[WASC-WAFEC] Annexure or Supplement Proposed by F5

Christian Heinrich christian.heinrich at cmlh.id.au
Mon Oct 15 02:18:40 EDT 2012


I just wanted to let everyone know that I after some offline
"argy-bargy" :) with F5 in September to define the requirement as to
what an end user would be seeking from WAFEC that I believe there
would be some value in their (F5) suggestion (discussed within the
"[WASC-WAFEC] What should we change in WAFEC 2.0?" thread) with the
following caveats:

1. F5 would have to publish their list and therefore their IP to the
mailing list were I will confirm if that is either a) the list that I
also reviewed or b) note the differences (it might have been updated
since September).  I would like to highlight that F5 did not
requirement me to sign an NDA so this requirement, i.e. publication to
this mailing list, was specified by me (not F5).

2. The list could be divided into two sections, those entries that are
related to security and therefore WAFEC and those that aren't which
could be recorded in an annexure or supplement to the next release of
WAFEC (v2?).  The roadmap would be to integrate this supplement or
annexure into the release following the next release of WAFEC (v3?) to
ease the transition of a major change of WAFEC.

3. It should be endorsed by the various testing labs, e.g.
https://www.icsalabs.com/, http://www.nsslabs.com/, etc, so that other
WAF vendors do not claim that the results are skewed for F5.   From my
own viewpoint as an end user I don't believe this to be case but I
want to be as fair as possible to other WAF vendors (within reason).

I also would like to thank both Kenneth and Ido from F5 and look
forward to the publication of their list for discussion.

On Tue, Jun 26, 2012 at 6:46 AM, Kenneth Salchow <k.salchow at f5.com> wrote:
> Sounds like a reasonable, well-founded plan.
> KJ (Ken) Salchow, Jr. | Program Manager, Technical Certification
> D 651.423.1133
> M 612.868.1258
> P 206.272.5555
> F 206.272.5555
> www.f5.com
> -----Original Message-----
> From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au]
> Sent: Tuesday, June 19, 2012 4:52 PM
> To: Kenneth Salchow
> Cc: Alexander Meisel; wasc-wafec at lists.webappsec.org
> Subject: Re: [WASC-WAFEC] What should we change in WAFEC 2.0?
> Ken,
> My recommendation would be to produce a high level draft of customer requirements of items that complement a WAF and then have this endorsed by end user(s) for inclusion or; as a supplement to WAFEC.
> On Wed, Jun 20, 2012 at 3:08 AM, Kenneth Salchow <k.salchow at f5.com> wrote:
>> I'm not sure what you are asking for Christian ... are you looking for customer references that state that customers have other solutions (SSO, SSL-VPN, UTM, Firewall, etc) that they will be deploying alongside WAF?  I kind of thought that we could all agree that customers weren't installing WAF devices all by themselves; that would be kind of simplistic if you ask me.
>> Further, yes, I do think we should mention all the regional certifications related to power consumption or other implementation issues.  As a customer (and while I'm not one now ... I was one once) those are ALL important things to me.  Why would I bother to investigate a solution that I would not be able to actually deploy because it doesn't meet the requirements of my environment?
>> However, if everyone thinks it is of no value to customers to know this kind of information ... then that's fine by me.  I just personally think you are doing a disservice to the end customer to simply dismiss these items.  Today's networks are far too complex to simply ignore how devices interact with each other.

Christian Heinrich


More information about the wasc-wafec mailing list