WASC Web Application Firewall Evaluation Criteria Project Mailing List
I would like to introduce to you IronBee, a new open source web
application firewall:
https://www.ironbee.com
https://www.ironbee.com/dl/ironbee-whitepaper.pdf
I am writing to this list because I expect there will be an overlap
between WAFEC and the documentation effort at IronBee. In the next
week or so we will start a new section on our wiki to enumerate all
the relevant attacks against web applications and then document what
web application firewalls can do to address them (with a view to
implement those defences in IronBee).
We should perhaps include a copy of the wiki content in WAFEC itself.
After all, one of our goals would be helping end users to understand
what WAFs can and cannot do.
I should also mention that we use a business-friendly Apache 2
licence, and that we will happily work with vendors (old or new).
--
Ivan Ristić
Ivan,
On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic ivan.ristic@gmail.com wrote:
> I am writing to this list because I expect there will be an overlap
> between WAFEC and the documentation effort at IronBee. In the next
> week or so we will start a new section on our wiki to enumerate all
> the relevant attacks against web applications and then document what
> web application firewalls can do to address them (with a view to
> implement those defences in IronBee).
> We should perhaps include a copy of the wiki content in WAFEC itself.
> After all, one of our goals would be helping end users to understand
> what WAFs can and cannot do.
Can I recommend that this be extended to ModSecurity (possibly
completed by Ryan) so that a common benchmark can be established with
the intent of this body of work possibly being reused by other WAF
vendors?
--
Regards,
Christian Heinrich
http://www.linkedin.com/in/ChristianHeinrich
Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au
On Wed, Feb 23, 2011 at 5:50 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:
> Ivan,
> On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic ivan.ristic@gmail.com wrote:
>> I am writing to this list because I expect there will be an overlap
>> between WAFEC and the documentation effort at IronBee. In the next
>> week or so we will start a new section on our wiki to enumerate all
>> the relevant attacks against web applications and then document what
>> web application firewalls can do to address them (with a view to
>> implement those defences in IronBee).
>> We should perhaps include a copy of the wiki content in WAFEC itself.
>> After all, one of our goals would be helping end users to understand
>> what WAFs can and cannot do.
> Can I recommend that this be extended to ModSecurity (possibly
> completed by Ryan) so that a common benchmark can be established with
> the intent of this body of work possibly being reused by other WAF
> vendors?
That's absolutely fine. Our only requirement is that any stuff that
gets put into IronBee is licensed under Apache Software License v2.
Yesterday I actually started writing one of the pages to establish a template:
https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF
> --
> Regards,
> Christian Heinrich
> http://www.linkedin.com/in/ChristianHeinrich
> Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
> SkypeID: cmlh.id.au
--
Ivan Ristić
On 2/23/11 4:23 AM, "Ivan Ristic" ivan.ristic@gmail.com wrote:
> On Wed, Feb 23, 2011 at 5:50 AM, Christian Heinrich
> christian.heinrich@cmlh.id.au wrote:
>> Ivan,
>> On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic ivan.ristic@gmail.com
>> wrote:
>>> I am writing to this list because I expect there will be an overlap
>>> between WAFEC and the documentation effort at IronBee. In the next
>>> week or so we will start a new section on our wiki to enumerate all
>>> the relevant attacks against web applications and then document what
>>> web application firewalls can do to address them (with a view to
>>> implement those defences in IronBee).
>>> We should perhaps include a copy of the wiki content in WAFEC itself.
>>> After all, one of our goals would be helping end users to understand
>>> what WAFs can and cannot do.
>> Can I recommend that this be extended to ModSecurity (possibly
>> completed by Ryan) so that a common benchmark can be established with
>> the intent of this body of work possibly being reused by other WAF
>> vendors?
> That's absolutely fine. Our only requirement is that any stuff that
> gets put into IronBee is licensed under Apache Software License v2.
> Yesterday I actually started writing one of the pages to establish a
> template:
> https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF
May I suggest that we create this wiki content on the wasc projects site?
Also - we may want to start from the top with WAFECv2 and re-define a
definition for a web application firewall. The definition on the WASC
Glossary page
(http://projects.webappsec.org/w/page/13246967/The-Web-Security-Glossary)
could use some updating -
"Web Application Firewall: An intermediary device, sitting between a
web-client and a web server, analyzing OSI Layer-7 messages for violations
in the programmed security policy. A web application firewall is used as a
security device protecting the web server from attack."
This does not mention software only WAF and is also narrowly focused on
attack prevention. As I mentioned in an earlier email, we need a
definition that uniquely defines WAF. Just by reading this current
definition, IPS appliances would fit...
Here is my first draft of an updated definition -
Web Application Firewall: A web traffic (HTTP(S)/XML) security policy
enforcement and auditing layer (intermediary device, web server plugin or
application layer filter) used to prevent both inbound attacks and
outbound data leakages.
-Ryan
>> --
>> Regards,
>> Christian Heinrich
>> http://www.linkedin.com/in/ChristianHeinrich
>> Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
>> SkypeID: cmlh.id.au
> --
> Ivan Ristić
> wasc-wafec mailing list
> wasc-wafec@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
On 23.02.2011 14:05, Ryan Barnett wrote:
> On 2/23/11 4:23 AM, "Ivan Ristic" ivan.ristic@gmail.com wrote:
>> Yesterday I actually started writing one of the pages to establish a
>> template:
>> https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF
> May I suggest that we create this wiki content on the wasc projects site?
I'd like to contribute to the wiki too, as I already have something about
"WAF and CSRF protections" prepared for an OWASP summit session which didn't
take place.
> Also - we may want to start from the top with WAFECv2 and re-define a
> definition for a web application firewall. The definition on the WASC
> Glossary page
> (http://projects.webappsec.org/w/page/13246967/The-Web-Security-Glossary)
> could use some updating -
> "Web Application Firewall: An intermediary device, sitting between a
> web-client and a web server, analyzing OSI Layer-7 messages for violations
> in the programmed security policy. A web application firewall is used as a
> security device protecting the web server from attack."
There are so many definitions out there (IronBee actually uses a new word, SCNR);
I guess this either becomes a lengthy discussion or a lengthy definition ...
> This does not mention software only WAF and is also narrowly focused on
> attack prevention. As I mentioned in an earlier email, we need a
> definition that uniquely defines WAF. Just by reading this current
> definition, IPS appliances would fit...
I agree that we should look at things like CSRFGuard, ESAPI and such too.
Does this make sense?
Achim
2011/2/23 Ryan Barnett rcbarnett@gmail.com:
> On 2/23/11 4:23 AM, "Ivan Ristic" ivan.ristic@gmail.com wrote:
>> On Wed, Feb 23, 2011 at 5:50 AM, Christian Heinrich
>> christian.heinrich@cmlh.id.au wrote:
>>> Ivan,
>>> On Tue, Feb 22, 2011 at 10:39 PM, Ivan Ristic ivan.ristic@gmail.com
>>> wrote:
>>>> I am writing to this list because I expect there will be an overlap
>>>> between WAFEC and the documentation effort at IronBee. In the next
>>>> week or so we will start a new section on our wiki to enumerate all
>>>> the relevant attacks against web applications and then document what
>>>> web application firewalls can do to address them (with a view to
>>>> implement those defences in IronBee).
>>>> We should perhaps include a copy of the wiki content in WAFEC itself.
>>>> After all, one of our goals would be helping end users to understand
>>>> what WAFs can and cannot do.
>>> Can I recommend that this be extended to ModSecurity (possibly
>>> completed by Ryan) so that a common benchmark can be established with
>>> the intent of this body of work possibly being reused by other WAF
>>> vendors?
>> That's absolutely fine. Our only requirement is that any stuff that
>> gets put into IronBee is licensed under Apache Software License v2.
>> Yesterday I actually started writing one of the pages to establish a
>> template:
>> https://github.com/ironbee/ironbee/wiki/Defending-against-CSRF
> May I suggest that we create this wiki content on the wasc projects site?
Sure -- provided the (WAFEC) team considers such content to be within
the scope of our work here.
Did I mention that the Best Practice: WAFs document already contains a
table that can be used as a starting point for this activity?
--
Ivan Ristić