[WASC-WAFEC] SANS CSIS 20 Critical Security Controls
christian.heinrich at cmlh.id.au
Wed Sep 19 04:30:56 EDT 2012
WAFs are measured in
Control 6 Sensors, Measurement, and Scoring
Sensor: Web Application Firewall (WAF)
Measurement: Verify that WAF is installed between applications and
users. Products such as F5 Application Security Manager, ModSecurity,
Art of Defence Hyperguard, and Trustwave WebDefend are recommended.
Score: Automated tool/process verifies: WAF is installed and
functioning: 50 points. WAF configuration covers OWASP top 10: 20
points. WAF configuration defends against top 25 programming errors:
Sensor: Web application firewall
Measurement: Central logging tool shows evidence that logs are being
collected from WAF.
Score: Automated tool/process periodically verifies that WAF is
generating logs into the security event manager or similar: 100
points. Failure to identify log entries = 0.
Aside from the significant overlap between the
http://cwe.mitre.org/top25/ of their first measurement, I believe we
should reference "SANS CSIS 20 Critical Security Controls" in WAFEC?
It might also be possible to alter their measurement considering their
period to comment on the next release v4 is 15th October, 2012.
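As an added illustration of the second Control 6 measurement quoted above (not code from the post or from SANS), the check below scans lines as a central log collector might store them and returns the 100/0 score the control describes. The log format, the host and program names and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of collected log lines in an assumed syslog-like shape
# ("timestamp host program: message"); not real SIEM or ModSecurity output.
SAMPLE_LOGS = """\
2012-09-19T08:10:02Z siem-01 collector: heartbeat ok
2012-09-19T08:11:44Z waf-01 modsecurity: request blocked, rule id RULE-PLACEHOLDER
2012-09-19T08:12:01Z web-01 nginx: 10.0.0.5 GET /index.html 200
2012-09-19T08:40:17Z waf-01 modsecurity: request allowed
"""

# Program names under which WAF entries are expected to arrive (assumed).
WAF_PROGRAMS = {"modsecurity"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[^:\s]+): (?P<msg>.*)$")


def parse_ts(ts_iso):
    return datetime.strptime(ts_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, host, program, message) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return parse_ts(m["ts"]), m["host"], m["program"], m["msg"]


def recent_waf_entries(lines, now_iso, window_minutes, waf_programs=WAF_PROGRAMS):
    """WAF-originated entries whose timestamp lies within the last window_minutes."""
    now = parse_ts(now_iso)
    oldest = now - timedelta(minutes=window_minutes)
    entries = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable lines never count as evidence of WAF logging
        ts, host, program, msg = parsed
        if program in waf_programs and oldest <= ts <= now:
            entries.append((ts, host, msg))
    return entries


def score_waf_logging(lines, now_iso, window_minutes=60):
    """Scoring as quoted from Control 6: WAF log entries identified in the
    central store within the window = 100 points, none identified = 0."""
    return 100 if recent_waf_entries(lines, now_iso, window_minutes) else 0


if __name__ == "__main__":
    print(score_waf_logging(SAMPLE_LOGS.splitlines(), "2012-09-19T09:00:00Z"))  # 100
```

The window models the "periodically verifies" wording; a WAF that logged yesterday but not within the window scores 0, which is the silent-sensor case the control is meant to catch.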