christian Heinrich


More information about the wasc-wafec mailing list