<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>Comments inline below.</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Ofer Shezaf <<a href="mailto:ofer@shezaf.com">ofer@shezaf.com</a>><br><span style="font-weight:bold">Date: </span> Wed, 6 Jun 2012 14:39:29 +0300<br><span style="font-weight:bold">To: </span> <<a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a>><br><span style="font-weight:bold">Subject: </span> [WASC-WAFEC] What should we change in WAFEC 2.0?<br></div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="color:#1F497D">Since you are all very quiet, I understand that WAFEC 2 will solve my pain and needs only </span><span style="color:#1F497D">:-)</span><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="color:#1F497D">To that end, let me start with summarizing issues raised in the previous discussions on the mailing list (which I actually went and read…).<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="color:#1F497D">No specific order intended. This is what you wrote, though I must say I think it captures well the issues I am aware of and that generally speaking I agree with most.<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><b><u><span style="color:#1F497D">Remove non-WAF related criteria</span></u></b><span style="color:#1F497D">, for example around application delivery. <o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">While integrating a WAF with other solutions is compelling to the client, it is not directly about WAFs and is also unbounded. 
This does present the challenge of deciding what is relevant to a WAF in border cases such as SSO functionality.</span></p></div></div></div></blockquote></span><div><br></div><div>I recommend that we consider using a "Levels" approach similar to what OWASP ASVS uses - <a href="http://code.google.com/p/owasp-asvs/wiki/ASVS">http://code.google.com/p/owasp-asvs/wiki/ASVS</a>.  This way, we can group items and the user can be clear which items are considered "core" WAF features and which ones provide added value.</div><div><br></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><span style="color:#1F497D"> <o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><b><u><span style="color:#1F497D">Update the list of threats covered</span></u></b></p></div></div></div></blockquote></span><div><br></div><div>I agree that we should map to the WASC TC.  
The OWASP German Chapter did something similar with the WAF Best Practices document listing coverage for the OWASP Top 10 2007 - <a href="https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls">https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls</a>.  This will help to show which attack/vuln categories WAFs excel at mitigating (injection flaws, info leakages) and which ones they don't (authorization, logic flaws).</div><div><br></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><b><u><span style="color:#1F497D">Focus on customer use cases rather than how a WAF operates</span></u></b><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">I think there was some hidden controversy here 
as I read opinions to focus on “technical” which I take to be the opposite. I personally very much agree with this comment.</span></p></div></div></div></blockquote></span><div><br></div><div>OK, I guess here is as good a place as any to state my two biggest issues I think we need to address with WAFEC -</div><div><br></div><div>1) Minimum Requirements for WAF – whether we like it or not, most WAFEC users tried to use it as a "minimum requirements" document.  I can't tell you how many times I was sent the spreadsheet by a WAF prospect and asked how our WAF "conformed" to it…  So, I do think that we need to re-organize the data so that there is a clear distinction between what features a product <span style="font-weight: bold">must</span> have to be considered a WAF.  This is an important issue as there are many other vendors in the FW/IPS space that tout that they can do the same things as WAFs and that is just marketing BS.  For instance – in Larry Suto's WAF Eval doc (<a href="http://www.manvswebapp.com/wp-content/uploads/Analyzing_Effectiveness_of_Web_Application_Firewalls.pdf">http://www.manvswebapp.com/wp-content/uploads/Analyzing_Effectiveness_of_Web_Application_Firewalls.pdf</a>) one of the general takeaways was that an IPS configured with virtual patches from a DAST scanner would be just as effective as a WAF.  I disagree as there were other categories of vulns that weren't tested and also I don't believe that the testing scenario used any simulated user traffic to allow the WAFs' auto-learning/profiling systems to create profiles…  </div><div><br></div><div>Another example to consider is the PCI DSS supplemental document for Requirement 6.6 - <a href="https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf">https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf</a>.  
The most relevant section is the "Recommended Capabilities" section where it states that it should be able to enforce both negative and positive security models.  I believe that this item alone will disqualify network FW/IPS as they only do negative security/blacklist filtering (as far as I understand).</div><div><br></div><div>2) WAF Testing – people use WAFEC during WAF bake-offs when they are evaluating multiple WAFs.  Unfortunately, the actual "testing" or evaluating of WAFs against each other is an exercise left to the user…  I had to laugh when one prospect said that they chose one WAF over ours because they ran a scanner against the website and the competitor's WAF produced more alerts than ours so it had to be <span style="font-weight: bold">better</span>.  :(  I explained to the prospect that this was a flawed testing design as our product consolidates multiple individual alerts into an overall summary alert for the transaction as a whole.  This was used to help with event management in production.  Needless to say, they ended up with our product after trying to use the competitor's product and were flooded with alerts that they could not manage.  </div><div><br></div><div>For this reason, I believe that we should attempt to make some type of agreed-upon testing methodology for users to follow.  
How should users actually test WAFs to ensure that they are working as advertised?</div><div><br></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><span style="color:#1F497D"> <o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><b><u><span style="color:#1F497D">Not just a laundry list</span></u></b><span style="color:#1F497D"> – <o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Classify the importance of requirements. 
I believe in a minimal approach specifying several levels, for example “mandatory”, “important”, “nice to have” and “site specific”.<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Another complementary idea is to classify requirements as “security”/“functionality”/“performance” etc., letting the user determine if he prefers security over functionality etc.<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">This would also provide the minimum requirements for a solution to be a WAF – the “mandatory” requirements.<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Regarding site-specific requirements, it should be easy for the user to determine his own requirements, for example using a decision tree.</span></p></div></div></div></blockquote></span><div><br></div><div>I touched on some of these in earlier comments.  
We need to clearly specify minimum requirements for a WAF.</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><!--[if !supportLists]--><b><span style="color:#1F497D"><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">       </span></span></span></b><!--[endif]--><span dir="LTR"></span><b><u><span style="color:#1F497D">The “ethical” questions:<o:p></o:p></span></u></b></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">How to address alternative solutions such as fixing the code?</span></p></div></div></div></blockquote></span><div><br></div><div>This can indirectly be addressed by having a mapping to WASC TC and providing mitigation coverage for each issue.  
This will highlight attack/vuln types that can be better addressed within the code.</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">6.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><b><u><span style="color:#1F497D">Outreach</span></u></b><span style="color:#1F497D"> – beyond the document<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Approaching NSS, ICSA and the likes to use WAFEC</span></p></div></div></div></blockquote></span><div><br></div><div>This is important for the "WAF Testing" issue I raised above.  
Users need guidance on how to run WAF testing during bake-offs.</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Release process, PR etc.<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Managing a list of public references to WAFEC<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l3 level2 lfo4"><!--[if !supportLists]--><span style="color: rgb(31, 73, 125); "><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">         </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Promote actual evaluations data sharing - No more spreadsheets.<o:p></o:p></span></p><p class="MsoListParagraph" 
style="text-indent:-18.0pt;mso-list:l3 level1 lfo4"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">7.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Specific notes on V1, I have collected for further work.<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="color:#1F497D">A major question raised with opinions on both sides was a re-write vs. an update. I do think that understanding the requirements should direct that. Some issues raised which directly relate to that are:<o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l4 level1 lfo6"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Is the order of sections correct?</span></p></div></div></div></blockquote></span><div><br></div><div>This brings up the issue of WAF Deployment Model.  This should probably be one of the first items listed as the choice of deployment model directly impacts many other capabilities.  
</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l4 level1 lfo6"><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l4 level1 lfo6"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">       </span></span></span><!--[endif]--><span dir="LTR"></span><span style="color:#1F497D">Incorporating the German OWASP chapter work on the same subject: </span><span style="color:black"><a href="http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls">http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls</a></span></p></div></div></div></blockquote></span><div><br></div><div>In my view, WAFEC would function as a sub-chapter within this document.  The OWASP WAF Best Practices doc starts off discussing the rationale for even considering a WAF.  Once they make this decision, they would use WAFEC to evaluate products.  
Once they choose a WAF, then they go back to the OWASP WAF Best Practices document for deciding how to integrate it and manage it.</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l4 level1 lfo6"><span style="color:#1F497D"><o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><div><p class="MsoNormal"><span style="color:#1F497D">~ Ofer<o:p></o:p></span></p></div><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "> Ofer Shezaf [<a href="mailto:ofer@shezaf.com">mailto:ofer@shezaf.com</a>] <br><b>Sent:</b> Thursday, May 31, 2012 1:45 PM<br><b>To:</b> <a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a><br><b>Subject:</b> WAFEC 2.0 phase 1: exploratory discussion (deadline: June 14th)<o:p></o:p></span></p></div></div><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">Thanks to all who volunteered to contribute to this project going forward (and those who didn’t – you still can!)<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">I would like to boot up the project with a short exploratory phase identifying why we need a new release and therefore what we 
need in it.<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">To guide the discussion, I think that the reasons we need v2 fall into two categories:<o:p></o:p></p><p class="MsoNormal" style="margin-left:45.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:middle"><!--[if !supportLists]--><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">      </span></span></span><!--[endif]--><span dir="LTR"></span>Things that have changed - new (or obsolete) deployment modes, techniques, attacks, or even something new altogether.<span style="font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p></o:p></span></p><p class="MsoNormal" style="margin-left:45.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:middle"><!--[if !supportLists]--><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">      </span></span></span><!--[endif]--><span dir="LTR"></span>Issues we discovered in WAFEC over the years. Some issues I encountered are identifying specific requirements and sorting out what’s important and what’s not.<span style="font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p></o:p></span></p><p class="MsoNormal" style="vertical-align:middle"><o:p> </o:p></p><p class="MsoNormal" style="vertical-align:middle">From this discussion I hope to derive a mission statement, a tasks list and therefore a schedule for the V2 project. All those will be the next phase. 
<o:p></o:p></p><p class="MsoNormal" style="vertical-align:middle"><o:p> </o:p></p><p class="MsoNormal" style="vertical-align:middle"><b>I would give this phase two weeks (until June 14<sup>th</sup>), however I am on vacation from the 9<sup>th</sup>, so would accept input but not join the discussion on the last few days.<o:p></o:p></b></p><p class="MsoNormal" style="vertical-align:middle"><b><o:p> </o:p></b></p><p class="MsoNormal" style="vertical-align:middle">I would also want to thank Thorsten and Mirko for leading the project until now. I do hope that I will get from you all more cooperation than they did! I would also want to extend a personal apology to Thorsten and Mirko as the leader switch was not well coordinated. Thorsten and I discussed this over the last week and he gracefully agreed to let me give a try to leading this project forward.<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">Thank you all!<o:p></o:p></p><p class="MsoNormal">~ Ofer<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">Ofer Shezaf<o:p></o:p></p><p class="MsoNormal"><span style="font-size:10.0pt">[+972-54-4431119; <a href="mailto:ofer@shezaf.com">ofer@shezaf.com</a>, <a href="http://www.shezaf.com">www.shezaf.com</a>]<o:p></o:p></span></p><p class="MsoNormal"><o:p> </o:p></p></div></div></div>_______________________________________________
wasc-wafec mailing list
<a href="mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappsec.org</a>
<a href="http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org">http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org</a>
</blockquote></span></body></html>