[WASC-WAFEC] WASC/OWASP Web, Application Firewall Evaluation Criteria at AppSec EU2013

Ofer Shezaf ofer at shezaf.com
Wed Nov 14 04:31:39 EST 2012


I figured it out finally! The English accent you have is not Australian, it
is URLese! :-)

To the point:
* I think that your idea about creating a workshop based on a test case of
evaluating an open source WAF based on WAFEC is a good one. I would choose
ModSecurity as it would be of interest to more people. As mentioned by
Jeremiah and Bob, this is not an activity WASC would do, rather it can be an
individual initiative. The closest we can get is creating the training
materials. If there is a volunteer to do so, I am willing to include
creating such training material in the project scope.

* As to certifying test labs to do WAFEC evaluation: I think we should
socialize WAFEC with them to use it as a reference in their work. Actual
certification is complex, prone to create problems (legal comes to mind) and
would probably not be endorsed by ICSA and NSS unless we make WAFEC
ubiquitous. OWASP did not progress in this respect in any project as far as
I know even though the issue is raised from time to time. To sum up: this is
not something we are ready for.

~ Ofer

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: Wednesday, November 14, 2012 4:02 AM
To: Ofer Shezaf
Cc: Achim Hoffmann; wasc-wafec at lists.webappsec.org
Subject: Re: WASC/OWASP Web,Application Firewall Evaluation Criteria at
AppSec EU2013


On Wed, Nov 14, 2012 at 9:30 AM, Ofer Shezaf <ofer at shezaf.com> wrote:
> I know who WAFEC's target audience is, however I wonder what a
> paid workshop on WAFEC would include.

I suspect it would be similar to being listed at
https://www.owasp.org/index.php/OWASP_Related_Commercial_Services i.e.
WASC would accredit NSS, ICSA, etc once they have attended the workshop.

Another idea I just thought of would be to evaluate (as an example)
https://www.ironbee.com/ against WAFEC with the intended audience being
those who have no experience with (as an example) https://www.ironbee.com/
hence they learn about both WAFEC and (as an
example) https://www.ironbee.com/ in the workshop.

Christian Heinrich