[WASC-WAFEC] Imperva WTF Tool

Tony Turner tony.turner at owasp.org
Sat Nov 21 11:09:49 EST 2015


We are not "choosing" the Imperva tool. We are researching existing tools.
I started with what I knew, and would be happy to look at any others that
might be worthwhile. It's most likely that yes, we will probably create
something new, but the entire purpose of this original email was to let the
community know we'd been in communication with Imperva on the topic, not
that we had selected their tool. We most certainly have not.
On Nov 21, 2015 6:05 AM, "Christian Strache" <cs at strache-it.de> wrote:

> Dear Tony,
> dear all,
>
> independently of the other discussions about vendors and OWASP, I'm
> wondering what benefits the WAFEC sees in choosing such a tool from a
> vendor.
>
> As far as I know the WTF tool, it is designed to show that the Imperva WAF
> default setup does 0% false positives and 0% false negatives - and I guess
> we all know real world examples challenging those results.
> Neither the technical details of the test, nor the evaluation criteria
> seem to be comprehensive or balanced.
>
> The tool runs a number of requests and evaluates whether the WAF responds
> or the actual server. This functionality can be reproduced in a few lines
> of code.
>
> All details, like the test patterns and the rating scheme, must be freshly
> created for the WAFEC purpose anyway.
>
> Maybe it would be easier to do a fresh start with the testing tool
> instead, including criteria like the system background (kind of db,
> language, application server, ...) as well as non-pattern-based features
> (tls, ...) and a re-test/comparison function for default and customized
> settings.
>
> Kind regards,
> Christian Strache
>
> On 20.11.2015 at 15:40, Tony Turner wrote:
>
> In the interest of full disclosure I wanted to announce to the list that
> Mark Kraynak and Amichai Shulman of Imperva have provided us with the
> source code for the Imperva WTF WAF testing tool. Our intent is not to
> rebrand as a WAFEC tool, but to utilize as a guide for the development of a
> separate independent tool. It will likely be a very different tool and I
> want to reiterate that we are not intending to re-release any of their work
> effort without significant rework or at the very least, a comprehensive
> review. At this time I don't know exactly what that will look like as we
> have not gathered requirements yet.
>
> Some of the logic and structure may remain, but I wanted to make sure
> there was transparency around this resource for WAFEC. If there are those
> on this list who have an interest in being actively involved in the
> development of this new toolset or have specific requirements you would
> like the tool to address, please shoot me an email and I'll get you added
> to the development team, or at the very least get your requests added to
> the list. If you are a vendor, and have specific concerns about this
> approach, please let me know. I'd love to get your feedback.
>
> I don't intend to ramp up dev efforts for a few more months, at least not
> until the actual criteria are better defined for the next version, but I
> wanted to get the ball rolling so we can start gathering requirements and
> head off any concerns in advance of actual dev work starting. Lastly, we
> will not release any tool publicly as an official WAFEC deliverable until
> all members of the vendor subgroup have had a chance to review it.
>
> If you are a WAF vendor and wish to be added to the vendor subgroup,
> please shoot me an email with your contact information and role. We are not
> excluding any vendor from this process.
>
> As of this time, the following vendors are represented on our vendor
> subgroup:
>
>    - Verizon
>    - Radware
>    - Ergon
>    - Cdnetworks
>    - Imperva
>    - F5
>    - Sentrix
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>
>
> _______________________________________________
> wasc-wafec mailing list
> wasc-wafec at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
>
>
>
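The harness Christian describes (send labelled requests, decide whether the WAF or the origin answered, rate the outcome as false positives and false negatives) sketched as an added example; this is not code from the Imperva WTF tool or from WAFEC. The `X-Origin-App` marker header, the one-signature toy WAF and the sample cases are constructed assumptions so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class TestCase:
    name: str
    request_line: str   # constructed request, e.g. "GET /index.html HTTP/1.1"
    malicious: bool     # ground truth: should a WAF block this request?

@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str]
    body: str

# Assumption: the test application stamps this header on every reply it serves,
# while a WAF block page never carries it. That is how we tell the two apart.
ORIGIN_MARKER = "X-Origin-App"

def answered_by_waf(resp: Response) -> bool:
    """Decide who answered: origin replies carry ORIGIN_MARKER, block pages do not."""
    if ORIGIN_MARKER in resp.headers:
        return False
    return resp.status in (403, 406) or "blocked" in resp.body.lower()

def score(cases: List[TestCase], send: Callable[[TestCase], Response]) -> Dict[str, float]:
    """Run every case through `send`, compare the verdict with ground truth, return FP/FN rates."""
    fp = fn = 0
    for case in cases:
        blocked = answered_by_waf(send(case))
        fp += int(blocked and not case.malicious)      # benign request was blocked
        fn += int((not blocked) and case.malicious)    # malicious request reached the app
    n_mal = sum(c.malicious for c in cases)
    n_benign = len(cases) - n_mal
    return {"false_positive_rate": fp / n_benign if n_benign else 0.0,
            "false_negative_rate": fn / n_mal if n_mal else 0.0}

# Constructed stand-in for a real deployment: a toy WAF with a single signature in front of a toy app.
_TOY_SIGNATURE = re.compile(r"<script", re.IGNORECASE)

def simulated_send(case: TestCase) -> Response:
    if _TOY_SIGNATURE.search(case.request_line):
        return Response(403, {"Server": "toy-waf"}, "Request blocked by policy")
    return Response(200, {ORIGIN_MARKER: "1"}, "<html>ok</html>")

SAMPLE_CASES = [  # constructed; two benign, two malicious
    TestCase("plain page", "GET /index.html HTTP/1.1", malicious=False),
    TestCase("docs search mentioning a tag", "GET /docs?q=what+is+a+<script+tag HTTP/1.1", malicious=False),
    TestCase("textbook reflected XSS probe", "GET /search?q=<script>alert(1)</script> HTTP/1.1", malicious=True),
    TestCase("textbook traversal probe", "GET /download?file=../../etc/passwd HTTP/1.1", malicious=True),
]
```

With the toy signature set, `score(SAMPLE_CASES, simulated_send)` reports a 50% false-positive and a 50% false-negative rate, which is the kind of result a WAFEC test pattern set and rating scheme would have to define properly.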