<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">On #1:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I think it is beneficial to at least make the ease with which a WAF *<b>does</b>* integrate with other solutions, or a list of solutions with which the WAF has documented integration, a criterion for a WAF.  No one is ever going to buy a WAF and deploy it by itself without anything else around it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">As a customer, I probably already have a number of other solutions and it would be extremely valuable for me to know if any given WAF innately integrates with those other solutions or has an easy, documented ability to do so.  I might also be looking at other solutions at the same time I am deploying a WAF, and knowing what all my options are is also extremely valuable.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">So… we don’t have to compare WAFs by saying “oh, we have SSL VPN and yours doesn’t”, as that is not a specific WAF criterion, but it *<b>is</b>* very relevant and important to a customer who is evaluating these devices to know if the solution will integrate with their existing VPN or has options available to integrate with one down the road. (And I just picked SSL VPN off the top of my head; it could be SSO or whatever.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="3" cellpadding="0" width="531" style="width:318.75pt">
<tbody>
<tr>
<td colspan="5" style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">KJ (Ken) Salchow, Jr.</span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"> | Program Manager, Technical Certification</span><span style="font-size:12.0pt;color:#1F497D"><o:p></o:p></span></p>
</td>
</tr>
<tr style="height:9.0pt">
<td width="105" style="width:63.0pt;padding:.75pt .75pt .75pt .75pt;height:9.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:9.0pt">
<b><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#333333">D 651.423.1133</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="105" style="width:63.0pt;padding:.75pt .75pt .75pt .75pt;height:9.0pt">
<p class="MsoNormal" style="line-height:9.0pt"><b><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#333333">M 612.868.1258</span></b><span style="font-size:12.0pt;color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="105" style="width:63.0pt;padding:.75pt .75pt .75pt .75pt;height:9.0pt">
<p class="MsoNormal" style="line-height:9.0pt"><b><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#333333">P 206.272.5555</span></b><span style="font-size:12.0pt;color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="105" style="width:63.0pt;padding:.75pt .75pt .75pt .75pt;height:9.0pt">
<p class="MsoNormal" style="line-height:9.0pt"><b><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#333333">F 206.272.5555</span></b><span style="font-size:12.0pt;color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="86" style="width:51.75pt;padding:.75pt .75pt .75pt .75pt;height:9.0pt">
<p class="MsoNormal" style="line-height:9.0pt"><b><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#333333"><a href="http://www.f5.com/"><span style="color:#333333">www.f5.com</span></a><o:p></o:p></span></b></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> wasc-wafec-bounces@lists.webappsec.org [mailto:wasc-wafec-bounces@lists.webappsec.org]
<b>On Behalf Of </b>Kit Wetzler<br>
<b>Sent:</b> Wednesday, June 06, 2012 4:10 PM<br>
<b>To:</b> wasc-wafec@lists.webappsec.org<br>
<b>Subject:</b> Re: [WASC-WAFEC] What should we change in WAFEC 2.0?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">Speaking on behalf of Citrix, I actually agree with Mark.  I’d like our WAF to be evaluated on its own merits.  Yes, it integrates into the NetScaler ADC, but that shouldn’t be in the WAFEC.  The WAFEC should be criteria to choose a WAF, not an entire ecosystem, as most WAF customers already have an ADC infrastructure of some sort.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">Yes, cross-site request forgery, etc. (and many other threats) would be helpful.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">From a use case perspective, it would be helpful to distinguish different products – proxying vs. SPAN port vs. transparent – and the level of blocking – RSTs, buffering and proxying the request, or just logging/alerting, etc. (all valid deployment models going towards different goals).<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">I’d like to see the list categorized into security features, logging/alerting, etc.  This would help users of the list identify what is important and not important (which will vary quite a bit between use cases).<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">Agreed.  It’s up to the consumer to decide whether or not to fix code, and not the job of the WAFEC to decide that. 
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">6.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">Agreed with Mark.  The more we can make this a list that consumers can use to decide which solution to use, the more it will be used.
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">--<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Kit Wetzler<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Sr. Manager, Sales Engineering - West Region<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Citrix Systems, Inc<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Networking and Cloud Product Group (NetScaler, Branch Repeater and Access Gateway)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">408.892.1424<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><a href="mailto:kit.wetzler@citrix.com">kit.wetzler@citrix.com</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:wasc-wafec-bounces@lists.webappsec.org">wasc-wafec-bounces@lists.webappsec.org</a>
[mailto:wasc-wafec-bounces@lists.webappsec.org]
<b>On Behalf Of </b>Mark Kraynak<br>
<b>Sent:</b> Wednesday, June 06, 2012 1:54 PM<br>
<b>To:</b> Ofer Shezaf; <a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a><br>
<b>Subject:</b> Re: [WASC-WAFEC] What should we change in WAFEC 2.0?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">My thoughts are:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">1 – I agree with Ofer to remove the non-WAF-related criteria.  I realize this will come down to the camp of those that focus on those things (e.g., Ido &amp; F5) and those that don’t (e.g., me &amp; Imperva).  Perhaps a compromise would be to have a section for “related capabilities” outside of the main flow.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">2 – we need to have some sort of update on threats.  This normally turns into a complicated discussion of the ontology of threat classification.  Is there a way to avoid that?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">3 – I think the issue that came up here was that the usage of the document and the content of it were at odds.  In particular, when used as a template evaluation tool without any processing
 (which it often is), it results in conflicting “requirements” to evaluate against, especially with regard to deployment mode. I’d suggest taking a middle ground and keeping the deployment modes section, but changing the nature of the content to better explain
 and lend itself to a non-conflicting evaluation, but also to include customer goals / use cases as a section. 
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">I also think that the use cases section could help us solve #2.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">4 – my opinion would be to keep a flat list, but to provide a tool that lets the customer adjust importance based on their needs.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">5 – I would leave this out of the criteria (since WAFs don’t fix code, it doesn’t make sense to have fixing code as an evaluation element).  IMO, this is a better topic for a different kind of forum; this tool is supposed to be a tool to evaluate WAFs.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">6 – I think really orienting the criteria to be a usable framework for an actual evaluation will make this simpler.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:wasc-wafec-bounces@lists.webappsec.org">wasc-wafec-bounces@lists.webappsec.org</a>
[mailto:wasc-wafec-bounces@lists.webappsec.org]
<b>On Behalf Of </b>Ofer Shezaf<br>
<b>Sent:</b> Wednesday, June 06, 2012 4:39 AM<br>
<b>To:</b> <a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a><br>
<b>Subject:</b> [WASC-WAFEC] What should we change in WAFEC 2.0?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Since you are all very quiet, I understand that WAFEC 2 will solve my pain and needs only :)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">To that end, let me start with summarizing issues raised in the previous discussions on the mailing list (which I actually went and read…).<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">No specific order intended. This is what you wrote, though I must say I think it captures well the issues I am aware of and that generally speaking I agree with most.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo4">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><b><u><span style="color:#1F497D">Remove non-WAF-related criteria</span></u></b><span style="color:#1F497D">, for example around application delivery.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">While integrating a WAF with other solutions is compelling to the client, it is not directly about WAFs and is also unbounded. This does present the challenge of deciding what is relevant to a WAF in border cases such as SSO functionality.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo4">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><b><u><span style="color:#1F497D">Update the list of threats covered</span></u></b><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo4">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><b><u><span style="color:#1F497D">Focus on customer use cases rather than how a WAF operates</span></u></b><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">I think there was some hidden controversy here, as I read opinions to focus on “technical”, which I take to be the opposite. I personally very much agree with this comment.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo4">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><b><u><span style="color:#1F497D">Not just a laundry list</span></u></b><span style="color:#1F497D"> –
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">Classify the importance of requirements. I believe in a minimal approach specifying several levels, for example: “mandatory”, “important”, “nice to have” and “site specific”.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">Another complementing idea is to classify requirements as “security”/“functionality”/“performance”, etc., letting the user determine whether he prefers security over functionality, etc.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">This would also provide the minimum requirements for a solution to be a WAF – the “mandatory” requirements.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">Regarding site specific requirements, it should be easy for the user to determine his own requirements, for example using a decision tree.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo4">
<![if !supportLists]><b><span style="color:#1F497D"><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">     
</span></span></span></b><![endif]><b><u><span style="color:#1F497D">The “ethical” questions:<o:p></o:p></span></u></b></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">How to address alternative solutions such as fixing the code?<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo4">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">6.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><b><u><span style="color:#1F497D">Outreach</span></u></b><span style="color:#1F497D"> – beyond the document<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">Approaching NSS, ICSA and the likes to use WAFEC<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">Release process, PR etc.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">Managing a list of public references to WAFEC<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo4">
<![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">       
</span></span></span><![endif]><span style="color:#1F497D">Promote actual evaluation data sharing - no more spreadsheets.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo4">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">7.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">Specific notes on V1 that I have collected for further work.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">A major question raised with opinions on both sides was a re-write vs. an update. I do think that understanding the requirements should direct that. Some issues raised which directly
 relate to that are:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo6">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">Is the order of sections correct?<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo6">
<![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">     
</span></span></span><![endif]><span style="color:#1F497D">Incorporating the German OWASP chapter work on the same subject:
</span><span style="color:black"><a href="http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls">http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls</a></span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">~ Ofer<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ofer Shezaf [<a href="mailto:ofer@shezaf.com">mailto:ofer@shezaf.com</a>]
<br>
<b>Sent:</b> Thursday, May 31, 2012 1:45 PM<br>
<b>To:</b> <a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a><br>
<b>Subject:</b> WAFEC 2.0 phase 1: exploratory discussion (deadline: June 14th)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Thanks to all who volunteered to contribute to this project going forward (and those who didn’t – you still can!)<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">I would like to boot up the project with a short exploratory phase identifying why we need a new release and therefore what we need in it.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">To guide the discussion, I think that the reasons we need v2 fall into two categories:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:81.0pt;text-indent:-.25in;mso-list:l0 level1 lfo8;vertical-align:middle">
<![if !supportLists]><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]>Things that have changed - new (or obsolete) deployment modes, techniques, attacks, or even something new altogether.<span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:81.0pt;text-indent:-.25in;mso-list:l0 level1 lfo8;vertical-align:middle">
<![if !supportLists]><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]>Issues we discovered in WAFEC over the years. Some issues I encountered are identifying specific requirements and sorting out what’s important and what’s not.<span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;vertical-align:middle"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;vertical-align:middle">From this discussion I hope to derive a mission statement, a tasks list and therefore a schedule for the V2 project. All those will be the next phase.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;vertical-align:middle"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;vertical-align:middle"><b>I would give this phase two weeks (until June 14<sup>th</sup>), however I am on vacation from the 9<sup>th</sup>, so would accept input but not join the discussion on the last few days.<o:p></o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in;vertical-align:middle"><b><o:p> </o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in;vertical-align:middle">I would also want to thank Thorsten and Mirko for leading the project until now. I do hope that I will get from you all more cooperation than they did! I would also want to extend a personal
 apology to Thorsten and Mirko as the leader switch was not well coordinated. Thorsten and I discussed this over the last week and he gracefully agreed to let me give a try to leading this project forward.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Thank you all!<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">~ Ofer<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Ofer Shezaf<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt">[+972-54-4431119;
<a href="mailto:ofer@shezaf.com">ofer@shezaf.com</a>, <a href="http://www.shezaf.com">
www.shezaf.com</a>]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
</body>
</html>