Hi All,
A few updates:
*** 0. I still did not find a location for a WAFEC meeting alongside RSA. If
someone can arrange for a meeting place for us, I would love to host a WAFEC
workshop alongside RSA as I assume many of you will be there. ***
1. Two drafts published this week for your review:
- A second draft of the "What is a WAF" section from Achim.
- A first, still rough, draft of the security section from Ryan and
Amichai. While still early I thought it's worth sharing.
As usual you can find them here:
http://projects.webappsec.org/w/page/60249779/WAFEC_2_Outline
2. We had a WAFEC panel as part of the OWASP Israel meeting
(https://www.owasp.org/index.php/OWASP_Israel_2013_02). I am sure it was
very educating for the 100 or so people joining physically or online. Some
takes I had which are of significance to WAFEC are:
- The accuracy issue is a key element that bothers everyone, i.e. how do you
really test whether a WAF protects against what it claims to protect against. As a
document WAFEC does not address that, and people asked for a tool to help
(Amichai mentioned Imperva will release one as open source shortly).
- WAFEC users, security people, are often ignorant of what the organization
actually uses in applications (technologies, protocols). WAFEC can never list
all of the possible technologies used and may inadvertently cause security
practitioners to miss important requirements. WAFEC must explicitly call
for the user to verify and extend the list of requirements, especially with
regard to protected applications and technologies, by working with the Ops and
Dev guys.
- A question raised for which I found the panel answers lacking was best
practices for using WAFs in a dev-ops (i.e. continuous deployment)
environment.
For those of you on the panel or in the audience, feel free to share your takes
from the meeting.
~ Ofer
Ofer Shezaf
[+972-54-4431119; ofer@shezaf.com, www.shezaf.com]