[WASC-WAFEC] AWS WAF

Christian Folini christian.folini at time-machine.ch
Sun Oct 11 02:43:13 EDT 2015


On Sat, Oct 10, 2015 at 02:10:50PM -0400, Tony Turner wrote:
> Thanks Christian(s). It occurs to me that there is little difference
> between a set of binary questions that produce a score and a graduated
> score that is produced by using the well defined criteria I mentioned. I'm
> fine with keeping it binary, and expanding the criteria as it makes sense
> to do so.

Yes, that makes a lot of sense. The result would be the same.

> That being said, I'm very interested to hear from any metrics nerds on the
> list as we could use a good statistician on the core team.

I'm sure you could. 

Good to see this project moving forward again.

Best,

Christian Folini

> 
> -Tony
> On Oct 10, 2015 1:42 AM, "Christian Folini" <
> christian.folini at time-machine.ch> wrote:
> 
> > Hi there,
> >
> > On Fri, Oct 09, 2015 at 09:57:45PM -0400, Tony Turner wrote:
> > > Secondly, yes/no answers are very easy to game unless we get very very
> > > specific with the questions, far more specific than the previous version
> > > of the Response Matrix. For example "Does the WAF support signature based
> > > detection?" is a terrible binary question. There may be varying degrees
> > > of how comprehensive default signatures are, how easy to create new, modify
> > > existing, differences in regex that can impact performance, denial of
> > > service conditions for overly greedy regex, etc.
> > >
> > > I do not intend to provide a graduated scoring mechanism unless those
> > > scores can be clearly defined.
> >
> > This is extremely hard. I think you would be better off by
> > improving the binary questions / breaking them down to be more
> > specific than by defining the varying degrees which should be measured.
> >
> > In a competitive and somewhat blurry environment such as WAFs, you seem
> > to be opening the door for all sorts of meta-discussions.
> >
> > Ahoj,
> >
> > Christian Folini
> >
> >
> > --
> > If liberty means anything at all, it means the right to tell people
> > what they do not want to hear.
> > -- George Orwell
> >
> > _______________________________________________
> > wasc-wafec mailing list
> > wasc-wafec at lists.webappsec.org
> > http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
> >

-- 
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:christian.folini at netnea.com (Business)
mailto:christian.folini at time-machine.ch (Private)
http://www.christian-folini.ch