[WASC-WAFEC] SANS CSIS 20 Critical Security Controls

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Sep 19 04:30:56 EDT 2012

WAFs are measured in

Control 6 Sensors, Measurement, and Scoring
Sensor: Web Application Firewall (WAF)
Measurement: Verify that WAF is installed between applications and
users. Products such as F5 Application Security Manager, ModSecurity,
Art of Defence Hyperguard, and Trustwave WebDefend are recommended.
Score: Automated tool/process verifies: WAF is installed and
functioning: 50 points. WAF configuration covers OWASP top 10: 20
points. WAF configuration defends against top 25 programming errors:
30 points.

Sensor: Web application firewall
Measurement: Central logging tool shows evidence that logs are being
collected from WAF.
Score: Automated tool/process periodically verifies that WAF is
generating logs into the security event manager or similar: 100
points. Failure to identify log entries = 0.


Aside from the significant overlap between the
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and
http://cwe.mitre.org/top25/ of their first measurement, I believe we
should reference "SANS CSIS 20 Critical Security Controls" in WAFEC?
It might also be possible to alter their measurement considering their
period to comment on the next release v4 is 15th October, 2012.

Christian Heinrich
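An added example, not part of the original post or of the SANS control text, of the kind of automated check the second Control 6 measurement quoted above calls for: it scans constructed SIEM-style records for events attributed to the WAF sensor, requires at least one inside a lookback window, and returns the score the control assigns (100 points if WAF log entries are identified, 0 if not). The record layout, the sensor name "modsecurity", the lookback window and the sample records are all assumptions for this example, not anything the control or the WAFEC draft prescribes.

```python
"""Added example (not from the original post or the SANS control text):
periodic check that the central log shows recent WAF entries, scored as
the quoted Control 6 measurement does (100 if found, 0 otherwise).
Record layout, sensor name and window are assumptions of this example."""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample of what a central logging tool might export: one
# JSON object per line. The field names are an assumption of this example.
SAMPLE_SIEM_EXPORT = """\
{"ts": "2012-09-19T08:00:12Z", "sensor": "modsecurity", "host": "waf-1", "msg": "SQLi rule 950901 matched"}
{"ts": "2012-09-19T08:03:40Z", "sensor": "sshd", "host": "app-1", "msg": "Accepted publickey"}
{"ts": "2012-09-19T08:25:05Z", "sensor": "modsecurity", "host": "waf-1", "msg": "XSS rule 941100 matched"}
{"ts": "2012-09-19T08:29:59Z", "sensor": "nginx", "host": "app-1", "msg": "GET /health 200"}
"""


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Parse one JSON object per line. Malformed lines are skipped rather
    than counted, so a broken export cannot masquerade as WAF evidence."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = _parse_ts(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        records.append(rec)
    return records


def waf_events_in_window(records, now_iso, window_minutes, sensor):
    """Return the records from `sensor` whose timestamp lies within the
    last `window_minutes` before `now_iso` (inclusive of both ends)."""
    now = _parse_ts(now_iso)
    start = now - timedelta(minutes=window_minutes)
    return [r for r in records if r.get("sensor") == sensor and start <= r["ts"] <= now]


def score_waf_logging(text, now_iso, window_minutes=15, sensor="modsecurity"):
    """Second WAF measurement of Control 6: 100 points if the central log
    shows WAF entries for the period, 0 if none are identified."""
    hits = waf_events_in_window(parse_records(text), now_iso, window_minutes, sensor)
    return 100 if hits else 0


if __name__ == "__main__":
    # "Now" is fixed so the example is reproducible offline.
    print("score:", score_waf_logging(SAMPLE_SIEM_EXPORT, "2012-09-19T08:30:00Z"))
```

The window is the knob that makes this a liveness check rather than a one-off inventory: a WAF that was logging last week but whose syslog forwarder has since died scores 0, which is the failure mode the measurement is meant to catch.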

