[WASC-WAFEC] WAFEC Update and CFV

Tony Turner tony.turner at owasp.org
Wed Jul 29 15:13:59 EDT 2015


Hello all, we are looking for volunteers for the next revision of WAFEC. I
intend to hold a WAFEC workshop at AppSecUSA on Wednesday September 23rd to
discuss next steps for the project, including a revised roadmap, document
outline and specific discussion points on the evaluation approach. We hope to
invigorate interest in the project there, but I wanted to reach out to the
existing list first (this will remain the official mailing list for WAFEC
activities) and ask that you let me know if you have skills in any of the
following areas and have an interest in being an active participant:

   - Web App Pentesters experienced with WAF Bypasses
   - WAF Implementers
   - WAF Developers
   - WAF Vendor Liaisons
   - Metrics and standardization professionals
   - RFP writers
   - Copy edit ninjas
   - Graphics designer
   - Previous WAFEC contributors

You may see some changes in the next few weeks with regards to document
location (we plan to use Google Docs as a collaboration platform; we apologize
to any international contributors who cannot access it, please contact me
directly if you have concerns), project pages, document structure as well
as the actual methodology for evaluation. I pretty much despise pbworks
(I have lots of experience with it, as the Security B-Sides community also
utilizes it and I run the Orlando conference), so you may see some content
migrate to the OWASP page at
https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project
but I will try to mirror or link as appropriate.

Currently I intend to keep the WASC-TC-driven, classification-based
evaluations the same (if not expanded) but do want to address how we
evaluate a WAF control as properly mitigating and to what degree. WAF
technology has matured in the last few years and we will definitely be
updating the security mechanisms appropriately. Furthermore, other products
that are WAF-like have entered the space, so we will be sure to make those
distinctions as well.

I really want to see more granularity and flexibility here for individual
consumers of WAFEC. One of the objectives here is the creation of a control
enumeration framework specific to WAF, which may eventually spawn its own
unique project. We will also be constructing this as a modular framework
with the understanding that not all WAF use cases are the same, and
associated requirements may deviate dramatically based on design
specifications. You can view the current roadmap at
https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap
but I would expect this to be further refined after the September workshop.

If you have further concerns, suggestions or wish to volunteer your time,
please feel free to reach out to me. Thanks!

-- 
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner at owasp.org
https://www.owasp.org/index.php/Orlando