wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


Re: [WASC-WAFEC] WAFEC 2.0 Comments on Supporting Functionality

Ofer Shezaf
Sun, Feb 24, 2013 10:13 PM

(When I wrote updated or added, I mean when I will publish the next round of
my section, hopefully shortly)

~ Ofer

From: Kasey Cross [mailto:kasey@imperva.com]
Sent: Wednesday, February 06, 2013 4:12 PM
To: Ofer Shezaf
Cc: Mark Kraynak; Sylvain Gil; Amichai Shulman; Tal Beery
Subject: RE: [WASC-WAFEC] WAFEC 2.0 Comments on Supporting Functionality

Thank you!

I have one minor change to my list of suggestions. Instead of:

o  Support for RBAC groups (with users inheriting rights of group)

It might be better to include:

o  Support for pre-defined and custom roles that can be assigned to users;
list default user roles

[Ofer] this is actually something I had in the original :). I added your
distinction between pre-defined and custom roles.

From: Ofer Shezaf [mailto:oshezaf@gmail.com] On Behalf Of Ofer Shezaf
Sent: Wednesday, February 06, 2013 2:10 AM
To: Kasey Cross
Cc: Mark Kraynak; Sylvain Gil; Amichai Shulman; Tal Beery
Subject: RE: [WASC-WAFEC] WAFEC 2.0 Comments on Supporting Functionality

Thanks for your input. I will go through it when next I get to do an update
cycle of my section hopefully (but not promised) in the next week or so.

~ Ofer

From: Kasey Cross [mailto:kasey@imperva.com]
Sent: Wednesday, February 06, 2013 3:16 AM
To: Ofer Shezaf (ofer@shezaf.com)
Cc: Mark Kraynak; Sylvain Gil; Amichai Shulman; Tal Beery
Subject: RE: [WASC-WAFEC] WAFEC 2.0 Comments on Supporting Functionality

Hi Ofer,

I looked at the WAFEC v2 Draft.  I wanted to suggest the following items for
your sections of WAFEC. I am working from the Web-based WAFEC draft; let me
know if I should refer to the Word version instead.

Best regards,
Kasey

Management User Interface

  •  Centralized Management

o  Centralized logging

[Ofer] Added.

o  Centralized reporting

[Ofer] Added

o  Synchronization of application profiles (white list security) across WAF
gateways

[Ofer] I did list "policy management", I think that application profiles is
one aspect of that which is implementation specific.

o  Manager of manager for large scale deployments

[Ofer] I understand there might be importance in hierarchical, however can you
come up with a motivation other than "large scale deployment"? I assume you
don't need hierarchy due to the deployment size (i.e. number of gateways).

  •  Configuration

o  Ability to define security policies at the global, server, application,
or URL level

[Ofer] This should be included in chapter 3 in the context to the security
technique you need it for.

o  Ability to create signature exceptions by URL, session or authentication
result

[Ofer] Same

  •  Role Based Access Control

o  Support for RBAC groups (with users inheriting rights of group)

o  Ability to assign write, read-only or restrict all privileges to
policies, reports, and security events and to limit access to specific Web
applications or server groups

[Ofer] I have to think this over. While correct, it opens up a huge Pandora
box that I hoped to avoid by asking just for numbers and names of
roles/permissions.

  •  Reporting

o  Reports can be scheduled and distributed or generated on demand

o  Maximum number of records a single report can contain (if any maximum
exists)

o  Report customization by parameters such as day, type of attack, WAF
gateway, username, event ID, source IP address, source geolocation, URL, and
violation type

o  Optional graphical reports with chart and graph summaries of report data

[Ofer] All added. I would probably rephrase the 3rd to make it more general.

Self-Security

  •  Explicitly list ICSA Labs WAF Certification, Common Criteria
Certification

[Ofer] I would rather not list ICSA as a commercial certification vendor.
Common Criteria makes sense.
