[WASC-WAFEC] Annexure or Supplement Proposed by F5

Ofer Shezaf ofer at shezaf.com
Mon Oct 15 02:49:04 EDT 2012


I think that F5, like any other interested party (or actually anyone for
that matter), is welcome to suggest specific criteria to WAFEC 2 and be
considered by the group. It would not be beneficial to the acceptance of
WAFEC if a large chunk (whether a chapter or an appendix) came from a single
party, and an interested party at that.

To that end, I urge F5 to share their criteria with the list.

~ Ofer

-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] On Behalf
Of Christian Heinrich
Sent: Monday, October 15, 2012 8:19 AM
To: wasc-wafec at lists.webappsec.org
Subject: Re: [WASC-WAFEC] Annexure or Supplement Proposed by F5


I just wanted to let everyone know that, after some offline "argy-bargy" :)
with F5 in September to define the requirement as to what an end user would
be seeking from WAFEC, I believe there would be some value in their (F5)
suggestion (discussed within the "[WASC-WAFEC] What should we change in
WAFEC 2.0?" thread) with the following caveats:

1. F5 would have to publish their list and therefore their IP to the mailing
list, where I will confirm if that is either a) the list that I also reviewed
or b) note the differences (it might have been updated since September).  I
would like to highlight that F5 did not require me to sign an NDA, so
this requirement, i.e. publication to this mailing list, was specified by me
(not F5).

2. The list could be divided into two sections, those entries that are
related to security and therefore WAFEC and those that aren't which could be
recorded in an annexure or supplement to the next release of WAFEC (v2?).
The roadmap would be to integrate this supplement or annexure into the
release following the next release of WAFEC (v3?) to ease the transition of
a major change of WAFEC.

3. It should be endorsed by the various testing labs, e.g.
https://www.icsalabs.com/, http://www.nsslabs.com/, etc., so that other
WAF vendors do not claim that the results are skewed for F5.  From my
own viewpoint as an end user I don't believe this to be the case, but I want to
be as fair as possible to other WAF vendors (within reason).

I also would like to thank both Kenneth and Ido from F5 and look forward to
the publication of their list for discussion.

On Tue, Jun 26, 2012 at 6:46 AM, Kenneth Salchow <k.salchow at f5.com> wrote:
> Sounds like a reasonable, well-founded plan.
> KJ (Ken) Salchow, Jr. | Program Manager, Technical Certification D 
> 651.423.1133 M 612.868.1258 P 206.272.5555 F 206.272.5555 www.f5.com
> -----Original Message-----
> From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au]
> Sent: Tuesday, June 19, 2012 4:52 PM
> To: Kenneth Salchow
> Cc: Alexander Meisel; wasc-wafec at lists.webappsec.org
> Subject: Re: [WASC-WAFEC] What should we change in WAFEC 2.0?
> Ken,
> My recommendation would be to produce a high level draft of customer
> requirements of items that complement a WAF and then have this endorsed by
> end user(s) for inclusion or; as a supplement to WAFEC.
> On Wed, Jun 20, 2012 at 3:08 AM, Kenneth Salchow <k.salchow at f5.com> wrote:
>> I'm not sure what you are asking for Christian ... are you looking for
>> customer references that state that customers have other solutions (SSO,
>> SSL-VPN, UTM, Firewall, etc) that they will be deploying alongside WAF?  I
>> kind of thought that we could all agree that customers weren't installing
>> WAF devices all by themselves; that would be kind of simplistic if you ask
>> Further, yes, I do think we should mention all the regional
>> certifications related to power consumption or other implementation issues.
>> As a customer (and while I'm not one now ... I was one once) those are ALL
>> important things to me.  Why would I bother to investigate a solution that I
>> would not be able to actually deploy because it doesn't meet the
>> requirements of my environment?
>> However, if everyone thinks it is of no value to customers to know this
>> kind of information ... then that's fine by me.  I just personally think you
>> are doing a disservice to the end customer to simply dismiss these items.
>> Today's networks are far too complex to simply ignore how devices interact
>> with each other.

Christian Heinrich

