wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List

Re: [WASC-WAFEC] WAFEC 2 outline

Ofer Shezaf
Thu, Nov 1, 2012 7:26 PM

I am happy to announce we have a first volunteer to own a section. Mark
Kraynak volunteered to own section 4 (Deployment Options).

Thank you, Mark!

~ Ofer

From: Ofer Shezaf [mailto:ofer@shezaf.com]
Sent: Tuesday, October 23, 2012 12:09 PM
To: 'wasc-wafec@lists.webappsec.org'
Subject: WAFEC 2 outline

Hi All,

I found myself recently just writing and writing for WAFEC 2 progressing
well beyond the point at which I should share back to the team and enlist
others to help. Christian's and Ido's contribution reminded me of that. To
that end, I cut back a lot of what I wrote and am now ready with an outline
for your review here:
http://projects.webappsec.org/w/page/60249779/WAFEC_2_Outline

I hope the outline addresses most of the issues discussed in the
conversation so far:

- Non-core WAF items will be in an appendix; however, I did mention the
need to take them into consideration in the first chapter under "using
WAFEC".

- Security value is focused on addressing WASC-TC threats.
Protection techniques, which form the bulk of the WAFEC 1 security part, are
included as well but are secondary to addressing threats.

- A chapter is devoted to "what is a WAF", which should be
educational rather than used for evaluation, but does provide the background,
including use cases.

- Testing methodology, weighting, the evaluation Excel sheet and alternative
solutions are all demoted to appendixes, partially because I think they
belong there and partially to avoid delays in reaching perfection on those
complex issues.

You can read more in the "philosophy" section on the page or inside the
attached outline document.

This is also a call for action:

- Please review and comment on the outline. The deadline for this is Nov
15th.

- Please, in parallel, select the chapter you want to work on from
the list on the page. Note that only if you own and write a section will you
be listed as a contributor. Others will be listed as reviewers.

Thanks, and looking forward to the hard work!

~ Ofer

Ofer Shezaf

[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]
