[WASC-WAFEC] AWS WAF
tony.turner at owasp.org
Sat Oct 10 14:10:50 EDT 2015
Thanks Christian(s). It occurs to me that there is little difference
between a set of binary questions that produce a score and a graduated
score that is produced by using the well defined criteria I mentioned. I'm
fine with keeping it binary, and expanding the criteria as it makes sense
to do so.
That being said, I'm very interested to hear from any metrics nerds on the
list as we could use a good statistician on the core team.
On Oct 10, 2015 1:42 AM, "Christian Folini" <christian.folini at time-machine.ch> wrote:
> Hi there,
> On Fri, Oct 09, 2015 at 09:57:45PM -0400, Tony Turner wrote:
> > Secondly, yes/no answers are very easy to game unless we get very, very
> > specific with the questions, far more specific than the previous version
> > of the Response Matrix. For example, "Does the WAF support signature-based
> > detection?" is a terrible binary question. There may be varying degrees of
> > how comprehensive the default signatures are, how easy it is to create new
> > ones or modify existing ones, differences in regex that can impact
> > performance, denial of service conditions for overly greedy regex, etc.
> > I do not intend to provide a graduated scoring mechanism unless those
> > scores can be clearly defined.
> This is extremely hard. I think you would be better off
> improving the binary questions / breaking them down to be more
> specific than defining the varying degrees which should be measured.
> In a competitive and somewhat blurry environment such as WAFs, you seem
> to be opening the door to all sorts of meta-discussions.
> Christian Folini
> If liberty means anything at all, it means the right to tell people
> what they do not want to hear.
> -- George Orwell
> wasc-wafec mailing list
> wasc-wafec at lists.webappsec.org