wasc-wafec@lists.webappsec.org
WASC Web Application Firewall Evaluation Criteria Project Mailing List
View all threadsVote on making WAFEC a WASC/OWASP project
Ofer,
On Wed, Nov 14, 2012 at 9:30 AM, Ofer Shezaf ofer@shezaf.com wrote:
I know who is WAFEC target audience, however I wonder what would a paid
workshop on WAFEC include.
I suspect it would be similar to being listed at
https://www.owasp.org/index.php/OWASP_Related_Commercial_Services i.e.
WASC would accredit NSS, ICSA, etc once they have attended the
workshop.
Another idea I just thought of would be to evaluate (as an example)
https://www.ironbee.com/ against WAFEC with the intended audience
being those who have no experience with (as an example)
https://www.ironbee.com/ hence they learn about both WAFEC and (as an
example) https://www.ironbee.com/ in the workshop.
--
Regards,
Christian Heinrich
Christian,
I figured it out finally! The English accent you have is not Australian, it
is URLese! :-)
To the point:
-
I think that your idea about creating a workshop based on a test case of
evaluating an open source WAF based on WAFEC is a good one. I would choose
ModSecurity as it would be of interest to more people. As mentioned by
Jeremiah and Bob, this is not an activity WASC would do, rather it can be an
individual initiative. The closest we can get is creating the training
materials. If there is a volunteer to do so, I am willing to do include
creating such training material it in the project scope. -
As to certifying test labs to do WAFEC evaluation: I think we should
socialize WAFEC with them to use it as a reference is their work. Actual
certification is complex, prone to create problems (legal comes to mind) and
would probably not be endorsed by ICSA and NSS unless we make WAFEC
ubiquitous. OWASP did not progress in this respect in any project as far as
I know even though the issue is raised from time to time. To sum up: this is
not something we ready for.
~ Ofer
-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Wednesday, November 14, 2012 4:02 AM
To: Ofer Shezaf
Cc: Achim Hoffmann; wasc-wafec@lists.webappsec.org
Subject: Re: WASC/OWASP Web,Application Firewall Evaluation Criteria at
AppSec EU2013
Ofer,
On Wed, Nov 14, 2012 at 9:30 AM, Ofer Shezaf ofer@shezaf.com wrote:
I know who is WAFEC target audience, however I wonder what would a
paid workshop on WAFEC include.
I suspect it would be similar to being listed at
https://www.owasp.org/index.php/OWASP_Related_Commercial_Services i.e.
WASC would accredit NSS, ICSA, etc once they have attended the workshop.
Another idea I just thought of would be to evaluate (as an example)
https://www.ironbee.com/ against WAFEC with the intended audience being
those who have no experience with (as an example) https://www.ironbee.com/
hence they learn about both WAFEC and (as an
example) https://www.ironbee.com/ in the workshop.
--
Regards,
Christian Heinrich
Hi all,
when I was informing about the possibility of "taining or workshop" my intent was,
as Christian described, to bring together authors, contributors and friends.
I had not in mind to make a traditional (OWASP) training which the audience has
to pay for.
However, I'm open to manage that too, but that should cover more than one product
to attract people.
A talk about the WAFEC work and result should then be done too.
Does this clarify things?
Achim
Am 13.11.2012 23:20, schrieb Christian Heinrich:
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
preforming independent verification of WAFEC against WAF Vendor claim
on behalf of an end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
specific end user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I really hope we would have a result to show, workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has a clear ideas as to what that be, we can either launch that as a WAFEC initiative or leave it to anyone who think it is a good business to do.
...
On Tue, Nov 13, 2012 at 11:45 PM, Achim Hoffmann websec10@sic-sec.org wrote:
Hi,
as we (OWASP Germany) are currently planing for AppSec EU2013, I can reserve
a slot for a talk/presentation and also for a one or half day training or workshop.
Certainly. I think that this is what I understood as well. As a suggestion, maybe in order to provide context for such a workshop it can be set up as a panel (vendors or othes).
~ Ofer
-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Wednesday, November 14, 2012 6:46 PM
To: wasc-wafec@lists.webappsec.org
Cc: Christian Heinrich; Ofer Shezaf
Subject: Re: WASC/OWASP Web,Application Firewall Evaluation Criteria at AppSec EU2013
Hi all,
when I was informing about the possibility of "taining or workshop" my intent was, as Christian described, to bring together authors, contributors and friends.
I had not in mind to make a traditional (OWASP) training which the audience has to pay for.
However, I'm open to manage that too, but that should cover more than one product to attract people.
A talk about the WAFEC work and result should then be done too.
Does this clarify things?
Achim
Am 13.11.2012 23:20, schrieb Christian Heinrich:
Ofer,
I believe the intended audience of a workshop would be:
- WAF Vendor(s) preparing documentation to support WAFEC.
2a. https://www.nsslabs.com/, https://www.icsalabs.com/, etc
preforming independent verification of WAFEC against WAF Vendor claim
on behalf of an end user.
2b. http://www.dsd.gov.au/infosec/aisep/providers.htm with the
specific end user being Government. - End User evaluating WAF solutions based on a combination of the above.
On Wed, Nov 14, 2012 at 9:09 AM, Ofer Shezaf ofer@shezaf.com wrote:
I think that a presentation is a no brainer. As to workshop, since I really hope we would have a result to show, workshop for discussion would not be very useful. A training workshop would require an agenda and a commitment of a trainer to prepare a quality course that people will pay for. I personally am not sure what would be the content of such a training session. If anyone has a clear ideas as to what that be, we can either launch that as a WAFEC initiative or leave it to anyone who think it is a good business to do.
...
On Tue, Nov 13, 2012 at 11:45 PM, Achim Hoffmann websec10@sic-sec.org wrote:
Hi,
as we (OWASP Germany) are currently planing for AppSec EU2013, I can
reserve a slot for a talk/presentation and also for a one or half day training or workshop.
Dear WAFEC readers and contributors
I'm Erwin Huber - Head of R&D Web Application Security at Ergon Informatik AG.
Ergon is the vendor of the web application firewall Airlock. WAFs have been the
core of my professional life for the last 10 years.
My post comes in the last minute - since I didn't realize, that wafec 2 was
growing. Sorry for that.
I appreciate the new approach for the document a lot. To focus on benefits
rather than internas is a userfriendly approach.
In chapter 2.2 I suggest the following new Use Cases:
2.2.5 Authorization and Authentication
2.2.6 Architecture Masking
2.2.7 Data Leakage Prevention
Authorization and authentication is a relevant part of the "swiss-style" WAFs.
This is not only Airlock but also Nevis Proxy from Adnovum and Secure Entry
Server from United Security Providers. Its a good filtering technique to check
the users first if you know that only well known users are allowed on a system.
Airport security does the same thing.
Architecture masking is a benefit that reverse proxy are bringing. There is
no information about what logic is implemented on which back-end system.
Today's WAFs (including Airlock) are not good in Data Leakage Prevention. But I
think an organisation has an interest in defining types of data which must not
leave the perimeter (e.g. unmasked credit card numbers).
Web applications are not the only path infromation can leave a system - so I'm
not sure but it's at least worth discussing the issue.
2.3 Minimum Requirement
I don't think this is very useful. The minimum highly depends on the needs and
the use case. As a common minium I see "do something more than a traditional
firewll on http/https checks". I just don't see the point.
3.3.1 Positive Security
What is the meaning of "URL rewrite and REST interface support"?
I propose as additional content in the paragraph "generic positive security" -
this might include automated general protection techniques such as cookie
protection, form parameter signatures, url encyrption/signing (workflow
binding, anti forceful browsing, anti csrf), declarative whitelisting (the
back-end application defines characteristics of parameters - such as pattern
in web forms 2.0).
3.3.5 Session Tracking
I propose the additional content "client fingerprinting".
I propose the additional paragraphs:
3.3.6 Content Modification
for DLP, hiding of error pages, ...
3.3.7 Upstream Authentication
4.3.2 Authentication Support
I'm astonished about the mention of NTLM. For me its a bug not a feature to
allow NTLM authentication on a public accessible server. NTLM relaying is a
known real problem for more than 10 years. Even MS says "do not use NTLM".
Zack Fasel presented his "ZackAttack" Tool on BlackHat 2012:
https://github.com/zfasel/ZackAttack
A good WAF must have the ability to prevent NTLM authentication - not allow
it.
I propose the additional paragraphs:
4.3.3 Application Monitoring and Load Balancing
Monitor the health state of a back-end server and take measurements
(display not-available page, switch to another server instance, ...)
Defining more than one back-end host providing the same content allows an
SSL endpoint (such as reverse proxy) session-aware load balancing. All requests
for the same user session are reliable on the same back-end system.
5.1 Managment
Why is there no mention for "web interface"?
6.1 Non-technical Criteria
(just a typo in the title)
I'd be more than happy to provide content for the additional sections I propose
above.
Any thougths / comments on my propositions?
best regards
erwin
Hi Erwin,
The document I shared is only an outline. I included some text to make the sections intention more clear but there are in no way comprehensive. The people volunteering to write the different sections will fill them in and I am sure would take into consideration your input.
To that end: do you want to take one of the remaining chapters to write? Should I list you on the contributors page (http://projects.webappsec.org/w/page/54150727/WAFEC%202)
I do have a few of your remarks outside of the context of a specific chapter:
-
We regard to your additions to the use cases chapter: we had a discussion about what to include in the definition and use cases for a WAF . This is not an easy subject and also prone to vendor bias (for each vendor the functionality they provide is a WAF). The decision was to be restrictive to application protection as described in chapter 3 (which itself is still not written). As other features can be very beneficial to the customer as well, even for security, we decided to include all those in an appendix (6.1, "Integrated functionality"). In this framework, each of the additional features you suggest (Authorization and Authentication, DLP, Architecture masking, load balancing and application monitoring are those I notices) should find their place in either section 3.3 if they offer a protection technique or in section 6.1 if they are complementary and of value but do not cover a threat.
-
Minimum requirements is indeed a challenging section, however I think it is important. Otherwise you will find that any IPS or network firewall can be labeled as a WAF (or an Espresso Machine :-))
-
Section 4.3 address compatibility with web applications rather than addition features for application delivery.
~ Ofer
-----Original Message-----
From: Erwin Huber [mailto:erwin.huber@ergon.ch]
Sent: Thursday, November 15, 2012 11:58 AM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: WAFEC 2 outline
Dear WAFEC readers and contributors
I'm Erwin Huber - Head of R&D Web Application Security at Ergon Informatik AG.
Ergon is the vendor of the web application firewall Airlock. WAFs have been the core of my professional life for the last 10 years.
My post comes in the last minute - since I didn't realize, that wafec 2 was growing. Sorry for that.
I appreciate the new approach for the document a lot. To focus on benefits rather than internas is a userfriendly approach.
In chapter 2.2 I suggest the following new Use Cases:
2.2.5 Authorization and Authentication
2.2.6 Architecture Masking
2.2.7 Data Leakage Prevention
Authorization and authentication is a relevant part of the "swiss-style" WAFs.
This is not only Airlock but also Nevis Proxy from Adnovum and Secure Entry Server from United Security Providers. Its a good filtering technique to check the users first if you know that only well known users are allowed on a system.
Airport security does the same thing.
Architecture masking is a benefit that reverse proxy are bringing. There is no information about what logic is implemented on which back-end system.
Today's WAFs (including Airlock) are not good in Data Leakage Prevention. But I think an organisation has an interest in defining types of data which must not leave the perimeter (e.g. unmasked credit card numbers).
Web applications are not the only path infromation can leave a system - so I'm not sure but it's at least worth discussing the issue.
2.3 Minimum Requirement
I don't think this is very useful. The minimum highly depends on the needs and the use case. As a common minium I see "do something more than a traditional firewll on http/https checks". I just don't see the point.
3.3.1 Positive Security
What is the meaning of "URL rewrite and REST interface support"?
I propose as additional content in the paragraph "generic positive security" -
this might include automated general protection techniques such as cookie
protection, form parameter signatures, url encyrption/signing (workflow
binding, anti forceful browsing, anti csrf), declarative whitelisting (the
back-end application defines characteristics of parameters - such as pattern
in web forms 2.0).
3.3.5 Session Tracking
I propose the additional content "client fingerprinting".
I propose the additional paragraphs:
3.3.6 Content Modification
for DLP, hiding of error pages, ...
3.3.7 Upstream Authentication
4.3.2 Authentication Support
I'm astonished about the mention of NTLM. For me its a bug not a feature to
allow NTLM authentication on a public accessible server. NTLM relaying is a
known real problem for more than 10 years. Even MS says "do not use NTLM".
Zack Fasel presented his "ZackAttack" Tool on BlackHat 2012:
https://github.com/zfasel/ZackAttack
A good WAF must have the ability to prevent NTLM authentication - not allow
it.
I propose the additional paragraphs:
4.3.3 Application Monitoring and Load Balancing
Monitor the health state of a back-end server and take measurements
(display not-available page, switch to another server instance, ...)
Defining more than one back-end host providing the same content allows an
SSL endpoint (such as reverse proxy) session-aware load balancing. All requests
for the same user session are reliable on the same back-end system.
5.1 Managment
Why is there no mention for "web interface"?
6.1 Non-technical Criteria
(just a typo in the title)
I'd be more than happy to provide content for the additional sections I propose
above.
Any thougths / comments on my propositions?
best regards
erwin
Hi Ofer
Thank you for your explanations.
I understand the neutrality vs. vendor conflict - I think there is no "real" objective view. Anyone has its own use cases and own solutions in mind - whether he is a vendor, a user of some concrete implementations or a consultant which likes some concepts and dislikes others.
When I have a look at the use cases ("Logging and Troubleshooting", "Attack Detection", "Attack Mitigation" and "Virtual Patching") then I think: why is "Virtual Patching" a use case for its own? Isn't it a specialized attack mitigation? The difference in virtual patching is, that you know exactly what vulnerability the application has. In general mitigation you don't have to know that. In my eyes Authentication is a real "other" security use case not just a specialized use case. I won't insist on that - just my thoughts.
I see the argumentation of "minimum requirements" - yes an Espresso Machine must not be mistaken as a WAF ;-) Good argumentation. I think the differenciation should go into the "2.1 Definition". I understand a "definition" as more specific than minimal requirements. What would be written in one paragraph what doesn't fit in the other? There is a risk of writing twice the same in different words.
OK, security features are placed i n3.3 - other features in 6.1. The outline draft mentions "6.1 Non-Technical Criteria". The non-technical criteria are important - I would not skip that. So there is another 6.1 chapter? Since features are a technical criteria.
I volunteer to write the appendix "Additional Features", "Alternative and Complementary Solutions", "Non-technical criteria". In the moment I can't estimate "Testing Framework" and "Suggested Weighting Schemes". Maybe it's also possible for me to do - can you explain the ideas?
erwin
----- Original Message -----
From: "Ofer Shezaf" ofer@shezaf.com
To: "Erwin Huber" erwin.huber@ergon.ch
Cc: wasc-wafec@lists.webappsec.org
Sent: Thursday, November 15, 2012 9:21:38 PM
Subject: RE: WAFEC 2 outline
Hi Erwin,
The document I shared is only an outline. I included some text to make the sections intention more clear but there are in no way comprehensive. The people volunteering to write the different sections will fill them in and I am sure would take into consideration your input.
To that end: do you want to take one of the remaining chapters to write? Should I list you on the contributors page (http://projects.webappsec.org/w/page/54150727/WAFEC%202)
I do have a few of your remarks outside of the context of a specific chapter:
-
We regard to your additions to the use cases chapter: we had a discussion about what to include in the definition and use cases for a WAF . This is not an easy subject and also prone to vendor bias (for each vendor the functionality they provide is a WAF). The decision was to be restrictive to application protection as described in chapter 3 (which itself is still not written). As other features can be very beneficial to the customer as well, even for security, we decided to include all those in an appendix (6.1, "Integrated functionality"). In this framework, each of the additional features you suggest (Authorization and Authentication, DLP, Architecture masking, load balancing and application monitoring are those I notices) should find their place in either section 3.3 if they offer a protection technique or in section 6.1 if they are complementary and of value but do not cover a threat.
-
Minimum requirements is indeed a challenging section, however I think it is important. Otherwise you will find that any IPS or network firewall can be labeled as a WAF (or an Espresso Machine :-))
-
Section 4.3 address compatibility with web applications rather than addition features for application delivery.
~ Ofer
-----Original Message-----
From: Erwin Huber [mailto:erwin.huber@ergon.ch]
Sent: Thursday, November 15, 2012 11:58 AM
To: Ofer Shezaf
Cc: wasc-wafec@lists.webappsec.org
Subject: WAFEC 2 outline
Dear WAFEC readers and contributors
I'm Erwin Huber - Head of R&D Web Application Security at Ergon Informatik AG.
Ergon is the vendor of the web application firewall Airlock. WAFs have been the core of my professional life for the last 10 years.
My post comes in the last minute - since I didn't realize, that wafec 2 was growing. Sorry for that.
I appreciate the new approach for the document a lot. To focus on benefits rather than internas is a userfriendly approach.
In chapter 2.2 I suggest the following new Use Cases:
2.2.5 Authorization and Authentication
2.2.6 Architecture Masking
2.2.7 Data Leakage Prevention
Authorization and authentication is a relevant part of the "swiss-style" WAFs.
This is not only Airlock but also Nevis Proxy from Adnovum and Secure Entry Server from United Security Providers. Its a good filtering technique to check the users first if you know that only well known users are allowed on a system.
Airport security does the same thing.
Architecture masking is a benefit that reverse proxy are bringing. There is no information about what logic is implemented on which back-end system.
Today's WAFs (including Airlock) are not good in Data Leakage Prevention. But I think an organisation has an interest in defining types of data which must not leave the perimeter (e.g. unmasked credit card numbers).
Web applications are not the only path infromation can leave a system - so I'm not sure but it's at least worth discussing the issue.
2.3 Minimum Requirement
I don't think this is very useful. The minimum highly depends on the needs and the use case. As a common minium I see "do something more than a traditional firewll on http/https checks". I just don't see the point.
3.3.1 Positive Security
What is the meaning of "URL rewrite and REST interface support"?
I propose as additional content in the paragraph "generic positive security" -
this might include automated general protection techniques such as cookie
protection, form parameter signatures, url encyrption/signing (workflow
binding, anti forceful browsing, anti csrf), declarative whitelisting (the
back-end application defines characteristics of parameters - such as pattern
in web forms 2.0).
3.3.5 Session Tracking
I propose the additional content "client fingerprinting".
I propose the additional paragraphs:
3.3.6 Content Modification
for DLP, hiding of error pages, ...
3.3.7 Upstream Authentication
4.3.2 Authentication Support
I'm astonished about the mention of NTLM. For me its a bug not a feature to
allow NTLM authentication on a public accessible server. NTLM relaying is a
known real problem for more than 10 years. Even MS says "do not use NTLM".
Zack Fasel presented his "ZackAttack" Tool on BlackHat 2012:
https://github.com/zfasel/ZackAttack
A good WAF must have the ability to prevent NTLM authentication - not allow
it.
I propose the additional paragraphs:
4.3.3 Application Monitoring and Load Balancing
Monitor the health state of a back-end server and take measurements
(display not-available page, switch to another server instance, ...)
Defining more than one back-end host providing the same content allows an
SSL endpoint (such as reverse proxy) session-aware load balancing. All requests
for the same user session are reliable on the same back-end system.
5.1 Managment
Why is there no mention for "web interface"?
6.1 Non-technical Criteria
(just a typo in the title)
I'd be more than happy to provide content for the additional sections I propose
above.
Any thougths / comments on my propositions?
best regards
erwin
Ofer,
On Wed, Nov 14, 2012 at 8:31 PM, Ofer Shezaf ofer@shezaf.com wrote:
To the point:
- I think that your idea about creating a workshop based on a test case of
evaluating an open source WAF based on WAFEC is a good one. I would choose
ModSecurity as it would be of interest to more people. As mentioned by
Jeremiah and Bob, this is not an activity WASC would do, rather it can be an
individual initiative. The closest we can get is creating the training
materials. If there is a volunteer to do so, I am willing to do include
creating such training material it in the project scope.
I believe selecting ModSecurity as the sole example is too much of a
risk to WAFEC based on the continued corrupt conduct of Tom Brennan
(Trustwave and OWASP Board) as demonstrated within
http://lists.owasp.org/pipermail/global-projects-committee/2011-September/002349.html,
etc
That stated and based on your long association with ModSecurity with
Breach i.e. https://www.trustwave.com/pressReleases.php?n=062210
there would be some value. Therefore, I believe we should open this
to other Open Source WAF examples, such as https://www.ironbee.com/,
etc to make it fair to other open source vendors.
On Wed, Nov 14, 2012 at 8:31 PM, Ofer Shezaf ofer@shezaf.com wrote:
- As to certifying test labs to do WAFEC evaluation: I think we should
socialize WAFEC with them to use it as a reference is their work. Actual
certification is complex, prone to create problems (legal comes to mind) and
would probably not be endorsed by ICSA and NSS unless we make WAFEC
ubiquitous. OWASP did not progress in this respect in any project as far as
I know even though the issue is raised from time to time. To sum up: this is
not something we ready for.
I agree with the above. Ironically, the creator of their (OWASP)
Commercial Registry was also involved with Common Criteria and he left
the project and OWASP due to continued conflict with Dinis Cruz, who
continues to make hypocritical statements about OWASP to this day.
I would prefer that our roadmap included socialising with ICSA, NSS,
etc for this upcoming release (v2) and the next release (v3) it is an
endorsed standard. Obviously ICSA, NSS, etc could advise on what is
required and possibly sponsor WAFEC's delivery on this second point.
--
Regards,
Christian Heinrich
Achim,
It is interesting to note that OWASP blew $246,636.04 of vendor (i.e.
what OWASP accuse WASC of being) donations on their last (2nd) Summit
i.e. https://lists.owasp.org/pipermail/committees-chairs/2011-July/000322.html
without any promised tangible result or outcome i.e.
http://lists.owasp.org/pipermail/owasp-summit-2011/2010-August/000025.html,
http://appsandsecurity.blogspot.com.au/2011/02/another-owasp-paperware-project-anyone.html,
etc but at least the wife gets a holiday for free
https://www.owasp.org/index.php/Summit_2011/External_Contractors#Sarah_Cruz
I am not against having a summit (at OWASP or somewhere else) provided
we avoid the poor and deliberate mistakes that OWASP has made time and
time again.
Let's wait until we get the draft together and then raise the
possibility of meeting in person. If this is well before July, and it
should be, then let's aim for
https://www.owasp.org/index.php/AppSecEU2013 to discuss the final
version of WAFEC v2?
On Thu, Nov 15, 2012 at 3:45 AM, Achim Hoffmann websec10@sic-sec.org wrote:
Hi all,
when I was informing about the possibility of "taining or workshop" my intent was,
as Christian described, to bring together authors, contributors and friends.
I had not in mind to make a traditional (OWASP) training which the audience has
to pay for.
However, I'm open to manage that too, but that should cover more than one product
to attract people.
A talk about the WAFEC work and result should then be done too.
Does this clarify things?
--
Regards,
Christian Heinrich
Robert,
On Wed, Nov 14, 2012 at 9:34 AM, Robert A. robert@webappsec.org wrote:
I'm not trying to discourage such communication, just that we don't find
ourselves doing this on behalf of WASC (without an officer vote since this
would be setting a precident).
I would agree that it needs to go to a (WASC Office Bearer) vote but
would like this considered on the context that it is socialised with
NSS, ISCA, etc first so that all the facts and information are known
during the development of WAFEC v3.
--
Regards,
Christian Heinrich