wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List

WAFEC Update and CFV

Tony Turner
Wed, Jul 29, 2015 7:13 PM

Hello all, we are looking for volunteers for the next revision of WAFEC. I
intend to hold a WAFEC workshop at AppSecUSA on Wednesday September 23rd to
discuss next steps for the project, including a revised roadmap, document
outline and specific discussion points on the evaluation approach. We hope to
invigorate interest in the project there, but I wanted to reach out to the
existing list first (this will remain the official mailing list for WAFEC
activities) and ask that you let me know if you have skills in any of the
following areas and have an interest in being an active participant:

  • Web App Pentesters experienced with WAF Bypasses
  • WAF Implementers
  • WAF Developers
  • WAF Vendor Liaisons
  • Metrics and standardization professionals
  • RFP writers
  • Copy edit ninjas
  • Graphics designer
  • Previous WAFEC contributors

You may see some changes in the next few weeks with regard to document
location (we plan to use Google Docs as a collaboration platform; we apologize
to any international contributors who cannot access it, please contact me
directly if you have concerns), project pages, document structure, as well
as the actual methodology for evaluation. I pretty much despise pbworks
(I have lots of experience with it, as the Security B-Sides community also
uses it and I run the Orlando conference), so you may see some content
migrate to the OWASP page at
https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project
but I will try to mirror or link as appropriate.

Currently I intend to keep the WASC-TC driven classification based
evaluations the same (if not expanded) but do want to address how we
evaluate a WAF control as properly mitigating and to what degree. WAF
technology has matured in the last few years and we will definitely be
updating the security mechanisms appropriately. Furthermore, other products
that are WAF-like have entered the space so we will be sure to make those
distinctions as well.

I really want to see more granularity and flexibility here for individual
consumers of WAFEC. One of the objectives here is the creation of a control
enumeration framework specific to WAF, that may eventually spawn its own
unique project. We will also be constructing this as a modular framework
with the understanding that not all WAF use cases are the same, and
associated requirements may deviate dramatically based on design
specifications. You can view the current roadmap at
https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap
but I would expect this to be further refined after the September workshop.

If you have further concerns, suggestions or wish to volunteer your time,
please feel free to reach out to me. Thanks!

--
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner@owasp.org
https://www.owasp.org/index.php/Orlando

Christian Heinrich
Thu, Jul 30, 2015 12:38 AM

Tony,

As some of us won't be attending AppSecUSA, can we discuss this proposal
next Thursday (6 August), when, according to
https://docs.google.com/spreadsheets/d/1O0wsM1prhoBQqKkAa1s1GBloALENIHkREys_PeswKbA/edit#gid=0
we can meet at the booth?

In the interim, can you keep this mailing list informed of any replies
received for
http://lists.owasp.org/pipermail/owasp-leaders/2015-July/014670.html please?

wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Tony Turner
Thu, Jul 30, 2015 2:04 AM

Definitely Christian. Feel free to stop by the OWASP booth at Black Hat and
we can discuss the project. So far I have not received any responses on
that other thread other than direct replies of encouragement, but no
relevant or useful dialogue. I'll update the group if that changes as it's
very relevant for planned future WAFEC activities. Thanks.

-Tony Turner
Mark Kraynak
Wed, Aug 5, 2015 7:02 PM

I’m not going to be at Black Hat or AppSecUSA, (which probably robs me of any street cred, but in my defense, I’ve got a child on the way very soon and need to stay in town for a while once she’s born).

I’m very encouraged to see this moving ahead. I’d like to offer my help and Imperva’s in whatever way seems appropriate. In the past, I’ve been a contributor to WAFEC and written some of the sections of v1 as well as drafts for the v2 which never seemed to get off the ground. A few others at Imperva have done the same. However, I think the sentiment on this thread (which I agree with) is that this should be led by end-users. So it may mean the most apropos way to do this would be for me / others to review and provide commentary.

Also, somewhere along the way, there was a discussion of how to create an effective testing/benchmarking regime for WAFEC.  As it happens this is a subject near and dear to a few people here at Imperva.  We found ourselves struggling to show customers that testing for false negatives only (which is the default for many security testers) was really not enough to evaluate a WAF.  So we created a testing tool that allows a tester to test both false positives and false negatives.  This is software we wrote and released as a free tool, I’m very proud of the name which is the WAF Testing Framework or WTF for short.  It comes with a test suite that goes against WebGoat (not written by us), but the test suite can be fully customized with relatively easy scripting.  My intention all along for this tool was to find a home outside of Imperva for it so that the community could create a test suite that could rise above the hint of vendor influence.  If this group would be interested in taking a look and evaluating whether it could be the basis for a WAFEC testing tool, I’d be happy to contribute it and open source the underlying code.

Anyone that’s interested can download the tool here: https://www.imperva.com/lg/lgw.asp?pid=483 (Note: it requires a registration, but if you contact me directly I can have it sent to you without the lead gen hassle)
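The scoring idea in Mark's message (a WAF has to be measured on false positives as well as false negatives, because a device that blocks everything scores perfectly on a false-negative-only test) as an added example. This is not part of the thread and is not Imperva's WAF Testing Framework or any WAFEC tool; the labelled test suite, the regex rule sets standing in for a WAF, and the metric names are all constructed here for illustration. In a real evaluation the verdict function would send each request through the WAF under test and read the response instead of matching regexes.

```python
"""Score a WAF against a labelled suite, counting both false positives and
false negatives. Added example; the suite and the regex 'WAFs' are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class TestCase:
    name: str
    method: str
    target: str   # request path plus query string
    body: str
    attack: bool  # True: the WAF should block it; False: legitimate traffic


# Constructed test suite. The benign cases deliberately carry attack-looking
# fragments, because that is exactly what trips false positives in production.
SUITE: List[TestCase] = [
    TestCase("sqli-union", "GET", "/items?id=1 UNION SELECT password FROM users--", "", True),
    TestCase("xss-script", "GET", "/search?q=<script>alert(1)</script>", "", True),
    TestCase("xss-event", "GET", "/profile?name=<img src=x onerror=alert(1)>", "", True),
    TestCase("traversal", "GET", "/download?file=../../etc/passwd", "", True),
    TestCase("cmdi", "POST", "/ping", "host=127.0.0.1;cat /etc/passwd", True),
    TestCase("plain-search", "GET", "/search?q=running+shoes", "", False),
    TestCase("sql-tutorial", "POST", "/posts", "title=Why UNION SELECT is slow&body=...", False),
    TestCase("html-comment", "POST", "/comments", "text=Use the <b>bold</b> tag, not <script>", False),
    TestCase("dotted-name", "GET", "/files/archive..2015.zip", "", False),
]

# A verdict function answers "did the WAF block this request?" (True = blocked).
Verdict = Callable[[TestCase], bool]


def make_regex_waf(rules: Dict[str, re.Pattern]) -> Verdict:
    """Stand-in for a real WAF: block if any rule matches the request line or body."""
    def verdict(tc: TestCase) -> bool:
        raw = f"{tc.method} {tc.target}\n{tc.body}"
        return any(r.search(raw) for r in rules.values())
    return verdict


# Broad signatures: catch the obvious attacks but also the benign look-alikes.
NAIVE_RULES: Dict[str, re.Pattern] = {
    "sqli": re.compile(r"union\s+select", re.I),
    "xss": re.compile(r"<script", re.I),
    "traversal": re.compile(r"\.\./"),
    "cmdi": re.compile(r";\s*(cat|ls|id|wget|curl)\b", re.I),
}

# Narrower signatures: require more of the attack's structure before blocking.
TUNED_RULES: Dict[str, re.Pattern] = {
    "sqli": re.compile(r"union\s+(all\s+)?select\b.*\bfrom\b", re.I),
    "xss": re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S),
    "traversal": re.compile(r"\.\./"),
    "cmdi": re.compile(r";\s*(cat|ls|id|wget|curl)\b", re.I),
}


def block_everything(tc: TestCase) -> bool:
    """The degenerate 'WAF' that a false-negative-only test would rate as perfect."""
    return True


def score(verdict: Verdict, suite: List[TestCase] = SUITE) -> Dict[str, float]:
    """Confusion-matrix counts plus detection rate (1 - FN rate) and false-positive rate."""
    tp = fp = tn = fn = 0
    for tc in suite:
        blocked = verdict(tc)
        if tc.attack and blocked:
            tp += 1
        elif tc.attack:
            fn += 1
        elif blocked:
            fp += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    for label, v in [("block-everything", block_everything),
                     ("naive-regex", make_regex_waf(NAIVE_RULES)),
                     ("tuned-regex", make_regex_waf(TUNED_RULES))]:
        print(f"{label:17s} {score(v)}")
```

On this suite the block-everything verdict gets a detection rate of 1.0 and a false-positive rate of 1.0, the naive rules get 0.8 and 0.5, and the tuned rules get 0.8 and 0.0; only the false-positive column separates the three. Both regex sets miss the event-handler XSS variant, which is the kind of case a pentester experienced with WAF bypasses (the first role on Tony's list) would keep adding to the attack side of the suite.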
