[WASC-WAFEC] WAFEC Update and CFV

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Jul 29 20:38:29 EDT 2015


Tony,

As some of us won't be attending AppSecUSA, can we discuss this proposal
next Thursday (6 August), when, according to
https://docs.google.com/spreadsheets/d/1O0wsM1prhoBQqKkAa1s1GBloALENIHkREys_PeswKbA/edit#gid=0
we can meet at the booth?

In the interim, can you keep this mailing list informed of any replies
received for
http://lists.owasp.org/pipermail/owasp-leaders/2015-July/014670.html please?

On Thu, Jul 30, 2015 at 5:13 AM, Tony Turner <tony.turner at owasp.org> wrote:

> Hello all, we are looking for volunteers for the next revision of WAFEC. I
> intend to hold a WAFEC workshop at AppSecUSA on Wednesday September 23rd to
> discuss next steps for the project including a revised roadmap, document
> outline and specific discussion points evaluation approach. We hope to
> invigorate interest in the project there, but I wanted to reach out to the
> existing list first (this will remain the official mailing list for WAFEC
> activities) and ask that you let me know if you have skills in any of the
> following areas and have an interest in being an active participant:
>
>    - Web App Pentesters experienced with WAF Bypasses
>    - WAF Implementers
>    - WAF Developers
>    - WAF Vendor Liaisons
>    - Metrics and standardization professionals
>    - RFP writers
>    - Copy edit ninjas
>    - Graphics designer
>    - Previous WAFEC contributors
>
> You may see some changes in the next few weeks with regards to document
> location (plan to use Google docs as a collaboration platform, we apologize
> to any international contributors that cannot access, please contact me
> directly if you have concerns), project pages, document structure as well
> as the actual methodology for evaluation. I pretty much despise pbworks
> (have lots of experience with it as the Security B-Sides community also
> utilizes and I run the Orlando conference) so you may see some content
> migrate to the OWASP page at
> https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project
> but I will try to mirror or link as appropriate.
>
> Currently I intend to keep the WASC-TC driven classification based
> evaluations the same (if not expanded) but do want to address how we
> evaluate a WAF control as properly mitigating and to what degree. WAF
> technology has matured in the last few years and we will definitely be
> updating the security mechanisms appropriately. Furthermore, other products
> that are WAF-like have entered the space so we will be sure to make those
> distinctions as well.
>
> I really want to see more granularity and flexibility here for individual
> consumers of WAFEC. One of the objectives here is the creation of a control
> enumeration framework specific to WAF, that may eventually spawn its own
> unique project. We will also be constructing this as a modular framework
> with the understanding that not all WAF use cases are the same, and
> associated requirements may deviate dramatically based on design
> specifications. You can view the current roadmap at
> https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap
> but I would expect this to be further refined after the September workshop.
>
> If you have further concerns, suggestions or wish to volunteer your time,
> please feel free to reach out to me. Thanks!
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>
> _______________________________________________
> wasc-wafec mailing list
> wasc-wafec at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>
>


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact