[WASC-WAFEC] WAFEC 2.0 Comments on Supporting Functionality

Paul Scott paul.scott at owasp.org
Tue Jan 15 02:06:04 EST 2013


WAFEC contributors,

I'd like to start by saying great work. I have some feedback on the
supporting functionality section that is published on the wiki. Please
forgive me if I have misunderstood the purpose of a specific section.

Regarding 5.1.2.A, I think the story of central management is becoming
increasingly relevant. The evaluation would benefit from expanding on this.
In addition to central viewing/searching of events and central policy
management (templates, mirroring, tuning), we will need features like
central config management (backup, restore), logging, correlation, and
alerting.

I haven't seen reporting mentioned. Would it be relevant to mention it in
5.1.2.C?

5.2.C, Is the automated backup to a central location? can the backed up
configuration also be restored?

Regarding the 5.2.D, When you speak about a system restart what system are
you referring to? This could be an appliance or an application. I think the
spirit of this is to find out what configuration changes can cause a
protected site to become unavailable. Is that accurate? Maybe this section
should refocus on this impact.

5.2.E, config synchronization between appliances or instances is an
important capability even if centralized configuration management is
available.
*
*5.4.1.B, I think Audit Logging, evaluation criteria should favor remote
logging or central logging when we're talking about where to store logs.
Also, supporting a feature to mask sensitive data within event logs is a
nice to prevent you from falling out of compliance by storing clear text
CC#s in the logs.

5.4.1.C, Does Enterprise Directory Integration fit the spirit of Secure
Mangement section? I know there was some discussion about the relevance of
single sign on. This seems similar.**

Please consider this feedback,

P.Scott
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/attachments/20130115/724b45f7/attachment-0003.html>


More information about the wasc-wafec mailing list