<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo7'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Speaking on behalf of Citrix, I actually agree with Mark. I’d like our WAF to be evaluated on its own merits. Yes, it integrates into the NetScaler ADC, but that shouldn’t be in the WAFEC. The WAFEC should be criteria to choose a WAF, not an entire ecosystem, as most WAF customers already have an ADC infrastructure of some sort.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo7'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Yes, cross-site request forgery, etc. (and many other threats) would be helpful.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo7'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>From a use case perspective, it would be helpful to distinguish different products – proxying vs. SPAN port vs. transparent, and the level of blocking – RSTs, buffering and proxying the request, or just logging/alerting, etc.
(all valid deployment models going towards different goals) <o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo7'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>I’d like to see the list categorized into security features, logging/alerting, etc.  This would help users of the list identify what is important and not important (which will vary quite a bit between use cases) <o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo7'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Agreed.  It’s up to the consumer to decide whether or not to fix code, and not the job of the WAFEC to decide that.  <o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo7'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Agreed with Mark.  The more we can make this a list that consumers can use to decide which solution to use, the more it will be used. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>--<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Kit Wetzler<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Sr. 
Manager, Sales Engineering - West Region<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Citrix Systems, Inc<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Networking and Cloud Product Group (NetScaler, Branch Repeater and Access Gateway)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>408.892.1424<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><a href="mailto:kit.wetzler@citrix.com">kit.wetzler@citrix.com</a></span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> wasc-wafec-bounces@lists.webappsec.org [mailto:wasc-wafec-bounces@lists.webappsec.org] <b>On Behalf Of </b>Mark Kraynak<br><b>Sent:</b> Wednesday, June 06, 2012 1:54 PM<br><b>To:</b> Ofer Shezaf; wasc-wafec@lists.webappsec.org<br><b>Subject:</b> Re: [WASC-WAFEC] What should we change in WAFEC 2.0?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>My thoughts are:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>1 – I agree with Ofer to remove the non-WAF-related criteria. I realize this will come down to the camp of those that focus on those things (e.g., Ido &amp; F5) and those that don’t (e.g., me &amp; Imperva). 
Perhaps a compromise would be to have a section for “related capabilities” outside of the main flow.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>2 – we need to have some sort of update on threats. This normally turns into a complicated discussion of the ontology of threat classification. Is there a way to avoid that?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>3 – I think the issue that came up here was that the usage of the document and the content of it were at odds. In particular, when used as a template evaluation tool without any processing (which it often is), it results in conflicting “requirements” to evaluate against, especially with regard to deployment mode. I’d suggest taking a middle ground and keeping the deployment modes section, but changing the nature of the content to better explain and lend itself to a non-conflicting evaluation, but also to include customer goals / use cases as a section. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I also think that the use cases section could help us solve #2.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>4 – my opinion would be to keep a flat list, but to provide a tool that lets the customer adjust importance based on their needs.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>5 – I would leave this out of the criteria (since WAFs don’t fix code, it doesn’t make sense to have fixing code as an evaluation element). 
IMO, this is a better topic for a different kind of forum… this tool is supposed to be a tool to evaluate WAFs.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>6 – I think really orienting the criteria to be a usable framework for an actual evaluation will make this simpler.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:wasc-wafec-bounces@lists.webappsec.org">wasc-wafec-bounces@lists.webappsec.org</a> [mailto:wasc-wafec-bounces@lists.webappsec.org] <b>On Behalf Of </b>Ofer Shezaf<br><b>Sent:</b> Wednesday, June 06, 2012 4:39 AM<br><b>To:</b> <a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a><br><b>Subject:</b> [WASC-WAFEC] What should we change in WAFEC 2.0?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Since you are all very quiet, I understand that WAFEC 2 will solve my pain and needs only </span><span style='color:#1F497D'>:-)</span><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>To that end, let me start by summarizing issues raised in the previous discussions on the mailing list (which I actually went and read…).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>No specific order intended. 
This is what you wrote, though I must say I think it captures well the issues I am aware of and that generally speaking I agree with most.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo2'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><b><u><span style='color:#1F497D'>Remove non WAF related criteria</span></u></b><span style='color:#1F497D'> for example around application delivery. <o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>While integrating a WAF with other solutions is compelling to the client, it is not directly about WAFs and is also unbounded. 
This does present the challenge of deciding what is relevant to a WAF in borderline cases such as SSO functionality.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo2'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><b><u><span style='color:#1F497D'>Update the list of threats covered</span></u></b><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo2'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><b><u><span style='color:#1F497D'>Focus on customer use cases rather than how a WAF operates</span></u></b><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>I think there was some hidden controversy here, as I read opinions to focus on “technical”, which I take to be the opposite. I personally very much agree with this comment. 
<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo2'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><b><u><span style='color:#1F497D'>Not just a laundry list</span></u></b><span style='color:#1F497D'> – <o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Classify the importance of requirements. I believe in a minimal approach specifying several levels, for example: “mandatory”, “important”, “nice to have” and “site specific”.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Another complementary idea is to classify requirements as “security”/“functionality”/“performance” etc., 
letting the user determine whether he prefers security over functionality, etc.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>This would also provide the minimum requirements for a solution to be a WAF – the “mandatory” requirements.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Regarding site-specific requirements, it should be easy for the user to determine his own requirements, for example using a decision tree.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo2'><![if !supportLists]><b><span style='color:#1F497D'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'>       </span></span></span></b><![endif]><span dir=LTR></span><b><u><span style='color:#1F497D'>The “ethical” questions:<o:p></o:p></span></u></b></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>How to address alternative solutions such as fixing the code?<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo2'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><b><u><span style='color:#1F497D'>Outreach</span></u></b><span style='color:#1F497D'> – beyond the document<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Approaching NSS, ICSA and the like to use WAFEC<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Release process, PR etc.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Managing a list of public references to WAFEC<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Promote actual evaluation data sharing - no more spreadsheets.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo2'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>7.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Specific notes on V1, which I have collected for further work.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>A major question raised with opinions on both sides was a re-write vs. an update. I do think that understanding the requirements should direct that. Some issues raised which directly relate to that are:<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l3 level1 lfo4'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Is the order of sections correct?<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l3 level1 lfo4'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span dir=LTR></span><span style='color:#1F497D'>Incorporating the German OWASP chapter work on the same subject: </span><span style='color:black'><a href="http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls">http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls</a></span><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='color:#1F497D'>~ Ofer<o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ofer Shezaf [<a href="mailto:ofer@shezaf.com">mailto:ofer@shezaf.com</a>] 
<br><b>Sent:</b> Thursday, May 31, 2012 1:45 PM<br><b>To:</b> <a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a><br><b>Subject:</b> WAFEC 2.0 phase 1: exploratory discussion (deadline: June 14th)<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks to all who volunteered to contribute to this project going forward (and those who didn’t – you still can!)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I would like to boot up the project with a short exploratory phase identifying why we need a new release and therefore what we need in it.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>To guide the discussion, I think that the reasons we need v2 fall into two categories:<o:p></o:p></p><p class=MsoNormal style='margin-left:45.0pt;text-indent:-.25in;mso-list:l0 level1 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span dir=LTR></span>Things that have changed - new (or obsolete) deployment modes, techniques, attacks, or even something new altogether.<span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p><p class=MsoNormal style='margin-left:45.0pt;text-indent:-.25in;mso-list:l0 level1 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span dir=LTR></span>Issues we discovered in WAFEC over the years. 
Some issues I encountered are identifying specific requirements and sorting out what’s important and what’s not.<span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p><p class=MsoNormal style='vertical-align:middle'><o:p> </o:p></p><p class=MsoNormal style='vertical-align:middle'>From this discussion I hope to derive a mission statement, a task list and therefore a schedule for the V2 project. All those will be the next phase. <o:p></o:p></p><p class=MsoNormal style='vertical-align:middle'><o:p> </o:p></p><p class=MsoNormal style='vertical-align:middle'><b>I would give this phase two weeks (until June 14<sup>th</sup>); however, I am on vacation from the 9<sup>th</sup>, so I would accept input but not join the discussion in the last few days.<o:p></o:p></b></p><p class=MsoNormal style='vertical-align:middle'><b><o:p> </o:p></b></p><p class=MsoNormal style='vertical-align:middle'>I would also want to thank Thorsten and Mirko for leading the project until now. I do hope that I will get from you all more cooperation than they did! I would also want to extend a personal apology to Thorsten and Mirko, as the leader switch was not well coordinated. Thorsten and I discussed this over the last week and he gracefully agreed to let me try leading this project forward.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thank you all!<o:p></o:p></p><p class=MsoNormal>~ Ofer<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ofer Shezaf<o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt'>[+972-54-4431119; <a href="mailto:ofer@shezaf.com">ofer@shezaf.com</a>, <a href="http://www.shezaf.com">www.shezaf.com</a>]<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>