wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


IronBee -- a new Apache-licensed web application firewall

Ivan Ristic
Tue, Feb 22, 2011 11:39 AM

I would like to introduce to you IronBee, a new open source web
application firewall:

https://www.ironbee.com
https://www.ironbee.com/dl/ironbee-whitepaper.pdf

I am writing to this list because I expect there will be an overlap
between WAFEC and the documentation effort at IronBee. In the next
week or so we will start a new section on our wiki to enumerate all
the relevant attacks against web applications and then document what
web application firewalls can do to address them (with a view to
implement those defences in IronBee).

We should perhaps include a copy of the wiki content in WAFEC itself.
After all, one of our goals would be helping end users to understand
what WAFs can and cannot do.

I should also mention that we use a business-friendly Apache 2
licence, and that we will happily work with vendors (old or new).

--
Ivan Ristić

Christian Heinrich
Wed, Feb 23, 2011 5:50 AM

Ivan,

On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic <ivan.ristic@gmail.com> wrote:
> I am writing to this list because I expect there will be an overlap
> between WAFEC and the documentation effort at IronBee. In the next
> week or so we will start a new section on our wiki to enumerate all
> the relevant attacks against web applications and then document what
> web application firewalls can do to address them (with a view to
> implement those defences in IronBee).
>
> We should perhaps include a copy of the wiki content in WAFEC itself.
> After all, one of our goals would be helping end users to understand
> what WAFs can and cannot do.

Can I recommend that this be extended to ModSecurity (possibly
completed by Ryan) so that a common benchmark can be established with
the intent of this body of work possibly being reused by other WAF
vendors?

--
Regards,
Christian Heinrich

http://www.linkedin.com/in/ChristianHeinrich

Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au

Ivan Ristic
Wed, Feb 23, 2011 9:23 AM

On Wed, Feb 23, 2011 at 5:50 AM, Christian Heinrich
<christian.heinrich@cmlh.id.au> wrote:
> Ivan,
>
> On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic <ivan.ristic@gmail.com> wrote:
>> I am writing to this list because I expect there will be an overlap
>> between WAFEC and the documentation effort at IronBee. In the next
>> week or so we will start a new section on our wiki to enumerate all
>> the relevant attacks against web applications and then document what
>> web application firewalls can do to address them (with a view to
>> implement those defences in IronBee).
>>
>> We should perhaps include a copy of the wiki content in WAFEC itself.
>> After all, one of our goals would be helping end users to understand
>> what WAFs can and cannot do.
>
> Can I recommend that this be extended to ModSecurity (possibly
> completed by Ryan) so that a common benchmark can be established with
> the intent of this body of work possibly being reused by other WAF
> vendors?

That's absolutely fine. Our only requirement is that any stuff that
gets put into IronBee is licensed under Apache Software License v2.

Yesterday I actually started writing one of the pages to establish a template:

https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF

> --
> Regards,
> Christian Heinrich
>
> http://www.linkedin.com/in/ChristianHeinrich
>
> Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
> SkypeID: cmlh.id.au

--
Ivan Ristić

Ryan Barnett
Wed, Feb 23, 2011 1:05 PM

On 2/23/11 4:23 AM, "Ivan Ristic" <ivan.ristic@gmail.com> wrote:
> On Wed, Feb 23, 2011 at 5:50 AM, Christian Heinrich
> <christian.heinrich@cmlh.id.au> wrote:
>> Ivan,
>>
>> On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic <ivan.ristic@gmail.com>
>> wrote:
>>> I am writing to this list because I expect there will be an overlap
>>> between WAFEC and the documentation effort at IronBee. In the next
>>> week or so we will start a new section on our wiki to enumerate all
>>> the relevant attacks against web applications and then document what
>>> web application firewalls can do to address them (with a view to
>>> implement those defences in IronBee).
>>>
>>> We should perhaps include a copy of the wiki content in WAFEC itself.
>>> After all, one of our goals would be helping end users to understand
>>> what WAFs can and cannot do.
>>
>> Can I recommend that this be extended to ModSecurity (possibly
>> completed by Ryan) so that a common benchmark can be established with
>> the intent of this body of work possibly being reused by other WAF
>> vendors?
>
> That's absolutely fine. Our only requirement is that any stuff that
> gets put into IronBee is licensed under Apache Software License v2.
>
> Yesterday I actually started writing one of the pages to establish a
> template:
>
> https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF

May I suggest that we create this wiki content on the wasc projects site?

Also - we may want to start from the top with WAFECv2 and re-define a
definition for a web application firewall.  The definition on the WASC
Glossary page
(http://projects.webappsec.org/w/page/13246967/The-Web-Security-Glossary)
could use some updating -

"Web Application Firewall: An intermediary device, sitting between a
web-client and a web server, analyzing OSI Layer-7 messages for violations
in the programmed security policy. A web application firewall is used as a
security device protecting the web server from attack."

This does not mention software only WAF and is also narrowly focused on
attack prevention.  As I mentioned in an earlier email, we need a
definition that uniquely defines WAF.  Just by reading this current
definition, IPS appliances would fit...

Here is my first draft of an updated definition -

Web Application Firewall: A web traffic (HTTP(S)/XML) security policy
enforcement and auditing layer (intermediary device, web server plugin or
application layer filter) used to prevent both inbound attacks and
outbound data leakages.

-Ryan

>> --
>> Regards,
>> Christian Heinrich
>>
>> http://www.linkedin.com/in/ChristianHeinrich
>>
>> Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
>> SkypeID: cmlh.id.au

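Ryan's draft definition above is concrete enough to sketch in code: a policy enforcement and auditing layer over parsed HTTP that blocks inbound attacks and withholds outbound leakage, deployed as an application-layer filter rather than a separate device. The following is an added example for this archive, not code from IronBee, ModSecurity or WASC. It is a WSGI middleware with a hypothetical positive model (POLICY), two illustrative negative signatures (SIGNATURES), outbound leakage patterns (LEAK_PATTERNS) and an audit log, exercised with constructed requests against a hypothetical backend (demo_app). Every path, parameter and pattern in it is invented for the illustration.

```python
import re
from io import BytesIO
from urllib.parse import parse_qs

# Positive model (hypothetical application): the parameters each path may carry
# and the shape each value must have. Anything not listed is denied.
POLICY = {
    "/login": {"user": re.compile(r"^[a-z0-9_]{1,32}$"), "pw": re.compile(r"^.{1,128}$")},
    "/search": {"q": re.compile(r"^[\w ]{0,64}$")},
}
# Negative model: illustrative attack signatures checked against every value.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)")),
    ("xss", re.compile(r"(?i)<script|javascript:|onerror\s*=")),
]
# Outbound policy: content a response body must never carry back to the client.
LEAK_PATTERNS = [
    ("stack-trace", re.compile(r"Traceback \(most recent call last\)")),
    ("card-number", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
]

def inspect_request(path, params):
    """Inbound phase: returns (allowed, reason); unknown paths/parameters are denied."""
    if path not in POLICY:
        return False, "unknown path"
    for name, values in params.items():
        if name not in POLICY[path]:
            return False, f"unexpected parameter {name}"
        for value in values:
            if not POLICY[path][name].match(value):
                return False, f"parameter {name} violates policy"
            for sig_name, sig in SIGNATURES:
                if sig.search(value):
                    return False, f"{sig_name} signature in {name}"
    return True, "ok"

def inspect_response(body):
    """Outbound phase: returns the names of leakage patterns present in the body."""
    text = body.decode("utf-8", errors="replace")
    return [name for name, pat in LEAK_PATTERNS if pat.search(text)]

class PolicyLayer:
    """WSGI middleware: enforces POLICY and SIGNATURES on the request, LEAK_PATTERNS
    on the response, and appends an audit entry for each phase it runs."""
    def __init__(self, app, audit_log):
        self.app, self.audit_log = app, audit_log

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        if environ.get("REQUEST_METHOD") == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length).decode("utf-8", errors="replace")
            for name, values in parse_qs(body, keep_blank_values=True).items():
                params.setdefault(name, []).extend(values)
        allowed, reason = inspect_request(path, params)
        self.audit_log.append({"phase": "request", "path": path, "allowed": allowed, "reason": reason})
        if not allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by policy\n"]
        captured = {}  # buffer the backend response so the outbound phase sees it whole
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
        body = b"".join(self.app(environ, capture))
        leaks = inspect_response(body)
        self.audit_log.append({"phase": "response", "path": path, "leaks": leaks})
        if leaks:
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"response withheld by policy\n"]
        start_response(captured["status"], captured["headers"])
        return [body]

def demo_app(environ, start_response):
    """Hypothetical backend that leaks a traceback when asked to search for 'crash'."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    body = b"Traceback (most recent call last):\n  File ...\n" if q == "crash" else b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]

def send(layer, method, path, query="", body=""):
    """Drive the stack with a constructed request; returns (status, response body)."""
    raw = body.encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": BytesIO(raw)}
    result = {}
    def start_response(status, headers, exc_info=None):
        result["status"] = status
    out = b"".join(layer(environ, start_response))
    return result["status"], out

if __name__ == "__main__":
    log = []
    waf = PolicyLayer(demo_app, log)
    print(send(waf, "POST", "/login", body="user=alice&pw=' or '1'='1"))
    print(send(waf, "GET", "/search", query="q=crash"))
    for entry in log:
        print(entry)
```

Set against the glossary definition Ryan quotes, the two entries in SIGNATURES are the part an IPS appliance could also carry; the positive model keyed on parsed paths and parameters, the inspection of the response body, and the per-phase audit entries are what the draft definition adds, and the whole thing runs in-process as an application-layer filter with no intermediary device.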
Achim Hoffmann
Wed, Feb 23, 2011 1:53 PM

Am 23.02.2011 14:05, schrieb Ryan Barnett:
> On 2/23/11 4:23 AM, "Ivan Ristic" <ivan.ristic@gmail.com> wrote:
>> Yesterday I actually started writing one of the pages to establish a
>> template:
>>
>> https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF
>
> May I suggest that we create this wiki content on the wasc projects site?

I'd like to contribute to the wiki too, as I've already something about
"WAF and CSRF protections" prepared for an OWASP summit session which didn't
take place.

> Also - we may want to start from the top with WAFECv2 and re-define a
> definition for a web application firewall.  The definition on the WASC
> Glossary page
> (http://projects.webappsec.org/w/page/13246967/The-Web-Security-Glossary)
> could use some updating -
>
> "Web Application Firewall: An intermediary device, sitting between a
> web-client and a web server, analyzing OSI Layer-7 messages for violations
> in the programmed security policy. A web application firewall is used as a
> security device protecting the web server from attack."

There are so many definitions out there (IronBee actually uses a new word *SCNR*)
I guess this either becomes a lengthy discussion or a lengthy definition ...

> This does not mention software only WAF and is also narrowly focused on
> attack prevention.  As I mentioned in an earlier email, we need a
> definition that uniquely defines WAF.  Just by reading this current
> definition, IPS appliances would fit...

I agree that we should look at things like CSRFGuard, ESAPI and such too.
Does this make sense?

Achim

Ivan Ristic
Wed, Feb 23, 2011 3:02 PM

2011/2/23 Ryan Barnett <rcbarnett@gmail.com>:
> On 2/23/11 4:23 AM, "Ivan Ristic" <ivan.ristic@gmail.com> wrote:
>
>> On Wed, Feb 23, 2011 at 5:50 AM, Christian Heinrich
>> <christian.heinrich@cmlh.id.au> wrote:
>>> Ivan,
>>>
>>> On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic <ivan.ristic@gmail.com>
>>> wrote:
>>>> I am writing to this list because I expect there will be an overlap
>>>> between WAFEC and the documentation effort at IronBee. In the next
>>>> week or so we will start a new section on our wiki to enumerate all
>>>> the relevant attacks against web applications and then document what
>>>> web application firewalls can do to address them (with a view to
>>>> implement those defences in IronBee).
>>>>
>>>> We should perhaps include a copy of the wiki content in WAFEC itself.
>>>> After all, one of our goals would be helping end users to understand
>>>> what WAFs can and cannot do.
>>>
>>> Can I recommend that this be extended to ModSecurity (possibly
>>> completed by Ryan) so that a common benchmark can be established with
>>> the intent of this body of work possibly being reused by other WAF
>>> vendors?
>>
>> That's absolutely fine. Our only requirement is that any stuff that
>> gets put into IronBee is licensed under Apache Software License v2.
>>
>> Yesterday I actually started writing one of the pages to establish a
>> template:
>>
>> https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF
>
> May I suggest that we create this wiki content on the wasc projects site?

Sure -- provided the (WAFEC) team considers such content to be within
the scope of our work here.

Did I mention that the Best Practice: WAFs document already contains a
table that can be used as a starting point for this activity?

--
Ivan Ristić
