Empathy List Archives

wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List

View all threads

Re: [WASC-WAFEC] What should we change in WAFEC 2.0?

matthieu.estrade

Wed, Jun 6, 2012 4:21 PM

Hi, my comments in the text.

REMOVE NON WAF RELATED CRITERIA for example around application
delivery.
· While integrating a WAF with other solutions is compelling to the
client, it is not directly about WAFs and is also unbounded. This
does
present the challenge deciding what is relevant to a WAF in border
cases such as an SSO functionality

There is only a few WAF only product so it's difficult to exclude it
from others features.
Then depending on analyst description, the WAF product is not very
clear.

It's mostly about filtering, but what about availability ?
It can do strong authentication, and authorization, but is not doing
SSO.
There is also all XML / SOAP attacks, it's badly handled by XML gateway
today, and many WAF are doing this.

UPDATE THE LIST OF THREATS COVERED

I agree here, there is many things to add about JSON and XML parsing
and analysis, SOAP, Ajax issues etc.

FOCUS ON CUSTOMER USE CASES RATHER THAN HOW A WAF OPERATES

· I think there was some hidden controversy here as I read opinions
to focus on "technical" which I take to be opposite. I personally
very
much agree with this comment.

NOT JUST A LAUNDRY LIST -

· Classify the importance of requirements. I believe that a minimal
approach specifying several levels, for example: "mandatory",
"important", "nice to have" and "site specific".

· Another complementing idea is to classify requirements as
"security"/"functionality"/"performance" etc. letting the user
determine if he prefers security over functionality etc.

· This would also provide the minimum requirements for a solution to
be a WAF - the "mandatory" requirements.

· Regarding site specific requirements, it should be easy to the
user to determine his own requirements, for example using a decision
tree.

THE "ETHICAL" QUESTIONS:

· How to address alternative solutions such as fixing the code?

OUTREACH - beyond the document

· Approaching NSS, ICSA and the likes to use WAFEC

· Release process, PR etc.

· Managing a list of public references to WAFEC

· Promote actual evaluations data sharing - No more spreadsheets.

Depending companies who evaluate WAF, it's not easy to share this kind
of informations.
But i agree that it could be better to share more here.

Specific notes on V1, I have collected for further work.

A major question raised with opinions on both sides was a re-write
vs. an update. I do think that understanding the requirements should
direct that. Some issues raised which directly relate to that are:

WAFEC v1 is used by companies to evaluate vendors, we (vendor) receive
the document and answer in a xls document, as asked.
imho, the current format with section is good and useful.

Is the order of sections correct?
Incorporating the German OWASP chapter work on the same subject:

http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
[1]

I see this project as more on operation side than the WAFEC which is
more when people are thinking to a WAF.
Just linking to this project inside WAFEC is a good point imho.

~ Ofer

FROM: Ofer Shezaf [mailto:ofer@shezaf.com]
SENT: Thursday, May 31, 2012 1:45 PM
TO: wasc-wafec@lists.webappsec.org
SUBJECT: WAFEC 2.0 phase 1: exploratory discussion (deadline: June
14th)

Thanks to all who volunteered to contribute to this project going
forward (and those who didn't - you still can!)

I would like to boot up the project with a short exploratory phase
identifying why we need a new release and therefore what we need in
it.

To guide the discussion, I think that the reasons we need v2 fall
into two categories:

Things that have changed - new (or obsolete) deployment modes,
techniques, attacks, or even something new altogether.
Issues we discovered in WAFEC over the years. Some issues I
encountered are identifying specific requirements and sorting out
what's important and what's not.

From this discussion I hope to derive a mission statement, a tasks
list and therefore a schedule for the V2 project. All those will be
the next phase.

I WOULD GIVE THIS PHASE TWO WEEKS (UNTIL JUNE 14TH), HOWEVER I AM ON
VACATION FROM THE 9TH, SO WOULD ACCEPT INPUT BUT NOT JOIN THE
DISCUSSION ON THE LAST FEW DAYS.

I would also want to thank Thorsten and Mirko for leading the project
until now. I do hope that I will get from you all more cooperation
than they did! I would also want to extend a personal apology to
Thorsten and Mirko as the leader switch was not well coordinated.
Thorsten and I discussed this over the last week and he gracefully
agreed to let me give a try to leading this project forward.

Thank you all!

~ Ofer

Ofer Shezaf

[+972-54-4431119; ofer@shezaf.com [2], www.shezaf.com [3]]

Links:

[1]
http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
[2] mailto:ofer@shezaf.com
[3] http://www.shezaf.com

Hi, my comments in the text. > 1. REMOVE NON WAF RELATED CRITERIA for example around application > delivery. > · While integrating a WAF with other solutions is compelling to the > client, it is not directly about WAFs and is also unbounded. This > does > present the challenge deciding what is relevant to a WAF in border > cases such as an SSO functionality There is only a few WAF only product so it's difficult to exclude it from others features. Then depending on analyst description, the WAF product is not very clear. It's mostly about filtering, but what about availability ? It can do strong authentication, and authorization, but is not doing SSO. There is also all XML / SOAP attacks, it's badly handled by XML gateway today, and many WAF are doing this. > > 2. UPDATE THE LIST OF THREATS COVERED I agree here, there is many things to add about JSON and XML parsing and analysis, SOAP, Ajax issues etc. > > 3. FOCUS ON CUSTOMER USE CASES RATHER THAN HOW A WAF OPERATES > > · I think there was some hidden controversy here as I read opinions > to focus on "technical" which I take to be opposite. I personally > very > much agree with this comment. > > 4. NOT JUST A LAUNDRY LIST - > > · Classify the importance of requirements. I believe that a minimal > approach specifying several levels, for example: "mandatory", > "important", "nice to have" and "site specific". > > · Another complementing idea is to classify requirements as > "security"/"functionality"/"performance" etc. letting the user > determine if he prefers security over functionality etc. > > · This would also provide the minimum requirements for a solution to > be a WAF - the "mandatory" requirements. > > · Regarding site specific requirements, it should be easy to the > user to determine his own requirements, for example using a decision > tree. > > 5. THE "ETHICAL" QUESTIONS: > > · How to address alternative solutions such as fixing the code? > > 6. OUTREACH - beyond the document > > · Approaching NSS, ICSA and the likes to use WAFEC > > · Release process, PR etc. > > · Managing a list of public references to WAFEC > > · Promote actual evaluations data sharing - No more spreadsheets. > Depending companies who evaluate WAF, it's not easy to share this kind of informations. But i agree that it could be better to share more here. > 7. Specific notes on V1, I have collected for further work. > > A major question raised with opinions on both sides was a re-write > vs. an update. I do think that understanding the requirements should > direct that. Some issues raised which directly relate to that are: WAFEC v1 is used by companies to evaluate vendors, we (vendor) receive the document and answer in a xls document, as asked. imho, the current format with section is good and useful. > > 1. Is the order of sections correct? > > 2. Incorporating the German OWASP chapter work on the same subject: > > http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls > [1] I see this project as more on operation side than the WAFEC which is more when people are thinking to a WAF. Just linking to this project inside WAFEC is a good point imho. > > ~ Ofer > > FROM: Ofer Shezaf [mailto:ofer@shezaf.com] > SENT: Thursday, May 31, 2012 1:45 PM > TO: wasc-wafec@lists.webappsec.org > SUBJECT: WAFEC 2.0 phase 1: exploratory discussion (deadline: June > 14th) > > Thanks to all who volunteered to contribute to this project going > forward (and those who didn't - you still can!) > > I would like to boot up the project with a short exploratory phase > identifying why we need a new release and therefore what we need in > it. > > To guide the discussion, I think that the reasons we need v2 fall > into two categories: > > 1. Things that have changed - new (or obsolete) deployment modes, > techniques, attacks, or even something new altogether. > > 2. Issues we discovered in WAFEC over the years. Some issues I > encountered are identifying specific requirements and sorting out > what's important and what's not. > > From this discussion I hope to derive a mission statement, a tasks > list and therefore a schedule for the V2 project. All those will be > the next phase. > > I WOULD GIVE THIS PHASE TWO WEEKS (UNTIL JUNE 14TH), HOWEVER I AM ON > VACATION FROM THE 9TH, SO WOULD ACCEPT INPUT BUT NOT JOIN THE > DISCUSSION ON THE LAST FEW DAYS. > > I would also want to thank Thorsten and Mirko for leading the project > until now. I do hope that I will get from you all more cooperation > than they did! I would also want to extend a personal apology to > Thorsten and Mirko as the leader switch was not well coordinated. > Thorsten and I discussed this over the last week and he gracefully > agreed to let me give a try to leading this project forward. > > Thank you all! > > ~ Ofer > > Ofer Shezaf > > [+972-54-4431119; ofer@shezaf.com [2], www.shezaf.com [3]] > > > > Links: > ------ > [1] > http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls > [2] mailto:ofer@shezaf.com > [3] http://www.shezaf.com