Mark Kraynak mark at imperva.com
Wed Aug 5 15:02:33 EDT 2015

I’m not going to be at Black Hat or AppSecUSA, (which probably robs me of any street cred, but in my defense, I’ve got a child on the way very soon and need to stay in town for a while once she’s born).

I’m very encouraged to see this moving ahead.  I’d like to offer mine and Imperva’s help in whatever way seems apropriate.  In the past, I’ve been a contributor to WAFEC and written some of the sections of v1 as well as drafts for the v2 which never seemed to get off the ground. A few others at Imperva have done the same.  However, I think the sentiment on this thread (which I agree with) is that this should be led by end-users.  So it may mean the most apropos way to do this would be for me / others to review and provide commentary.

Also, somewhere along the way, there was a discussion of how to create an effective testing/benchmarking regime for WAFEC.  As it happens this is a subject near and dear to a few people here at Imperva.  We found ourselves struggling to show customers that testing for false negatives only (which is the default for many security testers) was really not enough to evaluate a WAF.  So we created a testing tool that allows a tester to test both false positives and false negatives.  This is software we wrote and released as a free tool, I’m very proud of the name which is the WAF Testing Framework or WTF for short.  It comes with a test suite that goes against WebGoat (not written by us), but the test suite can be fully customized with relatively easy scripting.  My intention all along for this tool was to find a home outside of Imperva for it so that the community could create a test suite that could rise above the hint of vendor influence.  If this group would be interested in taking a look and evaluating whether it could be the basis for a WAFEC testing tool, I’d be happy to contribute it and open source the underlying code.

Anyone that’s interested can download the tool here: https://www.imperva.com/lg/lgw.asp?pid=483 (Note: it requires a registration, but if you contact me directly I can have it sent to you without the lead gen hassle)

From: wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] On Behalf Of Tony Turner
Sent: Wednesday, July 29, 2015 7:04 PM
To: Christian Heinrich
Cc: wasc-wafec at lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC Update and CFV

Definitely Christian. Feel free to stop by the OWASP booth at Black Hat and we can discuss the project. So far I have not received any responses on that other thread other than direct replies of encouragement, but no relevant or useful dialogue. I'll update the group if that changes as it's very relevant for planned future WAFEC activities. Thanks.

-Tony Turner

As some of us won't be attending AppSecUSA, can we discuss this proposal next Thursday (6 August) which according to https://docs.google.com/spreadsheets/d/1O0wsM1prhoBQqKkAa1s1GBloALENIHkREys_PeswKbA/edit#gid=0 we can meet at the booth?

In the interim, can you keep this mailing list informed of any replies received for http://lists.owasp.org/pipermail/owasp-leaders/2015-July/014670.html please?

On Thu, Jul 30, 2015 at 5:13 AM, Tony Turner <tony.turner at owasp.org<mailto:tony.turner at owasp.org>> wrote:
Hello all, we are looking for volunteers for the next revision of WAFEC. I intend to hold a WAFEC workshop at AppSecUSA on Wednesday September 23rd to discuss next steps for the project including a revised roadmap, document outline and specific discussion points evaluation approach. We hope to invigorate interest in the project there, but I wanted to reach out to the existing list first (this will remain the official mailing list for WAFEC activities) and ask that you let me know if you have skills in any of the following areas and have an interest in being an active participant:

  *   Web App Pentesters experienced with WAF Bypasses
  *   WAF Implementers
  *   WAF Developers
  *   WAF Vendor Liaisons
  *   Metrics and standardization professionals
  *   RFP writers
  *   Copy edit ninjas
  *   Graphics designer
  *   Previous WAFEC contributors
You may see some changes in the next few weeks with regards to document location (plan to use Google docs as a collaboration platform, we apologize to any international contributors that cannot access, please contact me directly if you have concerns), project pages, document structure as well as the actual methodology for evaluation. I pretty much despise pbworks (have lots of experience with it as the Security B-Sides community also utilizes and I run the Orlando conference) so you may see some content migrate to the OWASP page at https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project but I will try to mirror or link as appropriate.

Currently I intend to keep the WASC-TC driven classification based evaluations the same (if not expanded) but do want to address how we evaluate a WAF control as properly mitigating and to what degree. WAF technology has matured in the last few years and we will definitely be updating the security mechanisms appropriately. Furthermore, other products that are WAF-like have entered the space so we will be sure to make those distinctions as well.

I really want to see more granularity and flexibility here for individual consumers of WAFEC. One of the objectives here is the creation of a control enumeration framework specific to WAF, that may eventually spawn it's own unique project. We will also be constructing this as a modular framework with the understanding that not all WAF use cases are the same, and associated requirements may deviate dramatically based on design specifications. You can view the current roadmap at https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap but I would expect this to be further refined after the September workshop.

If you have further concerns, suggestions or wish to volunteer your time, please feel free to reach out to me. Thanks!

Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner at owasp.org<mailto:tony.turner at owasp.org>

wasc-wafec mailing list
wasc-wafec at lists.webappsec.org<mailto:wasc-wafec at lists.webappsec.org>

Christian Heinrich

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/attachments/20150805/1a8a503f/attachment-0003.html>

More information about the wasc-wafec mailing list