wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


SANS CSIS 20 Critical Security Controls

Christian Heinrich
Wed, Sep 19, 2012 8:30 AM

WAFs are measured in
http://www.sans.org/critical-security-controls/control.php?id=6,
specifically:

"...
Control 6 Sensors, Measurement, and Scoring
Sensor: Web Application Firewall (WAF)
Measurement: Verify that WAF is installed between applications and
users. Products such as F5 Application Security Manager, ModSecurity,
Art of Defence Hyperguard, and Trustwave WebDefend are recommended.
Score: Automated tool/process verifies: WAF is installed and
functioning: 50 points. WAF configuration covers OWASP top 10: 20
points. WAF configuration defends against top 25 programming errors:
30 points.

Sensor: Web application firewall
Measurement: Central logging tool shows evidence that logs are being
collected from WAF.
Score: Automated tool/process periodically verifies that WAF is
generating logs into the security event manager or similar: 100
points. Failure to identify log entries = 0.

..."

Aside from the significant overlap between the
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and
http://cwe.mitre.org/top25/ of their first measurement, I believe we
should reference "SANS CSIS 20 Critical Security Controls" in WAFEC?
It might also be possible to alter their measurement considering their
period to comment on the next release v4 is 15th October, 2012.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
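The two Control 6 measurements quoted in the post can be automated; the following is an added example (not code from the original post or from SANS/WAFEC) that scores a constructed SIEM export against the quoted rubric. The log line format, the WAF source names and the 30-minute verification window are assumptions.

```python
"""Added example: automated scoring of SANS Critical Control 6's two WAF
measurements as quoted on this list. Log format, sensor source names and
the verification window are assumptions, not part of the control text."""
from datetime import datetime, timedelta, timezone

# Constructed SIEM export, assumed format: "<ISO-8601 UTC timestamp> <source> <message>".
SIEM_LINES = """\
2012-09-19T08:00:01Z modsecurity ModSecurity: Warning. Pattern match [id "950901"]
2012-09-19T08:05:12Z sshd Accepted publickey for admin
2012-09-19T08:20:44Z modsecurity ModSecurity: Access denied with code 403
2012-09-19T08:25:00Z cron job finished
"""

# Assumed source names under which WAF events arrive at the SIEM.
WAF_SOURCES = {"modsecurity", "f5-asm"}


def waf_logging_score(lines, now, window=timedelta(minutes=30)):
    """Second measurement: 100 points if at least one WAF entry reached the
    SIEM inside the window ending at `now`, otherwise 0 ("failure to identify
    log entries = 0"). Malformed lines are skipped rather than counted."""
    for line in lines.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # not a "<timestamp> <source> <message>" record
        ts, source, _msg = parts
        try:
            seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # unparseable timestamp, ignore the record
        if source in WAF_SOURCES and now - window <= seen <= now:
            return 100
    return 0


def waf_deployment_score(installed, covers_owasp_top10, covers_cwe_top25):
    """First measurement: 50 points for a WAF that is installed and
    functioning, plus 20 for OWASP Top 10 coverage and 30 for CWE/SANS Top 25
    coverage. Configuration points are only awarded when the WAF is
    installed (an assumption; the control text does not say otherwise)."""
    if not installed:
        return 0
    return 50 + (20 if covers_owasp_top10 else 0) + (30 if covers_cwe_top25 else 0)


if __name__ == "__main__":
    check_time = datetime(2012, 9, 19, 8, 30, tzinfo=timezone.utc)
    print("logging:", waf_logging_score(SIEM_LINES, check_time))
    print("deployment:", waf_deployment_score(True, True, False))
```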
