[WASC-WAFEC] What should we change in WAFEC 2.0?

Christian Heinrich christian.heinrich at cmlh.id.au
Thu Jun 28 21:43:21 EDT 2012


Ofer,

I found two relevant slides from WhiteHat’s 12th Website Security
Statistics Report:

1. http://www.slideshare.net/jeremiahgrossman/stat-swebinar062712/11
i.e. Mitigation of vulnerabilities (based on WASC Threat Matrix) in
implementing a WAF (this might be expanded in their report which
should be released today (Friday 29 June).

2. http://www.slideshare.net/jeremiahgrossman/stat-swebinar062712/15
i.e. Time that passes to identify and then remediate vulnerabilities
within the Source Code.

To avoid a conflict of interest we should invite others to provide
relevant statistics related to real world implementations of a WAF and
the time taken to fix a vulnerability in source code and then
calculate an average?

On Sun, Jun 10, 2012 at 11:17 AM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:
> Ofer,
>
> On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>> 5.       The “ethical” questions:
>>
>> ·         How to address alternative solutions such as fixing the code?
>
> I am also willing to review and confirm that any perceived conflict of
> interest was removed from this section with consideration to
> http://blog.modsecurity.org/2010/10/modsecurity-user-survey-results-released.html


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact




More information about the wasc-wafec mailing list