[WASC-WAFEC] WASC/OWASP Web Application Firewall Evaluation Criteria at AppSec EU2013

Christian Heinrich christian.heinrich at cmlh.id.au
Fri Nov 16 23:25:03 EST 2012


On Wed, Nov 14, 2012 at 8:31 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> To the point:
> * I think that your idea about creating a workshop based on a test case of
> evaluating an open source WAF based on WAFEC is a good one. I would choose
> ModSecurity as it would be of interest to more people. As mentioned by
> Jeremiah and Bob, this is not an activity WASC would do, rather it can be an
> individual initiative. The closest we can get is creating the training
> materials. If there is a volunteer to do so, I am willing to include
> creating such training material in the project scope.

I believe selecting ModSecurity as the sole example is too much of a
risk to WAFEC based on the continued corrupt conduct of Tom Brennan
(Trustwave and OWASP Board) as demonstrated within

That stated, and based on your long association with ModSecurity at
Breach, i.e. https://www.trustwave.com/pressReleases.php?n=062210,
there would be some value. Therefore, I believe we should open this
to other open source WAF examples, such as https://www.ironbee.com/,
etc., to make it fair to other open source vendors.

On Wed, Nov 14, 2012 at 8:31 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> * As to certifying test labs to do WAFEC evaluation: I think we should
> socialize WAFEC with them to use it as a reference in their work. Actual
> certification is complex, prone to create problems (legal comes to mind) and
> would probably not be endorsed by ICSA and NSS unless we make WAFEC
> ubiquitous. OWASP did not progress in this respect in any project as far as
> I know, even though the issue is raised from time to time. To sum up: this is
> not something we are ready for.

I agree with the above. Ironically, the creator of their (OWASP)
Commercial Registry was also involved with Common Criteria and he left
the project and OWASP due to continued conflict with Dinis Cruz, who
continues to make hypocritical statements about OWASP to this day.

I would prefer that our roadmap included socialising with ICSA, NSS,
etc. for this upcoming release (v2), and that for the next release (v3)
it is an endorsed standard. Obviously ICSA, NSS, etc. could advise on
what is required and possibly sponsor WAFEC's delivery on this second point.

Christian Heinrich

