WASC Web Application Firewall Evaluation Criteria Project Mailing List
I think starting from a wholesale rewrite is a questionable approach. IMO some of the vs stuff is still valid. And not in need of a complete rebuild.
Can we instead identify sections in Vs that are in need of update vs those that are close. And then also make a list of sections to add that weren't adequately addressed in V1.
Connected by DROID on Verizon Wireless
-----Original message-----
From: Matthieu Estrade mestrade@apache.org
To: "robert@webappsec.org" robert@webappsec.org
Cc: "wasc-wafec@lists.webappsec.org" wasc-wafec@lists.webappsec.org
Sent: Thu, Feb 10, 2011 14:46:11 GMT+00:00
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1
On 9 Feb 2011, at 23:58, robert@webappsec.org wrote:
I am not so sure we should start by reviewing WAFECv1. We should let it rest for a little while longer. It's much better to discuss the common WAF use cases, and from that deduce how to formulate criteria that would help users determine if the products they are evaluating are suitable for the use cases they wish to pursue.
I agree. After building out these use cases then see what is and isn't in v1 and create
the new sections/update the old ones.
+1
imho, WAFEC v1 is good, but for old-style use cases; this document was done a few years ago, when WAFs were used to secure 1-5 web applications.
Today there are bigger infrastructures, new constraints, new needs, like virtualization, cloud, mass deployment etc. We need to cover these new needs.
Matthieu
Regards,
For the record, my impression of WAFECv1 is that it's great for the guys
like me, who are interested in how WAFs operate, but not as useful for
end-users, who just want to take care of a problem they have.
In addition, I have some questions:
On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <Thorsten.Wujek@stein-edv.de> wrote:
Hi,
Thanks to everybody for showing so much interest in evolving WAFEC v2.
Today I would like to present the first, initial step of our project. After that I or my brother will be able to provide a detailed schedule and goal definition as well as how the communication will be organized.
1.) I would like to name those, who have confirmed their participation explicitly on the WASC / WAFEC Website. If you do not want that, please let me know, otherwise I take silence as an "OK".
2.) As stated in the first mail, there should be a review of WAFEC v1, and it would be great if you could start with your or your customers' experiences regarding the use of WAFEC v1.
Let me be the one starting the discussion in short words:
i.) There are a lot of criteria regarding content switching, which is irritating if you speak about WAF
ii.) With the new DoS aspects of HTML 5 we should sharpen WAFEC criteria regarding that issue
iii.) WAFEC should give customers or consultants the ability to judge positive or negative techniques as well as training; at the moment it is just showing capabilities
iv.) The actual version is not helpful if you want to evaluate
management or administrative capabilities
These are my 5 cents
3.) Last but not least there should be an overall confirmation if the
suggested topics should be discussed in this project completely and how
these points should be prioritized.
Awaiting your comments.
Thorsten
Kind regards
STEIN-IT GmbH
Thorsten Wujek
technical managing director
technical CEO
MCT,MCA,MASE,CITA-P**
Neckarstraße 4, 45768 Marl
Phone +49 23 65 . 92 44 - 31
Fax +49 23 65 . 92 44 - 44
www.stein-edv.de
www.sony-repair.de
Thorsten.Wujek@stein-edv.de
VAT ID: DE 814703466
Tax No.: 359 5786 0059
Gelsenkirchen District Court, HRB 8639
Registered office and place of jurisdiction: Marl
Managing directors:
Joachim Matzek, Thorsten Wujek
wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
--
Ivan Ristić
I think this is the point I would like to achieve with the discussion.
From my point of view what we are doing right now is reviewing v1, maybe in an abstract way, but we do. What I have extracted from your mail is that V1 is not covering today's use cases and that there are areas within v1 which are not specific enough.
But is there anything good in v1? Otherwise the essence would be "forget it and start from scratch", which in my opinion will partly be like "reinventing the wheel".
So guys keep going and please do not forget point 3.)
I will collect your opinions and provide them in a structured form.
@Ivan: there will be more DDOS attacks in the future because of HTML 5 WebWorker for more info see: http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html
~Thorsten
From: wasc-wafec-bounces@lists.webappsec.org [mailto:wasc-wafec-bounces@lists.webappsec.org] On behalf of Mark Kraynak
Sent: Thursday, 10 February 2011 15:54
To: Matthieu Estrade; robert@webappsec.org
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1