wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List

Feedback on Introduction

Mark Kraynak
Thu, Feb 14, 2013 9:51 PM
  1. Typo here: "Different WAFs cam mitigate the same threats just as..." ("cam" should be "can")
  2. You list two referent sections below. Is there a built-in assumption that the environment suitability section (which I'm WAY behind on, I know) will be structured that way?

Suit the environment it is used in - a WAF is part of an organization's IT environment and has to be compatible with it to be effective. Chapter [ADD REFERENCE] discusses the WAF's suitability for its environment. There are two main areas in which compatibility needs to be evaluated:
Deployment (section [ADD REFERENCE]) - ensuring that the WAF suits the network and server environment it is installed in.
Protected applications (section [ADD REFERENCE]) - ensuring both that the protected applications continue to run and that they are well protected.

-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Ofer Shezaf
Sent: Thursday, February 14, 2013 1:13 AM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] WAFEC updates

Hi All,

A few updates:

*** 0. I still did not find a location for a WAFEC meeting alongside RSA. If someone can arrange for a meeting place for us, I would love to host a WAFEC workshop alongside RSA as I assume many of you will be there. ***

  1. Two drafts published this week for your review:
     - A second draft of the "What is a WAF" section from Achim.
     - A first, still rough, draft of the security section from Ryan and Amichai. While still early, I thought it's worth sharing.
     As usual you can find them here: http://projects.webappsec.org/w/page/60249779/WAFEC_2_Outline

  2. We had a WAFEC panel as part of the OWASP Israel meeting (https://www.owasp.org/index.php/OWASP_Israel_2013_02). I am sure it was very educational for the 100 or so people joining physically or online. Some takes I had which are of significance to WAFEC are:

  • The accuracy issue is a key element that bothers everyone, i.e. how do you really test if a WAF protects against what it claims to protect against. As a document WAFEC does not address that, and people asked for a tool to help (Amichai mentioned Imperva will release one as open source shortly).

  • WAFEC users, security people, are often ignorant of what the organization actually uses in applications (technologies, protocols). WAFEC can never list all of the possible technologies used and may inadvertently cause security practitioners to miss important requirements. WAFEC must explicitly call for the user to verify and extend the list of requirements, especially with regard to protected applications and technologies, by working with the Ops and Dev guys.

  • A question raised for which I found the panel answers lacking was best practices for using WAFs in dev-ops (i.e. continuous deployment) environments.

For those of you on the panel or in the audience, feel free to share your takes from the meeting.

~ Ofer

Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]


wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org