wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


WAFEC 2.0 Comments on Supporting Functionality

Paul Scott
Tue, Jan 15, 2013 7:06 AM

WAFEC contributors,

I'd like to start by saying great work. I have some feedback on the
supporting functionality section that is published on the wiki. Please
forgive me if I have misunderstood the purpose of a specific section.

Regarding 5.1.2.A, I think the story of central management is becoming
increasingly relevant. The evaluation would benefit from expanding on this.
In addition to central viewing/searching of events and central policy
management (templates, mirroring, tuning), we will need features like
central config management (backup, restore), logging, correlation, and
alerting.

I haven't seen reporting mentioned. Would it be relevant to mention it in
5.1.2.C?

5.2.C, Is the automated backup to a central location? can the backed up
configuration also be restored?

Regarding the 5.2.D, When you speak about a system restart what system are
you referring to? This could be an appliance or an application. I think the
spirit of this is to find out what configuration changes can cause a
protected site to become unavailable. Is that accurate? Maybe this section
should refocus on this impact.

5.2.E, config synchronization between appliances or instances is an
important capability even if centralized configuration management is
available.
5.4.1.B, I think Audit Logging evaluation criteria should favor remote
logging or central logging when we're talking about where to store logs.
Also, supporting a feature to mask sensitive data within event logs is
nice to prevent you from falling out of compliance by storing clear text
CC#s in the logs.

5.4.1.C, Does Enterprise Directory Integration fit the spirit of the Secure
Management section? I know there was some discussion about the relevance of
single sign on. This seems similar.

Please consider this feedback,

P.Scott

WAFEC contributors, I'd like to start by saying great work. I have some feedback on the supporting functionality section that is published on the wiki. Please forgive me if I have misunderstood the purpose of a specific section. Regarding 5.1.2.A, I think the story of central management is becoming increasingly relevant. The evaluation would benefit from expanding on this. In addition to central viewing/searching of events and central policy management (templates, mirroring, tuning), we will need features like central config management (backup, restore), logging, correlation, and alerting. I haven't seen reporting mentioned. Would it be relevant to mention it in 5.1.2.C? 5.2.C, Is the automated backup to a central location? can the backed up configuration also be restored? Regarding the 5.2.D, When you speak about a system restart what system are you referring to? This could be an appliance or an application. I think the spirit of this is to find out what configuration changes can cause a protected site to become unavailable. Is that accurate? Maybe this section should refocus on this impact. 5.2.E, config synchronization between appliances or instances is an important capability even if centralized configuration management is available. * *5.4.1.B, I think Audit Logging, evaluation criteria should favor remote logging or central logging when we're talking about where to store logs. Also, supporting a feature to mask sensitive data within event logs is a nice to prevent you from falling out of compliance by storing clear text CC#s in the logs. 5.4.1.C, Does Enterprise Directory Integration fit the spirit of Secure Mangement section? I know there was some discussion about the relevance of single sign on. This seems similar.** Please consider this feedback, P.Scott
OS
Ofer Shezaf
Sun, Feb 24, 2013 10:13 PM

Hi Paul, and sorry for the huge delay in going over your comments. Very, very
good feedback, thanks. I also need to confess that finally having non-vendor
feedback is refreshing.

See below. When I wrote "added" or "modified" I meant when next I will
publish a version, hopefully shortly.

~ Ofer

From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf
Of Paul Scott
Sent: Monday, January 14, 2013 11:06 PM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] WAFEC 2.0 Comments on Supporting Functionality

WAFEC contributors,

I'd like to start by saying great work. I have some feedback on the
supporting functionality section that is published on the wiki. Please
forgive me if I have misunderstood the purpose of a specific section.

Regarding 5.1.2.A, I think the story of central management is becoming
increasingly relevant. The evaluation would benefit from expanding on this.
In addition to central viewing/searching of events and central policy
management (templates, mirroring, tuning), we will need features like
central config management (backup, restore), logging, correlation, and
alerting.

[Ofer] Added all apart from:

  •     correlations, which I think are part of a potential security technique.
        I am not sure we even call the same thing correlations across the board.

  •     Backup/restore - part of central policy and configuration management.

That said, I feel that the list is getting too long effectively duplicating
all other "management features" and I consider restructuring for every
criteria to have a "central management" sub question.

I haven't seen reporting mentioned. Would it be relevant to mention it in
5.1.2.C?

[Ofer] Added

5.2.C, Is the automated backup to a central location? can the backed up
configuration also be restored?

[Ofer] Added restore. The central management issue as you noted deserves a
bigger change.

Regarding the 5.2.D, When you speak about a system restart what system are
you referring to? This could be an appliance or an application. I think the
spirit of this is to find out what configuration changes can cause a
protected site to become unavailable. Is that accurate? Maybe this section
should refocus on this impact.

[Ofer] Agreed, though it requires also asking not only if it takes down the
application, but also protection.

5.2.E, config synchronization between appliances or instances is an
important capability even if centralized configuration management is
available.

[Ofer] Added. I am not sure if this is the right location or alongside
central management, but went with your suggestion.

5.4.1.B, I think Audit Logging evaluation criteria should favor remote
logging or central logging when we're talking about where to store logs.
Also, supporting a feature to mask sensitive data within event logs is
nice to prevent you from falling out of compliance by storing clear text
CC#s in the logs.

[Ofer] I added audit logging to central management. As said, I might reverse
this and add central management to this criteria. As for masking: it is
included in 5.3F; however, the challenge here is that it is a very easy to
abuse criterion, so it is hard to really do it. I am open to suggestions as to
how to make it into a viable criterion.

5.4.1.C, Does Enterprise Directory Integration fit the spirit of the Secure
Management section? I know there was some discussion about the relevance of
single sign on. This seems similar.

[Ofer] Enterprise Directory integration is for the WAF own admin users. SSO
is a feature that may (or may not) be provided by a WAF for web users.

Please consider this feedback,

P.Scott

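The log masking discussed under 5.4.1.B and 5.3F above, as an added example that is not part of the thread and is not WAFEC or any vendor's code: a small sanitizer that masks Luhn-valid card numbers in a WAF event before the event is written or forwarded to a central log, while leaving other long digit runs (order numbers, timestamps) untouched. The candidate pattern (13 to 19 digits with optional space or dash separators), the keep-last-four convention, the field names and the sample event are all assumptions made for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits. This input format is an assumption
# made for the example; it is not a WAFEC definition.
_PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of ASCII digits passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str, keep_last: int = 4) -> str:
    """Replace Luhn-valid card numbers in text with '*', keeping the last
    keep_last digits and any separators so the field stays readable."""

    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # order id, timestamp, phone number: leave it
        cutoff = len(digits) - keep_last
        seen = 0
        out = []
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > cutoff else "*")
            else:
                out.append(ch)  # keep separators in place
        return "".join(out)

    return _PAN_CANDIDATE.sub(_mask, text)


def sanitize_event(event):
    """Walk a WAF event (nested dicts/lists/strings) and mask PANs in every
    string field. Call this on the event before it is written locally or
    forwarded to the central log store, not on the stored copy afterwards."""
    if isinstance(event, dict):
        return {k: sanitize_event(v) for k, v in event.items()}
    if isinstance(event, list):
        return [sanitize_event(v) for v in event]
    if isinstance(event, str):
        return mask_pans(event)
    return event


# Constructed sample event, not a capture from any real WAF.
SAMPLE_EVENT = {
    "ts": "2013-01-15T07:06:00Z",
    "rule": "sqli-generic",          # hypothetical rule name
    "client": "198.51.100.23",       # documentation-range address
    "order_id": "1234567890123",     # 13 digits, fails Luhn, must survive
    "body": "pan=4111-1111-1111-1111&cvv=123",
    "headers": ["X-Card: 4111 1111 1111 1111"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(sanitize_event(SAMPLE_EVENT), indent=2))
```

Running the Luhn check before masking is what keeps the sanitizer from blanking every long number in the log, which is the cheapest way a bare "masks sensitive data" checkbox can be satisfied without being useful. It remains a heuristic: roughly one in ten random digit strings passes Luhn, and a PAN split across two fields is not caught, so an evaluator should feed the WAF both card-shaped and non-card data and inspect the stored and forwarded events rather than accept the feature on the data sheet.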