wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List

What should we change in WAFEC 2.0?

CH
Christian Heinrich
Tue, Jun 19, 2012 9:52 PM

Ken,

My recommendation would be to produce a high level draft of customer
requirements of items that complement a WAF and then have this
endorsed by end user(s) for inclusion or as a supplement to WAFEC.

On Wed, Jun 20, 2012 at 3:08 AM, Kenneth Salchow k.salchow@f5.com wrote:

I'm not sure what you are asking for Christian ... are you looking for customer references that state that customers have other solutions (SSO, SSL-VPN, UTM, Firewall, etc) that they will be deploying alongside WAF?  I kind of thought that we could all agree that customers weren't installing WAF devices all by themselves; that would be kind of simplistic if you ask me.

Further, yes, I do think we should mention all the regional certifications related to power consumption or other implementation issues.  As a customer (and while I'm not one now ... I was one once) those are ALL important things to me.  Why would I bother to investigate a solution that I would not be able to actually deploy because it doesn't meet the requirements of my environment?

However, if everyone thinks it is of no value to customers to know this kind of information ... then that's fine by me.  I just personally think you are doing a disservice to the end customer to simply dismiss these items.  Today's networks are far too complex to simply ignore how devices interact with each other.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

KS
Kenneth Salchow
Mon, Jun 25, 2012 8:46 PM

Sounds like a reasonable, well-founded plan.

KJ (Ken) Salchow, Jr. | Program Manager, Technical Certification
D 651.423.1133
M 612.868.1258
P 206.272.5555
F 206.272.5555
www.f5.com

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Tuesday, June 19, 2012 4:52 PM
To: Kenneth Salchow
Cc: Alexander Meisel; wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] What should we change in WAFEC 2.0?

Ken,

My recommendation would be to produce a high level draft of customer requirements of items that complement a WAF and then have this endorsed by end user(s) for inclusion or as a supplement to WAFEC.

On Wed, Jun 20, 2012 at 3:08 AM, Kenneth Salchow k.salchow@f5.com wrote:

I'm not sure what you are asking for Christian ... are you looking for customer references that state that customers have other solutions (SSO, SSL-VPN, UTM, Firewall, etc) that they will be deploying alongside WAF?  I kind of thought that we could all agree that customers weren't installing WAF devices all by themselves; that would be kind of simplistic if you ask me.

Further, yes, I do think we should mention all the regional certifications related to power consumption or other implementation issues.  As a customer (and while I'm not one now ... I was one once) those are ALL important things to me.  Why would I bother to investigate a solution that I would not be able to actually deploy because it doesn't meet the requirements of my environment?

However, if everyone thinks it is of no value to customers to know this kind of information ... then that's fine by me.  I just personally think you are doing a disservice to the end customer to simply dismiss these items.  Today's networks are far too complex to simply ignore how devices interact with each other.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

CH
Christian Heinrich
Fri, Jun 29, 2012 1:43 AM

Ofer,

I found two relevant slides from WhiteHat’s 12th Website Security
Statistics Report:

  1. http://www.slideshare.net/jeremiahgrossman/stat-swebinar062712/11
    i.e. Mitigation of vulnerabilities (based on WASC Threat Matrix) in
    implementing a WAF (this might be expanded in their report which
    should be released today (Friday 29 June)).

  2. http://www.slideshare.net/jeremiahgrossman/stat-swebinar062712/15
    i.e. Time that passes to identify and then remediate vulnerabilities
    within the Source Code.

To avoid a conflict of interest we should invite others to provide
relevant statistics related to real world implementations of a WAF and
the time taken to fix a vulnerability in source code and then
calculate an average?

On Sun, Jun 10, 2012 at 11:17 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

Ofer,

On Wed, Jun 6, 2012 at 9:39 PM, Ofer Shezaf ofer@shezaf.com wrote:

5.       The “ethical” questions:

·         How to address alternative solutions such as fixing the code?

I am also willing to review and confirm that any perceived conflict of
interest was removed from this section with consideration to
http://blog.modsecurity.org/2010/10/modsecurity-user-survey-results-released.html

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

CH
Christian Heinrich
Sun, Aug 19, 2012 10:24 AM

Kenneth,

I am an end user at the moment and have been informed that it is
possible to repurpose some F5 load balancers as a WAF by our network
service provider.

I am therefore interested in participating (for science) in the
proposal discussed back in June.

Would it be possible to directly send me any F5 literature that is
relevant to WAFEC?

On Tue, Jun 26, 2012 at 6:46 AM, Kenneth Salchow k.salchow@f5.com wrote:

Sounds like a reasonable, well-founded plan.

KJ (Ken) Salchow, Jr. | Program Manager, Technical Certification
D 651.423.1133
M 612.868.1258
P 206.272.5555
F 206.272.5555
www.f5.com

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich@cmlh.id.au]
Sent: Tuesday, June 19, 2012 4:52 PM
To: Kenneth Salchow
Cc: Alexander Meisel; wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] What should we change in WAFEC 2.0?

Ken,

My recommendation would be to produce a high level draft of customer requirements of items that complement a WAF and then have this endorsed by end user(s) for inclusion or as a supplement to WAFEC.

On Wed, Jun 20, 2012 at 3:08 AM, Kenneth Salchow k.salchow@f5.com wrote:

I'm not sure what you are asking for Christian ... are you looking for customer references that state that customers have other solutions (SSO, SSL-VPN, UTM, Firewall, etc) that they will be deploying alongside WAF?  I kind of thought that we could all agree that customers weren't installing WAF devices all by themselves; that would be kind of simplistic if you ask me.

Further, yes, I do think we should mention all the regional certifications related to power consumption or other implementation issues.  As a customer (and while I'm not one now ... I was one once) those are ALL important things to me.  Why would I bother to investigate a solution that I would not be able to actually deploy because it doesn't meet the requirements of my environment?

However, if everyone thinks it is of no value to customers to know this kind of information ... then that's fine by me.  I just personally think you are doing a disservice to the end customer to simply dismiss these items.  Today's networks are far too complex to simply ignore how devices interact with each other.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
