[WASC-WAFEC] Imperva WTF Tool

Christian Strache cs at strache-it.de
Sat Nov 21 06:05:34 EST 2015


Dear Tony,
dear all,

independently of the other discussions about vendors and OWASP, I'm 
wondering what benefits the WAFEC sees in choosing such a tool from a 
vendor.

As far as I know, the WTF tool is designed to show that the Imperva 
WAF default setup produces 0% false positives and 0% false negatives - and 
I guess we all know real world examples challenging those results.
Neither the technical details of the test nor the evaluation criteria 
seem to be comprehensive or balanced.

The tool runs a number of requests and evaluates whether the WAF 
responds or the actual server. This functionality can be reproduced in a 
few lines of code.

All details, like the test patterns and the rating scheme, must be 
freshly created for the WAFEC purpose anyway.

Maybe it would be easier to do a fresh start with the testing tool 
instead, including criteria like the system background (kind of db, 
language, application server, ...) as well as non-pattern-based features 
(tls, ...) and a re-test/comparison function for default and customized 
settings.

Kind regards,
Christian Strache

Am 20.11.2015 um 15:40 schrieb Tony Turner:
> In the interest of full disclosure I wanted to announce to the list 
> that Mark Kraynak and Amichai Shulman of Imperva have provided us with 
> the source code for the Imperva WTF WAF testing tool. Our intent is 
> not to rebrand as a WAFEC tool, but to utilize as guide for the 
> development of a separate independent tool. It will likely be a very 
> different tool and I want to reiterate that we are not intending to 
> re-release any of their work effort without significant rework or at 
> the very least, a comprehensive review. At this time I don't know 
> exactly what that will look like as we have not gathered requirements 
> yet.
>
> Some of the logic and structure may remain, but I wanted to make sure 
> there was transparency around this resource for WAFEC. If there are 
> those on this list who have an interest in being actively involved in 
> the development of this new toolset or have specific requirements you 
> would like the tool to address, please shoot me an email and I'll get 
> you added to the development team, or at the very least get your 
> requests added to the list. If you are a vendor, and have specific 
> concerns about this approach, please let me know. I'd love to get your 
> feedback.
>
> I don't intend to ramp up dev efforts for a few more months, at least 
> not until the actual criteria are better defined for the next 
> version but I wanted to get the ball rolling so we can start gathering 
> requirements and head off any concerns in advance of actual dev work 
> starting. Lastly, we will not release any tool publicly as an 
> official WAFEC deliverable until all members of the vendor subgroup 
> have had a chance to review it.
>
> If you are a WAF vendor and wish to be added to the vendor subgroup, 
> please shoot me an email with your contact information and role. We 
> are not excluding any vendor from this process.
>
> As of this time, the following vendors are represented on our vendor 
> subgroup:
>
>   * Verizon
>   * Radware
>   * Ergon
>   * Cdnetworks
>   * Imperva
>   * F5
>   * Sentrix
>
>
> -- 
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org <mailto:tony.turner at owasp.org>
> https://www.owasp.org/index.php/Orlando
>
>
> _______________________________________________
> wasc-wafec mailing list
> wasc-wafec at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
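[Editor's note: the following is an added example, not part of either message above and not Imperva's or WAFEC's code. It sketches the "few lines of code" Christian describes: send labelled requests, decide whether the WAF or the origin answered, tally false positives and false negatives, and compare a default against a customized setting. The block-page fingerprint (status, `X-WAF-Block` header, body marker), the toy regex WAF, the origin stub and the five test cases are all constructed so it runs offline; against a real deployment `send` would wrap an HTTP client and the fingerprint would be taken from one observed block response.]

```python
"""Minimal WAF accuracy harness (constructed example, not a project's code).

Send labelled requests, classify each response as WAF-block or origin,
tally FP/FN, and compare two WAF settings side by side.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)


@dataclass(frozen=True)
class Case:
    name: str
    path: str          # request target including query string
    malicious: bool    # ground-truth label supplied by the tester


# Fingerprint of the WAF's block response. ASSUMED values: take them from
# one real observed block before running against a real WAF.
BLOCK_STATUS = {403, 406}
BLOCK_HEADER = "x-waf-block"
BLOCK_BODY_MARKER = "Request blocked"


def answered_by_waf(resp: Response) -> bool:
    """True if the response matches the WAF block fingerprint, not the origin.
    The header check also catches WAFs that block with a 200 status."""
    status, headers, body = resp
    lowered = {k.lower() for k in headers}
    return (status in BLOCK_STATUS and BLOCK_BODY_MARKER in body) or BLOCK_HEADER in lowered


def evaluate(cases: List[Case], send: Callable[[str], Response]) -> dict:
    """Run every case through `send` and tally the four outcomes."""
    t = {"tp": 0, "fp": 0, "tn": 0, "fn": 0, "fp_cases": [], "fn_cases": []}
    for c in cases:
        blocked = answered_by_waf(send(c.path))
        if c.malicious and blocked:
            t["tp"] += 1
        elif c.malicious:
            t["fn"] += 1
            t["fn_cases"].append(c.name)
        elif blocked:
            t["fp"] += 1
            t["fp_cases"].append(c.name)
        else:
            t["tn"] += 1
    return t


def rates(t: dict) -> Tuple[float, float]:
    """(false positive rate over benign cases, false negative rate over malicious cases)."""
    fpr = t["fp"] / max(1, t["fp"] + t["tn"])
    fnr = t["fn"] / max(1, t["fn"] + t["tp"])
    return fpr, fnr


def compare(cases: List[Case], send_default, send_custom) -> Dict[str, Tuple[float, float]]:
    """Re-test the same cases against two settings, as a comparison function."""
    return {"default": rates(evaluate(cases, send_default)),
            "custom": rates(evaluate(cases, send_custom))}


# ---- constructed stand-ins so the harness runs offline -----------------
def origin(path: str) -> Response:
    return 200, {"Server": "origin"}, "<html>article</html>"


def make_toy_waf(rules: List[str], decode: bool) -> Callable[[str], Response]:
    """Toy signature WAF; `decode` is the one 'customized setting' we vary."""
    compiled = [re.compile(r, re.I) for r in rules]
    def send(path: str) -> Response:
        probe = unquote_plus(path) if decode else path
        if any(r.search(probe) for r in compiled):
            return 403, {"X-WAF-Block": "1"}, "Request blocked"
        return origin(path)
    return send


CASES = [  # constructed requests, not captured traffic
    Case("sqli plain", "/item?id=1' UNION SELECT password FROM users--", True),
    Case("sqli url-encoded", "/item?id=1%27%20UNION%20SELECT%20password%20FROM%20users--", True),
    Case("xss plain", "/search?q=<script>alert(1)</script>", True),
    Case("benign lookup", "/item?id=42", False),
    Case("benign text mentioning sql", "/search?q=how+to+write+a+union+select+query", False),
]
RULES = [r"union\s+select", r"<script"]

if __name__ == "__main__":
    for setting, (fpr, fnr) in compare(CASES, make_toy_waf(RULES, False),
                                       make_toy_waf(RULES, True)).items():
        print(f"{setting:8s} FPR={fpr:.2f} FNR={fnr:.2f}")
```

With the default setting (no decoding) the encoded SQLi case is a false negative and there are no false positives; turning on decoding closes that gap but turns the benign "union select" search into a false positive. That is the kind of trade-off a default-vs-customized comparison has to surface, and why a 0%/0% headline needs the case list and rating scheme published alongside it.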
