[WASC-WAFEC] WAFEC Update and CFV

Tony Turner tony.turner at owasp.org
Wed Jul 29 22:04:21 EDT 2015


Definitely Christian. Feel free to stop by the OWASP booth at Black Hat and
we can discuss the project. So far I have not received any responses on
that other thread other than direct replies of encouragement, but no
relevant or useful dialogue. I'll update the group if that changes as it's
very relevant for planned future WAFEC activities. Thanks.

-Tony Turner

Tony,

As some of us won't be attending AppSecUSA, can we discuss this proposal
next Thursday (6 August) which according to
https://docs.google.com/spreadsheets/d/1O0wsM1prhoBQqKkAa1s1GBloALENIHkREys_PeswKbA/edit#gid=0
we can meet at the booth?

In the interim, can you keep this mailing list informed of any replies
received for
http://lists.owasp.org/pipermail/owasp-leaders/2015-July/014670.html please?

On Thu, Jul 30, 2015 at 5:13 AM, Tony Turner <tony.turner at owasp.org> wrote:

> Hello all, we are looking for volunteers for the next revision of WAFEC. I
> intend to hold a WAFEC workshop at AppSecUSA on Wednesday September 23rd to
> discuss next steps for the project including a revised roadmap, document
> outline and specific discussion points evaluation approach. We hope to
> invigorate interest in the project there, but I wanted to reach out to the
> existing list first (this will remain the official mailing list for WAFEC
> activities) and ask that you let me know if you have skills in any of the
> following areas and have an interest in being an active participant:
>
>    - Web App Pentesters experienced with WAF Bypasses
>    - WAF Implementers
>    - WAF Developers
>    - WAF Vendor Liaisons
>    - Metrics and standardization professionals
>    - RFP writers
>    - Copy edit ninjas
>    - Graphics designer
>    - Previous WAFEC contributors
>
> You may see some changes in the next few weeks with regards to document
> location (plan to use Google docs as a collaboration platform, we apologize
> to any international contributors that cannot access, please contact me
> directly if you have concerns), project pages, document structure as well
> as the actual methodology for evaluation. I pretty much despise pbworks
> (have lots of experience with it as the Security B-Sides community also
> utilizes and I run the Orlando conference) so you may see some content
> migrate to the OWASP page at
> https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project
> but I will try to mirror or link as appropriate.
>
> Currently I intend to keep the WASC-TC driven classification based
> evaluations the same (if not expanded) but do want to address how we
> evaluate a WAF control as properly mitigating and to what degree. WAF
> technology has matured in the last few years and we will definitely be
> updating the security mechanisms appropriately. Furthermore, other products
> that are WAF-like have entered the space so we will be sure to make those
> distinctions as well.
>
> I really want to see more granularity and flexibility here for individual
> consumers of WAFEC. One of the objectives here is the creation of a control
> enumeration framework specific to WAF, that may eventually spawn its own
> unique project. We will also be constructing this as a modular framework
> with the understanding that not all WAF use cases are the same, and
> associated requirements may deviate dramatically based on design
> specifications. You can view the current roadmap at
> https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap
> but I would expect this to be further refined after the September workshop.
>
> If you have further concerns, suggestions or wish to volunteer your time,
> please feel free to reach out to me. Thanks!
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact