[WASC-WAFEC] AWS WAF

Christian Folini christian.folini at time-machine.ch
Sat Oct 10 01:42:14 EDT 2015


Hi there,

On Fri, Oct 09, 2015 at 09:57:45PM -0400, Tony Turner wrote:
> Secondly, yes/no answers are very easy to game unless we get very very
> specific with the questions, far more specific than the previous version of
> the Response Matrix. For example "Does the WAF support signature based
> detection?" is a terrible binary question. There may be varying degrees of
> how comprehensive default signatures are, how easy to create new, modify
> existing, differences in regex that can impact performance, denial of
> service conditions for overly greedy regex, etc.
> 
> I do not intend to provide a graduated scoring mechanism unless those
> scores can be clearly defined.

This is extremely hard. I think you would be better off by
improving the binary questions / breaking them down to be more
specific than by defining the varying degrees which should be measured.

In a competitive and somewhat blurry environment such as WAFs, you seem
to be opening the door to all sorts of meta-discussions.

Ahoj,

Christian Folini


-- 
If liberty means anything at all, it means the right to tell people
what they do not want to hear.
-- George Orwell
