wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


WAFEC v2 Step 1

Wujek Thorsten [STEIN-IT GmbH]
Wed, Feb 9, 2011 9:28 PM

Hi,

Thanks to everybody for showing so much interest in evolving WAFEC v2.

Today I would like to present the first, initial step of our project. After that I or my brother will be able to provide a detailed schedule and goal definition as well as how the communication will be organized.

1.) I would like to name those who have confirmed their participation explicitly on the WASC / WAFEC Website. If you do not want that, please let me know, otherwise I take silence as an "OK".

2.) As stated in the first mail, there should be a review of WAFEC v1 and it would be great if you could start with your or your customers' experiences regarding the use of WAFEC v1.
Let me be the one starting the discussion in short words:

i.) There are a lot of criteria regarding content switching, which is irritating if you speak about WAF
ii.) With the new DoS aspects of HTML 5 we should sharpen WAFEC criteria regarding that issue
iii.) WAFEC should give customers or consultants the ability to judge positive or negative techniques as well as training; at the moment it is just showing capabilities
iv.) The actual version is not helpful if you want to evaluate management or administrative capabilities

These are my 5 cents.

3.) Last but not least there should be an overall confirmation if the suggested topics should be discussed in this project completely and how these points should be prioritized.

Awaiting your comments.

Thorsten

Kind regards
STEIN-IT GmbH
Thorsten Wujek
technischer Geschäftsführer
technical CEO

MCT, MCA, MASE, CITA-P

Neckarstraße 4, 45768 Marl
Phone +49 23 65 . 92 44 - 31
Fax +49 23 65 . 92 44 - 44

www.stein-edv.de <http://www.stein-edv.de/>
www.sony-repair.de <http://www.sony-repair.de/>
Thorsten.Wujek@stein-edv.de <mailto:thorsten.wujek@stein-edv.de>

VAT ID: DE 814703466
Tax no.: 359 5786 0059

Amtsgericht Gelsenkirchen, HRB 8639
Registered office and place of jurisdiction: Marl

Managing directors:
Joachim Matzek, Thorsten Wujek

Ivan Ristic
Wed, Feb 9, 2011 9:44 PM

I am not so sure we should start by reviewing WAFECv1. We should let it rest
for a little while longer. It's much better to discuss the common WAF use
cases, and from that deduce how to formulate criteria that would help
users determine if the products they are evaluating are suitable for the use
cases they wish to pursue.

For the record, my impression of WAFECv1 is that it's great for the guys
like me, who are interested in how WAFs operate, but not as useful for
end-users, who just want to take care of a problem they have.

In addition, I have some questions:

  • What is content switching?
  • What DoS aspects of HTML5?

On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <Thorsten.Wujek@stein-edv.de> wrote:

--
Ivan Ristić

robert@webappsec.org
Wed, Feb 9, 2011 10:58 PM

> I am not so sure we should start by reviewing WAFECv1. We should let it rest
> for a little while longer. It's much better to discuss the common WAF use
> cases, and from that deduce how to formulate a criteria that would help
> users determine if the products they are evaluating are suitable for the use
> cases they wish to pursue.

I agree. After building out these use cases then see what is and isn't in v1 and create
the new sections/update the old ones.

Regards,

- Robert Auger
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

JU
Johanne Ulloa
Thu, Feb 10, 2011 2:35 PM

Hello there,

Maybe we can start to determine on which criteria we have to focus.
If we consider that WAFEC is a tool to evaluate WAFs and if one assumes that a WAF is a security device, it seems that we have to focus on the security level that can be provided by the WAF. So, security should be the first criterion.

Of course, a WAF is able to provide more added values such as:

  • Acceleration
  • Authentication
  • Authorization
  • SSO
  • Visibility (debugging/reporting/monitoring)
  • Architecture design improvement

After that, some other criteria such as:

  • deployment mode
  • easiness to administrate
  • scalability and high availability

The second thing is to determine the method to evaluate criteria.
For example, regarding the security part, WASC-ID could be used. For each ID, provide a method to test the WAF's capacity to block or mitigate attacks related to the threat.

Regards

-----Original Message-----
From: wasc-wafec-bounces@lists.webappsec.org [mailto:wasc-wafec-bounces@lists.webappsec.org] On behalf of robert@webappsec.org
Sent: Wednesday, 9 February 2011 23:59
To: Ivan Ristic
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1

> I am not so sure we should start by reviewing WAFECv1. We should let it rest
> for a little while longer. It's much better to discuss the common WAF use
> cases, and from that deduce how to formulate a criteria that would help
> users determine if the products they are evaluating are suitable for the use
> cases they wish to pursue.

I agree. After building out these use cases then see what is and isn't in v1 and create
the new sections/update the old ones.

Regards,

- Robert Auger
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

> For the record, my impression of WAFECv1 is that it's great for the guys
> like me, who are interested in how WAFs operate, but not as useful for
> end-users, who just want to take care of a problem they have.
>
> In addition, I have some questions:
>
> - What is content switching
> - What DoS aspects of HTML5?

> On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <
> Thorsten.Wujek@stein-edv.de> wrote:
>
> > Hi,
> >
> > Thanks to everybody for showing so much interest in evolving WAFEC v2.
> >
> > Today I would like to present the first, initial step of our project. After
> > that I or my brother will be able to provide a detailed schedule and goal
> > definition as well as how the communication will be organized.
> >
> > 1.)    I would like to name those, who have confirmed their participation
> > explicitly on the WASC / WAFEC Website. If you do not want that, please let
> > me know, otherwise I take silence as an “OK”.
> >
> > 2.)    As stated in the first mail, there should be a review of WAFEC v1
> > and it would be great, if you could start with your or your customers
> > experiences regarding the use of WAFEC v1.
> > Let me be the one starting the discussion in short words:
> >
> > i.)          There are a lot of criteria regarding content switching,
> > which is irritating if you speak about WAF
> > ii.)          With the new DoS aspects of HTML 5 we should sharpen WAFEC
> > criteria regarding that issue
> > iii.)        WAFEC should give customers or consultants the ability to
> > judge positive or negative techniques as well as training, at the moment it
> > is just showing capabilities
> >
> > iv.)        The actual version is not helpful if you want to evaluate
> > management or administrative capabilities
> >
> > These are my 5 cent
> >
> > 3.)    Last but not least there should be an overall confirmation if the
> > suggested topics should be discussed in this project completely and how
> > these points should be prioritized.
> >
> > Awaiting your comments.
> >
> > Thorsten
> >
> > Kind regards
> > STEIN-IT GmbH
> > Thorsten Wujek
> > technical managing director
> > technical CEO


> --
> Ivan Ristić


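Johanne's method above (one test method per WASC ID, judged on whether the WAF blocks or only mitigates) can be turned into a scorecard. The Python below is an added example, not code from the WAFEC project or from anyone on this thread: it runs a list of test requests through a WAF callable, tallies blocked / logged / passed per WASC ID, and counts false positives on legitimate traffic, because a product that blocks everything would otherwise score perfectly. WASC-08, WASC-19 and WASC-33 are real Threat Classification IDs; the requests, the `toy_waf` rule set, the rating labels and the 10% false-positive ceiling are constructed assumptions of this example.

```python
"""WAF scorecard keyed by WASC Threat Classification ID (added example, not WAFEC code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable, List

class Verdict(Enum):
    BLOCKED = "blocked"  # rejected before it reached the application
    LOGGED = "logged"    # forwarded, but an alert was raised (detect-only)
    PASSED = "passed"    # forwarded silently

@dataclass(frozen=True)
class TestCase:
    wasc_id: str     # WASC Threat Classification ID the test belongs to ("-" for legitimate traffic)
    name: str
    request: str     # constructed raw request (request line, query or body)
    malicious: bool  # True: the WAF should block it; False: legitimate, must pass

@dataclass
class ClassScore:
    blocked: int = 0
    logged: int = 0
    passed: int = 0

    def total(self) -> int:
        return self.blocked + self.logged + self.passed

    def block_rate(self) -> float:
        return self.blocked / self.total() if self.total() else 0.0

    def detection_rate(self) -> float:  # blocked or at least alerted on
        return (self.blocked + self.logged) / self.total() if self.total() else 0.0

@dataclass
class Scorecard:
    per_class: Dict[str, ClassScore] = field(default_factory=lambda: defaultdict(ClassScore))
    legit_total: int = 0
    false_positives: int = 0  # legitimate requests the WAF blocked

    def false_positive_rate(self) -> float:
        return self.false_positives / self.legit_total if self.legit_total else 0.0

def evaluate(waf: Callable[[str], Verdict], cases: Iterable[TestCase]) -> Scorecard:
    """Run every test through the WAF and tally verdicts per WASC ID."""
    card = Scorecard()
    for case in cases:
        verdict = waf(case.request)
        if case.malicious:
            score = card.per_class[case.wasc_id]
            setattr(score, verdict.value, getattr(score, verdict.value) + 1)
        else:  # legitimate traffic: only a block counts against the WAF
            card.legit_total += 1
            card.false_positives += int(verdict is Verdict.BLOCKED)
    return card

def rate_class(card: Scorecard, wasc_id: str) -> str:
    """Qualitative rating for one threat class; the labels are this example's own."""
    score = card.per_class.get(wasc_id)
    if score is None or score.total() == 0:
        return "not tested"
    if score.block_rate() == 1.0:
        return "blocks"
    if score.detection_rate() == 1.0:
        return "detects"
    return "gaps"  # at least one test went through unnoticed

def overall(card: Scorecard, max_fp_rate: float = 0.10) -> str:
    """Whole-product verdict; the false-positive ceiling is an assumed threshold."""
    if card.false_positive_rate() > max_fp_rate:
        return "fails on false positives"
    if all(rate_class(card, cid) == "blocks" for cid in card.per_class):
        return "blocks all tested classes"
    return "partial coverage"

# Constructed stand-in for the product under test (a real rule set is far richer).
# The alert-only signature is case-sensitive on purpose so the run shows a gap.
BLOCK_SIGNATURES = ("<script", "../")
ALERT_SIGNATURES = ("UNION SELECT",)

def toy_waf(request: str) -> Verdict:
    if any(sig in request for sig in BLOCK_SIGNATURES):
        return Verdict.BLOCKED
    if any(sig in request for sig in ALERT_SIGNATURES):
        return Verdict.LOGGED
    return Verdict.PASSED

# Constructed sample tests: WASC-19 SQL Injection, WASC-08 Cross-Site Scripting,
# WASC-33 Path Traversal, plus legitimate traffic that must not be blocked.
SAMPLE_CASES: List[TestCase] = [
    TestCase("WASC-19", "union, upper case", "GET /items?id=1 UNION SELECT 1,2", True),
    TestCase("WASC-19", "union, lower case", "GET /items?id=1 union select 1,2", True),
    TestCase("WASC-08", "inline script tag", "POST /comment body=<script>x()</script>", True),
    TestCase("WASC-33", "dot-dot path", "GET /download?file=../../config.txt", True),
    TestCase("-", "search term", "GET /search?q=script tags explained", False),
    TestCase("-", "dated archive url", "GET /blog/2011/02/index.html", False),
    TestCase("-", "apostrophe in name", "POST /profile name=O'Brien", False),
    TestCase("-", "forum post about HTML", "POST /forum body=how do I embed a <script> tag", False),
]
```

Running `evaluate(toy_waf, SAMPLE_CASES)` rates WASC-19 as "gaps" because the lower-case variant is not in the signature list, while WASC-08 and WASC-33 rate "blocks"; `overall()` still fails the product because one legitimate forum post was blocked (1 of 4, above the assumed 10% ceiling). That is why legitimate traffic belongs in the test set next to the per-ID cases: a per-ID block rate alone cannot distinguish a good WAF from one that rejects everything.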
ME
Matthieu Estrade
Thu, Feb 10, 2011 2:45 PM

On 9 Feb 2011, at 23:58, robert@webappsec.org wrote:

> > I am not so sure we should start by reviewing WAFECv1. We should let it rest
> > for a little while longer. It's much better to discuss the common WAF use
> > cases, and from that deduce how to formulate a criteria that would help
> > users determine if the products they are evaluating are suitable for the use
> > cases they wish to pursue.
>
> I agree. After building out these use cases then see what is and isn't in v1 and create
> the new sections/update the old ones.

+1

imho, WAFEC v1 is good but for old style use cases; this document was done a few years ago, when WAFs were used to secure 1-5 web applications.
Today, there are bigger infrastructures, new constraints, new needs, like virtualization, cloud, mass deployment etc. We need to cover these new needs.

Matthieu

> > For the record, my impression of WAFECv1 is that it's great for the guys
> > like me, who are interested in how WAFs operate, but not as useful for
> > end-users, who just want to take care of a problem they have.
> >
> > In addition, I have some questions:
> >
> > - What is content switching
> > - What DoS aspects of HTML5?
> > On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <
> > Thorsten.Wujek@stein-edv.de> wrote:
> >
> > > Hi,
> > >
> > > Thanks to everybody for showing so much interest in evolving WAFEC v2.
> > >
> > > Today I would like to present the first, initial step of our project. After
> > > that I or my brother will be able to provide a detailed schedule and goal
> > > definition as well as how the communication will be organized.
> > >
> > > 1.)    I would like to name those, who have confirmed their participation
> > > explicitly on the WASC / WAFEC Website. If you do not want that, please let
> > > me know, otherwise I take silence as an “OK”.
> > >
> > > 2.)    As stated in the first mail, there should be a review of WAFEC v1
> > > and it would be great, if you could start with your or your customers
> > > experiences regarding the use of WAFEC v1.
> > > Let me be the one starting the discussion in short words:
> > >
> > > i.)          There are a lot of criteria regarding content switching,
> > > which is irritating if you speak about WAF
> > > ii.)          With the new DoS aspects of HTML 5 we should sharpen WAFEC
> > > criteria regarding that issue
> > > iii.)        WAFEC should give customers or consultants the ability to
> > > judge positive or negative techniques as well as training, at the moment it
> > > is just showing capabilities
> > >
> > > iv.)        The actual version is not helpful if you want to evaluate
> > > management or administrative capabilities
> > >
> > > These are my 5 cent
> > >
> > > 3.)    Last but not least there should be an overall confirmation if the
> > > suggested topics should be discussed in this project completely and how
> > > these points should be prioritized.
> > >
> > > Awaiting your comments.
> > >
> > > Thorsten
> > >
> > > Kind regards
> > > STEIN-IT GmbH
> > > Thorsten Wujek
> > > technical managing director
> > > technical CEO
> > --
> > Ivan Ristić


=C2=A0</span></p><p class=3D"MsoNormal"><span>=C2=A0</span></p><p class=3D=

"MsoNormal">=C2=A0</p></div></div><br>_____________________________________=
__________<br>
wasc-wafec mailing list<br>
<a href=3D"mailto:wasc-wafec@lists.webappsec.org">wasc-wafec@lists.webappse=
c.org</a><br>
<a href=3D"http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.web=
appsec.org" target=3D"_blank">http://lists.webappsec.org/mailman/listinfo/w=
asc-wafec_lists.webappsec.org</a><br>
-- 
Ivan Ristić

wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org


On 9 Feb 2011 at 23:58, robert@webappsec.org wrote:

>> I am not so sure we should start by reviewing WAFECv1. We should let it rest
>> for a little while longer. It's much better to discuss the common WAF use
>> cases, and from that deduce how to formulate a criteria that would help
>> users determine if the products they are evaluating are suitable for the use
>> cases they wish to pursue.
>
> I agree. After building out these use cases then see what is and isn't in v1 and create
> the new sections/update the old ones.

+1 imho, WAFEC v1 is good but for old style use cases; this document was done a few years ago, when WAFs were used to secure 1-5 web applications. Today, there are bigger infrastructures, new constraints, new needs, like virtualization, cloud, mass deployment etc... We need to cover these new needs.

Matthieu

> Regards,
> - Robert Auger
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
>
>> For the record, my impression of WAFECv1 is that it's great for the guys
>> like me, who are interested in how WAFs operate, but not as useful for
>> end-users, who just want to take care of a problem they have.
>>
>> In addition, I have some questions:
>>
>> - What is content switching
>> - What DoS aspects of HTML5?
>>
>> On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <
>> Thorsten.Wujek@stein-edv.de> wrote:
RB
Ryan Barnett
Thu, Feb 10, 2011 5:54 PM

I will make these comments very brief (we can discuss them later in detail)

1. WAFEC is primarily used as an RFP document for end users so we should
   focus on this from a data sharing perspective and come up with a different
   method (i.e. – no more spreadsheets please…)
2. We need to have a minimum capabilities requirements section so end users
   know whether or not they should also be considering Palo Alto or
   TippingPoint. What features are unique to WAF.
3. It would be great to have a decision tree type of interface where,
   depending on the end user's main concern, they can get a customized view of
   data. For instance – when they choose the deployment mode (out of line vs.
   reverse proxy vs. bridge), then the remaining sections are applicable
   (reference the deployment method capabilities matrix that Ivan linked to).
   We could also expand this to cover use-case scenarios. Basically, we could
   remove many "N/A" responses by simply removing it entirely from the view.
4. We should think about the structure of the document to see if there is a
   better order of topics. As was already mentioned by Ivan – we should
   probably start with Use-Cases. Why is the user interested in WAF? PCI?
   Recently Hacked? These scenarios will dictate items such as deployment
   modes and blocking capabilities.

-Ryan

From:  "Wujek Thorsten [STEIN-IT GmbH]" Thorsten.Wujek@stein-edv.de
Date:  Wed, 9 Feb 2011 22:28:18 +0100
To:  "wasc-wafec@lists.webappsec.org" wasc-wafec@lists.webappsec.org
Subject:  [WASC-WAFEC] WAFEC v2 Step 1


AH
Achim Hoffmann
Sun, Feb 13, 2011 1:45 PM

Hi all,

I'll chime in to this discussion by quoting Thorsten's original mail, but also
some replies without explicitly quoting them. Hope you get it anyhow ...

For details, see inline below.
Achim

Am 09.02.2011 22:28, schrieb Wujek Thorsten [STEIN-IT GmbH]:

> 1.) I would like to name those, who have confirmed their participation explicitly on the WASC / WAFEC Website. If you do not want that, please let me know, otherwise I take silence as an "OK".

Confirmed.
According to my experience with other such projects I'd like to see a list
of contributors and an additional one for reviewers (Robert may remember
why I address this:).

> 2.) As stated in the first mail, there should be a review of WAFEC v1 and it would be great, if you could start with your or your customers' experiences regarding the use of WAFEC v1.
> Let me be the one starting the discussion in short words:

I'd vote like Ryan that we first focus on the capabilities and requirements
independent from any vendor preferences or customer wishes.
I'd like to have WAFEC more focus on the technical things, see iv.) below.

> i.) There are a lot of criteria regarding content switching, which is irritating if you speak about WAF

Agreed, see iv.) below.

> ii.) With the new DoS aspects of HTML 5 we should sharpen WAFEC criteria regarding that issue
> iii.) WAFEC should give customers or consultants the ability to judge positive or negative techniques as well as training; at the moment it is just showing capabilities

This is very important, as you want to address security first or functionality
(of the website) first. Johanne already quoted for the security first focus.
Other vendors and some customers will stress the single-point-of-failure aka
functionality argument. I expect controversial discussions as this is a fundamental
part (mainly for the sales people) of some WAFs.

> iv.) The actual version is not helpful if you want to evaluate management or administrative capabilities

I agree that WAFEC (v1) is not helpful there. That's why we've written
http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
which is about: evaluation, administration, operation, ...
(sorry for some kind of self-adulation:)

As we're thinking about "WAF: Best Practices" (v2) too, does it make sense to
focus on the facts/capabilities here in WAFEC and let "usage" go to the best
practice document? I'm open for your minds. I'll be definitely part of both worlds.

> These are my 5 cent

> 3.) Last but not least there should be an overall confirmation if the suggested topics should be discussed in this project completely and how these points should be prioritized.

See iv.)

> Awaiting your comments.
>
> Thorsten

WT
Wujek Thorsten [STEIN-IT GmbH]
Mon, Feb 14, 2011 10:05 AM

To all,

thank you for your reply. I will have in mind to give you all an additional week for comments. I will try to put the essence of your mails together and send it out next weekend.
So have a productive week.

~ Thorsten

-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Sunday, 13 February 2011 14:45
To: wasc-wafec@lists.webappsec.org
Cc: Wujek Thorsten [STEIN-IT GmbH]
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1


CH
Christian Heinrich
Sat, Feb 19, 2011 1:34 AM

Wujek,

I would like to extend the thoughts from Ryan which I have quoted below:

On Fri, Feb 11, 2011 at 4:54 AM, Ryan Barnett <rcbarnett@gmail.com> wrote:

> I will make these comments very brief (we can discuss them later in detail)
>
> 1. WAFEC is primarily used as an RFP document for end users so we
> should focus on this from a data sharing perspective and come up with a
> different method (i.e. - no more spreadsheets please...)
> 2. We need to have a minimum capabilities requirements section so end
> users know whether or not they should also be considering Palo Alto or
> TippingPoint.  What features are unique to WAF.
> 3. It would be great to have a decision tree type of interface where,
> depending on the end users' main concern, they can get a customized view of
> data.  For instance - when they choose the deployment mode (out of line vs.
> reverse proxy vs. bridge), then the remaining sections are applicable
> (reference the deployment method capabilities matrix that Ivan linked to).
> We could also expand this to cover use-case scenarios.  Basically, we could
> remove many "N/A" responses by simply removing it entirely from the view.
> 4. We should think about the structure of the document to see if there
> is a better order of topics.  As was already mentioned by Ivan - we should
> probably start with Use-Cases.  Why is the user interested in WAF?  PCI?
> Recently Hacked?  These scenarios will dictate items such as deployment
> modes and blocking capabilities.

1. was the predominant use of how it was communicated to the Australian public, i.e.
   http://www.computerworld.com.au/article/148671/web_application_firewalls_prime_integrators/

2. - 3. Should a third party, such as http://www.nsslabs.com/, http://www.dsd.gov.au/infosec/aisep/providers.htm, etc., be endorsed to provide independent assurance of the claims made by various WAF vendors?

4. Specific to PCI 6.6, i.e.
   https://www.pcisecuritystandards.org/documents/infosupp_6_6_applicationfirewalls_codereviews.pdf -
   a. Would v2 be able to provide more in-depth technical examples of "virtual patching" and ROI?
   b. Should it advocate as a long term strategy code review over WAF, i.e. "virtual patching" should be considered short term?

--
Regards,
Christian Heinrich

http://www.linkedin.com/in/ChristianHeinrich

Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au
MK
Mark Kraynak
Sat, Feb 19, 2011 1:41 AM

Few comments related to the below

> 2. - 3. Should a third party, such as http://www.nsslabs.com/, http://www.dsd.gov.au/infosec/aisep/providers.htm, etc., be endorsed to provide independent assurance of the claims made by various WAF vendors?

The ICSA already has a WAF certification program.  I think working with them to include some part of this in their process would be an easier (and maybe more cost effective) solution.

> b. Should it advocate as a long term strategy code review over WAF, i.e. "virtual patching" should be considered short term?

This is a tried and true topic for endless debate.  In my experience, organizations for the most part fail at patching effectively and those that don't do the "short term" virtual patching get ineffective protection in the long term as their patching never happens or happens incorrectly.  Regardless, I think the spec for a WAF evaluation should be one step removed from taking a side in this issue.  If we could agree that virtual patching is a function to be expected of a WAF and that there are characteristics of how well a WAF does this that can be evaluated as a part of WAFEC, can we leave alone providing advice on what an organization's overall patching strategy should be?

From: wasc-wafec-bounces@lists.webappsec.org [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Christian Heinrich
Sent: Friday, February 18, 2011 5:35 PM
To: Wujek Thorsten [STEIN-IT GmbH]
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1

Wujek,

I would like to extend the thoughts from Ryan which I have quoted below:
On Fri, Feb 11, 2011 at 4:54 AM, Ryan Barnett <rcbarnett@gmail.com> wrote:
I will make these comments very brief (we can discuss them later in detail) -

  1. WAFEC is primarily used as an RFP document for end users so we should focus on this from a data sharing perspective and come up with a different method (i.e. - no more spreadsheets please...)

  2. We need to have a minimum capabilities requirements section so end users know whether or not they should also be considering Palo Alto or TippingPoint.  What features are unique to WAF.

  3. It would be great to have a decision tree type of interface where, depending on the end users' main concern, they can get a customized view of data.  For instance - when they choose the deployment mode (out of line vs. reverse proxy vs. bridge), then the remaining sections are applicable (reference the deployment method capabilities matrix that Ivan linked to).  We could also expand this to cover use-case scenarios.  Basically, we could remove many "N/A" responses by simply removing it entirely from the view.

  4. We should think about the structure of the document to see if there is a better order of topics.  As was already mentioned by Ivan - we should probably start with Use-Cases.  Why is the user interested in WAF?  PCI?  Recently Hacked?  These scenarios will dictate items such as deployment modes and blocking capabilities.

  1. was the predominant use of how it was communicated to the Australian public, i.e. http://www.computerworld.com.au/article/148671/web_application_firewalls_prime_integrators/

  2. - 3. Should a third party, such as http://www.nsslabs.com/, http://www.dsd.gov.au/infosec/aisep/providers.htm, etc., be endorsed to provide independent assurance of the claims made by various WAF vendors?

  4. Specific to PCI 6.6, i.e. https://www.pcisecuritystandards.org/documents/infosupp_6_6_applicationfirewalls_codereviews.pdf -
    a. Would v2 be able to provide more in-depth technical examples of "virtual patching" and ROI?
    b. Should it advocate as a long term strategy code review over WAF, i.e. "virtual patching" should be considered short term?

--
Regards,
Christian Heinrich

http://www.linkedin.com/in/ChristianHeinrich

Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au