OWASP - User contributions [en] (MediaWiki 1.27.2; feed generated 2024-03-28T09:36:26Z)
https://wiki.owasp.org/api.php?action=feedcontributions&user=Tony+Turner&feedformat=atom

WASC OWASP Web Application Firewall Evaluation Criteria Project
Revision of 2018-10-02T18:57:51Z by Tony Turner (edit summary: /* Presentations */)
https://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=243932
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], bringing together the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, to ensure WAFEC is comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (Rafael San Miguel Carrasco)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*June 2015 Project Reboot<br />
*September 2015 AppSecUSA Workshop<br />
*October 2018 Project Refresh<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by an active employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead it intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, since not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or where a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2017. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release, planned for after the 2.0 release.<br />
<br />
=Roadmap=<br />
<br />
===As of October 2018, the objectives are:===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline</s><br />
*<s>Begin document re-work</s><br />
*<s>Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Internal Testing</s><br />
*Conference presentation - delayed due to project team availability. Revisit in Q1 2017<br />
<br />
==Summer 2016-Fall 2018==<br />
<br />
*Period of Inactivity due to project team unavailability<br />
<br />
==Winter 2018==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments<br />
*New WAFEC sections:<br />
**Differences between WAFs and next-generation firewalls and intrusion prevention systems<br />
**Performance and reliability criteria<br />
**Anti-automation/anti-bot capabilities<br />
**Anti-fraud capabilities, credential theft<br />
**Threat intel/reputation capabilities<br />
**Hybrid and cloud deployment models (Diving into CDN technology would be useful)<br />
<br />
==Spring 2019==<br />
<br />
*Pre-release/Beta<br />
<br />
==Summer 2019==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) - Fortress Information Security<br />
*Sam Stepanyan (Co-Leader) - OWASP London<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou - TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt - Sentrix<br />
*Erwin Huber - Ergon<br />
*Mark Kraynak - Imperva<br />
*Raphael Chileshe - Radware<br />
*Ido Breger - F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - CDNetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
<br />
*Anshuman Singh, Barracuda Networks<br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=243931WASC OWASP Web Application Firewall Evaluation Criteria Project2018-10-02T18:56:36Z<p>Tony Turner: /* Mailing List */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for WAFs evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joined project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP] making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC] this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2017. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for post 3.0 release<br />
<br />
=Roadmap=<br />
<br />
===As of October 2018 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft<br />
*Internal Testing</s><br />
*Conference presentation - delayed due to project team availability. Revisit in Q1 2017<br />
<br />
==Summer 2016-Fall 2018==<br />
<br />
*Period of Inactivity due to project team unavailability<br />
<br />
==Winter 2018==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments <br />
*New WAFEC sections:<br />
**Differences between WAFs and next-generation firewalls and intrusion prevention systems<br />
**Performance and reliability criteria<br />
**Anti-automation/anti-bot capabilities<br />
**Anti-fraud capabilities, credential theft<br />
**Threat intel/reputation capabilities<br />
**Hybrid and cloud deployment models (Diving into CDN technology would be useful)<br />
<br />
==Spring 2019==<br />
<br />
*Pre-release/Beta<br />
<br />
==Summer 2019==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – Fortress Information Security<br />
*Sam Stepanyan (Co-Leader) - OWASP London<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich , Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=243930WASC OWASP Web Application Firewall Evaluation Criteria Project2018-10-02T18:55:15Z<p>Tony Turner: /* Winter 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for WAFs evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joined project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP] making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC] this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2017. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2017<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft<br />
*Internal Testing</s><br />
*Conference presentation - delayed due to project team availability. Revisit in Q1 2017<br />
<br />
==Summer 2016-Fall 2018==<br />
<br />
*Period of Inactivity due to project team unavailability<br />
<br />
==Winter 2018==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments <br />
*New WAFEC sections:<br />
**Differences between WAFs and next-generation firewalls and intrusion prevention systems<br />
**Performance and reliability criteria<br />
**Anti-automation/anti-bot capabilities<br />
**Anti-fraud capabilities, credential theft<br />
**Threat intel/reputation capabilities<br />
**Hybrid and cloud deployment models (Diving into CDN technology would be useful)<br />
<br />
==Spring 2019==<br />
<br />
*Pre-release/Beta<br />
<br />
==Summer 2019==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – Fortress Information Security<br />
*Sam Stepanyan (Co-Leader) - OWASP London<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_WAF]]</div>
Tony Turner
https://wiki.owasp.org/index.php?title=Orlando&diff=221846
Orlando 2016-09-27T15:53:01Z
<p>Tony Turner: /* OWASP Orlando Chapter Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Orlando|extra=The chapter was founded in August 2011 by Tony Turner and is currently led by [mailto:tony.turner@owasp.org Tony Turner] and [mailto:adrian.pastor@owasp.org Adrian Pastor].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-orlando|emailarchives=http://lists.owasp.org/pipermail/owasp-orlando}}<br />
<br />
==OWASP Orlando Officers==<br />
<br />
*Tony Turner - Chapter Leader and Chief Defender since 2011<br />
*Adrian Pastor - Chapter Co-Leader<br />
*Michael Felch - Chief Breaker<br />
*Jack Norman - Chief Builder<br />
*Willa Riggins - Marketing Coordinator and Prior Chapter Co-Leader 2012-2013<br />
<br />
==Past OWASP Orlando Officers==<br />
<br />
*Jon Singer - Prior Chapter Co-Leader 2013-2015<br />
<br />
== Meeting Registration == <br />
<br />
Please register for our meetings at https://www.meetup.com/OWASP-Orlando<br />
<br />
== OWASP Orlando Chapter Meetings ==<br />
<br />
<br />
'''Thursday 09/29 Social Meeting'''<br />
<br />
On 09/29, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away some OWASP swag.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately, or as late as people want to stay.<br />
<br />
We look forward to seeing you.<br />
<br />
== Meeting History ==<br />
<br />
== OWASP Orlando Chapter Meetings ==<br />
<br />
'''Thursday 08/25 Presentation Meeting'''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by HD Supply. Parking is free in the [https://goo.gl/maps/jgikdkWYB1D2 dirt lot] on the North side of Pine St.<br />
<br />
Advanced IDS Evasions Using Scapy - Sanders Diaz<br />
<br />
IDS evasion has been a problem for intrusion detection since the technology's infancy. Newer technologies such as Intrusion Prevention Systems, Unified Threat Management, and Next Generation firewalls have replaced the traditional IDS, but in doing so they inherited its weakness to evasion. In 2010, StoneSoft gave a BlackHat talk that restated the relevance of evasion techniques by introducing the Stacked IDS Evasion Technique. This technique takes previously known IDS evasion techniques and applies them simultaneously to successfully evade many class-leading products such as Palo Alto, Fortigate, Cisco ASA, and others. Since then, the leading vendors have implemented fixes for stacked evasions in later generations of their platforms, but academic studies have shown that stacked evasions still work, even if they are less effective. Furthermore, it is still possible to find outmoded devices both outside and inside the perimeter of organizations large and small. This talk aims to demonstrate the relevance of these techniques, offer instruction for applying them via scapy, and provide recommendations for how to cope with the problem.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
'''Thursday 07/28 Social Meeting'''<br />
<br />
''Note: this meeting was originally planned to be a presentation meeting but the speaker couldn't attend for personal reasons.''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by HD Supply. Parking is free in the [https://goo.gl/maps/jgikdkWYB1D2 dirt lot] on the North side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''Thursday 06/23 Presentation Meeting'''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by Darden Restaurants.<br />
<br />
Do AppSec Shortcuts Exist? - Greg Wolford<br />
<br />
As enterprises shift to continuous delivery and other DevOps innovations, the pressure is mounting to produce more secure software faster. Yet, according to SANS, less than 26% of organizations have mandated, ongoing secure coding education programs. Do shortcuts exist for improving the state of your application security program? Are some programming languages inherently more secure than others? What should design teams look for before starting their projects?<br />
<br />
This session will provide tangible steps addressing these issues based on benchmark data from actual code-level analysis of trillions of lines of code from applications submitted to Veracode’s cloud-based platform. Attendees will hear tips organized by programming language that will aid in planning for new application development as well as prioritizing assessment and remediation activities.<br />
<br />
Location Details<br><br />
Darden Restaurants<br><br />
1000 Darden Center Drive<br><br />
Orlando, FL 32837<br><br />
<br />
----<br />
<br />
'''Friday 05/13 Presentation Meeting'''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by HD Supply. Parking is free in the [https://goo.gl/maps/jgikdkWYB1D2 dirt lot] on the North side of Pine St.<br />
<br />
XXE: The Anatomy of an XML Attack, by Mike Felch.<br />
<br />
With XML being such a popular yet misunderstood file format, it's gained a lot of momentum as an exciting target for attackers. By default, XML's rich design creates a unique attack surface in applications which can pose problems when trying to mitigate. This talk will focus on one attack using external entities (XXE), which is plaguing mature applications from corporations like SAP, IBM, and Cisco to web applications within Yahoo, Google, and Facebook.<br />
<br />
While XXE attacks are not extremely new, they seem to have gone unnoticed by most developers. Depending on the programming language and version, XML may enable the ability to use external entities by default, which can create application-specific attack primitives such as local file reads, denial of service, or unauthenticated remote code execution.<br />
<br />
This presentation will briefly look at XML and how XXE is implemented, examine some real world attack payloads which leverage XXE to compromise web environments, and what developers can do to secure their applications. After the presentation, a vulnerable XXE application will be provided for attendees to exploit.<br />
<br />
By the end of the meeting, attendees will have a much deeper appreciation for XML and the security risks that come with not understanding how programming languages implement the underlying technology.<br />
<br />
Bio: Mike Felch is a senior pentester and security researcher with 18 years' experience in offensive security strategies. He holds no degree and no certifications, just raw experience.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
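As an added defensive illustration of the external-entity problem described in the abstract above (example code added here, not material from the talk or the chapter page): a small check, built only on the Python standard library's expat bindings, that refuses any document carrying a DOCTYPE or entity declaration before it reaches the application's parser. The sample documents and the placeholder SYSTEM URI are constructed.<br />

```python
# Added example (not from the talk or the chapter page): reject untrusted XML
# that declares a DTD or entities before an application parser ever sees it.
# Standard library only; the sample documents below are constructed.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def check_no_dtd(data: bytes) -> None:
    """Scan `data` with expat and raise UnsafeXML on the first DOCTYPE or
    entity declaration.

    External entities (XXE: local file reads, out-of-band requests) and
    entity-expansion DoS both need a DTD in which to declare their entities,
    so refusing the declaration closes those primitives regardless of how
    the downstream parser is configured. Nothing is resolved or expanded
    here: the handlers abort the scan as soon as a declaration appears.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root element {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid or pubid else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    # Defence in depth behind on_doctype: any entity declaration is refused.
    parser.EntityDeclHandler = on_entity_decl
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(data, True)


def is_safe_xml(data: bytes) -> bool:
    """True when the document declares no DTD/entities and is well formed."""
    try:
        check_no_dtd(data)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False
    return True


def parse_untrusted(data: bytes) -> ET.Element:
    """Gatekeeper: run the check, then hand the bytes to ElementTree."""
    check_no_dtd(data)
    return ET.fromstring(data)


# Constructed sample inputs (not taken from the page).
BENIGN = b"<?xml version='1.0'?><order><item sku='A1'>2</item></order>"

# External entity: the XXE shape. The SYSTEM URI is a placeholder and is never
# fetched, because the scan aborts at the DOCTYPE.
EXTERNAL_ENTITY = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/not-fetched'>]>"
    b"<order><item>&ext;</item></order>"
)

# Internal entities only: harmless at this size, but the same declaration
# mechanism is what entity-expansion DoS builds on, so it is refused too.
INTERNAL_ENTITY = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY a 'aaaaaaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
    b"<order><item>&b;</item></order>"
)


def demo() -> dict:
    """Run the check over the samples; returns {name: accepted?}."""
    return {
        "benign": is_safe_xml(BENIGN),
        "external_entity": is_safe_xml(EXTERNAL_ENTITY),
        "internal_entity": is_safe_xml(INTERNAL_ENTITY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```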
<br />
----<br />
<br />
'''Wednesday 04/13/2016 Presentation Meeting'''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by HD Supply. Parking is free in the [https://goo.gl/maps/jgikdkWYB1D2 dirt lot] on the North side of Pine St.<br />
<br />
iOS Automation Primitives by Mikhail "Mike" Sosonkin, [https://www.synack.com/company/rd/ SYNACK]<br />
<br />
From the user’s perspective Android and iOS are not too dissimilar. One is cheaper than the other and pretty much everyone makes their apps for both types of phones. However, from the security testing perspective things are very different. Android is open and has lots of standard mechanisms to assist with testing. On the other hand, iOS is closed and requires lots of non-standard methods for black box testing. The caveat is, of course, unless you own and control the build of the application, but that is not completely black box. If you do, then you can use any number of tools: Appium, Apple UI Automation, etc.<br />
<br />
This talk will cover reasons for why we constrain ourselves to this type of testing as well as various tools and techniques for instrumenting iOS apps to do UI automation. Specifically, we are constrained to no source code and no way to make a special build. The jailbreak community has developed many of these building blocks that if used in concert can provide for a powerful testing automation framework. This talk will also demonstrate a reference implementation of an extensible tool that brings all the primitives together to automate the testing of iOS applications.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''Thursday 02/18/2016 Social Meeting'''<br />
<br />
On 02/18, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away OWASP swag and books as trivia prizes.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately.<br />
<br />
For more details or to join our Meetup community, check out http://www.meetup.com/OWASP-Orlando/events/228782867/<br />
<br />
----<br />
<br />
'''Monday 01/18/2016 Training Meeting'''<br />
<br />
The meeting on 01/18 will consist of a secure programming workshop which will be kindly delivered by Jim Manico. The workshop will start at noon, and end at 5 PM approximately.<br />
<br />
The location for our Jan 18 training meeting will be the following:<br />
<br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''Thursday 01/07/2016 Social Meeting'''<br />
<br />
On 01/07, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away OWASP swag and books as trivia prizes.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately.<br />
<br />
----<br />
<br />
'''2015 Meeting November 19'''<br />
<br />
If you are in Orlando on Thursday November 19th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll be conducting a roundtable style discussion of topics of interest such as:<br />
<br />
*Static vs Dynamic Testing (perhaps IAST too)<br />
*Web App Firewalls vs Runtime Application Security Protection vs fixing vulnerable code<br />
*Other topics - if you have one you'd like to see covered email the leaders<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7.30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''2015 Meeting October 29'''<br />
<br />
If you are in Orlando on Thursday October 29th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll have two amazing presentations on reverse-engineering Android applications and attacking cryptographic libraries.<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7.30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
Guest Speakers<br />
<br />
Reverse Engineering Android Applications for Pride and Glory - Ben Watson<br />
<br />
This presentation will serve as an introduction for those who want to dive into the art of reverse engineering Android applications and firmware. We will explore the inner workings of the Android architecture, traverse the landscape of reverse engineering tools and techniques, and propose some practical methodologies and workflows for all your bug hunting needs. <br />
<br />
Ben Watson has over 7 dedicated years in application and mobile security. Prior to joining GuidePoint Security, Ben was solving mobile and application security problems for cutting edge companies in the financial services, eCommerce, and medical industries. Ben has often been sought after for building application security programs from the ground up, due to his experience not only in developing testing methodologies, tools, and techniques, but also his understanding of and perspective on what it takes to build secure products. Ben has managed and led efforts in large mobile application security service initiatives, and is also an experienced mobile security researcher. He currently focuses his efforts on discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero day vulnerabilities affecting various Android web browsers, and is the creator and curator of the Android assessment toolkit called Lobotomy.<br />
<br />
Do Your Own Highly Successful Five-minute Cryptography Evaluations - Scott Arciszewski<br />
<br />
From web frameworks to encrypted chat applications to contactless smartcards, our industry is filled with people who deploy home-grown cryptography. The result of this choice is usually catastrophic. Even if you're using good primitives from well-studied libraries, how you utilize them can completely defeat the security they provide. Clearly, rolling your own cryptography is a bad idea; but how do you assess the libraries that others have written? The following implementations will be scrutinized:<br />
<br />
*OpenCart's Encryption library (ECB mode, no MAC)<br />
*Tutanota's messaging app (CBC mode without a MAC)<br />
*Mifare Classic's Proprietary Stream Cipher (aside from the 48-bit key, this cipher is incredibly unsound)<br />
*Defuse Security's PHP Encryption Library (safe, for reasons I will explain)<br />
*Libsodium - crypto_box() (safe, for reasons I will explain)<br />
<br />
Before winning the password hashing category of the Underhanded Crypto Contest at the Crypto & Privacy Village at DEFCON this year, Scott spent years studying how to make real-world cryptosystems fail in useful ways for attackers, from timing side-channels to padding oracles and random number generator failures. Scott leads the software development efforts for, and audits clients' cryptography products on behalf of, the Orlando-based technology consulting firm, Paragon Initiative Enterprises.<br />
<br />
----<br />
<br />
'''Q4 2014 Meeting November 12'''<br />
<br />
We will be holding our Q4 meeting on Wednesday, November 12th at The University of Central Florida, main campus.<br><br />
There is NO cost to attend. Refreshments and snacks are provided by HeroiSec. Location Provided by University of Central Florida.<br />
<br />
Guest Speakers<br />
<br />
Blog like a hacker - Vikram Dhillon<br><br />
People just entering information security have a tough path ahead to become established and well-known. One major tool that almost all well known security analysts have is a blog where they reach out to their audience. Getting a blog on a popular CMS platform is easy and of course great and all, but you can't show your own skills off. Enter Jekyll: a blog written from scratch where you can show off your own development skills. Most developers are using their own styling along with various plugins combined in this Ruby-based tool to show off how they can blog like a hacker. This session will be a walkthrough of how to blog using Jekyll. I will showcase what the finished project looks like, how to get started with one, the structure of the app and finally how to extend the blog you've created with your own imagination.<br />
<br />
Technological Telekinesis: Become One with the Force (aka Art, Gadgets and Tech) - Nathan Selikoff<br><br />
Witness how objects and digital worlds can be manipulated without any direct contact. You never see a Jedi with a keyboard or a touchscreen, do you? Why be tethered when you can freely express yourself? With a low-cost input device, a laptop, and a bit of programming know-how, you can capture a flick of the wrist or an all out dance routine. What you do from there is only limited by your imagination. Kinect yourself and Leap into the future! Nathan Selikoff is an artist and programmer who plays with interactivity and motion in time and space. Inspired by the behavior of systems, science, nature, and music, he combines computer code, traditional materials, and future technology to bring new ideas to life.<br />
<br />
Schedule<br />
<br />
6:00PM - 6:15 Arrive at UCF[[File:ORLMAP.png|right]]<br />
<br />
6:15 - 7:00 Blog like a hacker - Vikram Dhillon<br />
<br />
7:00 - 7:10 Short break for refreshments and questions<br />
<br />
7:10 - 7:55 Technological Telekinesis - Nathan Selikoff<br />
<br />
7:55 - 8:00 Questions and closing remarks<br />
<br />
8:00 - ? World of Beer social gathering (21+)<br />
<br />
Location Details<br><br />
UCF Teaching Academy[https://www.google.com/maps/place/Teaching+Academy]<br><br />
Room 117<br><br />
4221 Andromeda Loop N<br><br />
Orlando, FL 32816<br />
<br />
Parking Details<br><br />
Garage A<br><br />
University Blvd.<br />
<br />
----<br />
<br />
'''Q2 2014 May 12 Secure Coding Training'''<br />
<br />
We will be holding a midday 4 hour training on secure application development led by Jim Manico. This workshop is an abridged version of the following course:<br />
<br />
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.<br />
<br />
As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API's from various languages and frameworks that provide production quality and scalable security controls.<br />
<br />
This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications, webservices or mobile applications will benefit.<br />
<br />
Jim Manico is a member of the OWASP Board and currently manages many OWASP projects including the cheatsheet series. He also runs Manicode Security where he specializes in application security training<br />
<br />
Training location<br><br />
IST Partnership 2<br><br />
2nd Floor Room 208<br><br />
3100 Technology Parkway<br><br />
Orlando, FL 32826<br />
<br />
The parking lot will (most likely) be full.<br />
<br />
You can also park across the street at:<br><br />
College of Nursing Address:<br><br />
12201 Research Parkway,<br><br />
Orlando, FL 32826<br />
<br />
----<br />
<br />
'''Q4 2013 October 30 Meeting'''<br />
<br />
OWASP Orlando is holding a social event for Q3/4 with complimentary wings and beer at Buffalo Wild Wings. We'd like to welcome you out to talk about web app security, upcoming events, Central FL infosec and other topics of note. There is no formal agenda, just show up, eat food, drink beer and hang out! We do have a limited budget for this event and expect we should have enough for the first couple of hours, but if turnout is much greater than anticipated, or folks want to stay later, we may have to switch to a non-free model at some point in the evening. Please register for this event so we can get an accurate count of who will be coming and an idea of cost.<br />
<br />
Topics of interest:<br />
<br />
*AppSecUSA conference in NYC (Nov 17-21)<br />
*B-Sides Orlando conference (April 5-6)<br />
*Chapter Outreach Opportunities (We recently presented for ISACA)<br />
*Other CFL Infosec groups (Some new groups, some old. We want to work with you!)<br />
*Cool projects you are working on<br />
*Beer<br />
<br />
There is NO cost to attend, but if you are interested in donating or joining the chapter please contact me at tony.turner@owasp.org<br />
<br />
We do not currently have sponsorship for this event, if you are interested please do not hesitate to contact us.<br />
<br />
http://goo.gl/N5TRrw<br />
<br />
----<br />
<br />
'''Q2 2013 Meeting June 26'''<br />
<br />
Our Q2 meeting for 2013 will be a bit of a change in pace. Due to chapter demand for more hands on content, we are holding a Web App Hacking Workshop. You will need to bring a laptop with VMware Workstation or Player (free) installed. We will provide the VM. As always we will have our AppSec Trivia Contest and we have some OWASP hardcopy books for Testing Guide, Code Review Guide and Top 10 to give away as prizes.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "Web App Hacking Workshop with Mutillidae" Facilitated by Tony Turner<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br><br />
11551 University Blvd Suite 2<br><br />
Orlando, FL 32817<br />
<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q1 2013 Meeting February 13'''<br />
<br />
We are kicking off Q1 of 2013 by going back to the basics. Chapter leadership will be delivering coverage of the OWASP Top 10, with examples and ways you can help reduce your exposure. As always we will have our AppSec Trivia Contest and we have some OWASP hardcopy books for Testing Guide, Code Review Guide and Top 10 to give away as prizes.<br />
<br />
We have also changed our venue to Cloudspace who have graciously allowed us to use their space. UCF Medical College, while a great facility was a bit far for some folks to drive so we hope this will work out better for everyone.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "OWASP Top 10" - Tony Turner and William Riggins<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br><br />
11551 University Blvd Suite 2<br><br />
Orlando, FL 32817<br><br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q3 2012 Meeting September 12'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "An Insider's Look: WAF and Identity and Access Management Integration" - Jan Poczobutt, Director of Enterprise ADC & WAF Sales at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can successfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Don't Drop the SOAP: Real World Web Service Testing for Web Hackers" - Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.<br />
<br />
In this presentation Kevin Johnson will discuss the new security issues with web services and discuss an updated web service testing methodology released at defcon 19 last year that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques. <br />
<br />
*Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD, a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.<br />
<br />
Twitter: @secureideas<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q2 2012 Meeting May 15'''<br />
<br />
The theme for Q2 is Mobile Security<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "Practical Android Security" - Jack Mannino<br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Application Firewalling in the Age of Mobile: New Considerations" - Stephen Mak<br />
:With mobile application development on a rapid rise, it is important to understand the security risks associated with externally published APIs. This talk will discuss the similarities and differences of risks posed by browser-based web applications and mobile applications.<br />
<br />
*Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education. <br />
*Stephen Mak is the Product Manager for the Layer 7 SecureSpan Gateway, and has over 10 years product management experience in the enterprise application software industry. <br />
<br />
Refreshments will be provided at the event and have been donated by Fishnet Security.<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q1 2012 Meeting February 22'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "OWASP Where are we... Where are we going in 2012" - Tom Brennan<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "XSS Defense" - Jim Manico<br />
:This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg.<br />
<br />
8:00 - ? After event social gathering - Cariera's<br />
<br />
*Tom Brennan is a Director at Spiderlabs/Trustwave, an OWASP Global Board Member and Chapter Leader for OWASP NY/NJ Metro. <br />
*Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series. <br />
<br />
Refreshments donated by Security Innovation.<br />
<br />
University of Central Florida provided meeting space at the Medical College campus. <br />
<br />
----<br />
<br />
Inaugural Meeting October 19, 2011 6:30 PM at Seasons 52<br />
<br />
We will be holding our first meeting on October 19 for an informal gathering of those interested in the OWASP mission. This is a chance to get to know the other members of the chapter and engage in the initial dialogue that will drive the direction of the group. We want to know what kinds of technologies you use or are interested in learning about, the challenges you are facing in your daily work, and get a sense of the types of content you want to see at future meetings. I will bring some copies of various OWASP guides and possibly some other OWASP swag to this initial meeting. We will be covering the OWASP mission, culture, and a high-level view of OWASP projects. The format for this meeting will largely be discussion oriented. This is not currently a sponsored event, but we do have interested parties asking about sponsorship opportunities, so this may change.<br />
<br />
== Presentation Archive ==<br />
<br />
[https://www.owasp.org/images/a/a3/AppSec_Shortcuts.pdf Do AppSec Shortcuts Exist?] - Greg Wolford Q2 2016<br />
<br />
[https://www.owasp.org/images/3/30/XXE_-_The_Anatomy_of_an_XML_Attack_-_Mike_Felch.pdf XXE: The Anatomy of an XML Attack] - Mike Felch Q2 2016<br />
<br />
[https://www.owasp.org/images/3/3f/Owasporlandoapril132016-160414185141.pdf iOS Automation Primitives] - Mikhail "Mike" Sosonkin Q2 2016<br />
<br />
[https://www.owasp.org/images/3/3f/OWASP_Top_10_-_Deep_Dive_-_Code.pptx OWASP Top 10 with Code Examples] - Slides by Bill Riggins, Co-Presented with Tony Turner Orlando Q1 2013<br />
<br />
[https://owasp.org/images/e/ee/Orlando_OWASP_WAF_and_IAM_Integration_92012_v2.pptx Web Application Firewalls and Identity and Access Management Integration] - Jan Poczobutt Orlando Q3 2012<br />
<br />
[https://owasp.org/images/2/2e/Orlando_OWASP_-_RealWorldWebServiceTesting.pptx Don't Drop the Soap: Real World Web Service Testing for Web Hackers] - Kevin Johnson Orlando Q3 2012<br />
<br />
Practical Android Security - Jack Mannino Orlando Q2 2012<br />
<br />
[https://owasp.org/images/7/7f/OWASP_Orlando_20120515_App_Fw_age_of_mobile.pdf Application Firewalling in the Age of Mobile: New Considerations] - Stephen Mak Orlando Q2 2012<br />
<br />
[https://www.owasp.org/images/6/60/2012Whereweare..Wherearewegoing.pptx OWASP Where are we... Where are we going in 2012] - Tom Brennan Orlando Q1 2012<br />
<br />
[https://www.owasp.org/images/c/ce/Access_Control_Pitfalls_v1.1.pptx Access Control Pitfalls] - Jim Manico Orlando Q1 2012 (Optional 2nd talk not delivered at chapter meeting)<br />
<br />
[https://www.owasp.org/images/e/e8/XSS_Past_Present_and_Future_v2.pptx XSS Past Present and Future v2] - Jim Manico Orlando Q1 2012<br />
<br />
== Chapter Information ==<br />
<br />
OWASP Orlando was newly formed as of August 2011. The first meeting was held on October 19, 2011 and was designed largely as a social event to bring new members together. After this initial informal meeting we are continuing with quarterly meetings focused on content that attendees can apply within their own environments at minimal or no cost to their organizations. We do not tolerate vendor-centric presentations, but we do encourage vendors to present as long as they keep their marketing attempts to a minimum and focus on the underlying issues and technology. Typically we have two speakers with topics designed to meet the needs of the Builder, Breaker and Defender communities, and as of April 2012 we have continued to meet this commitment. Keep watching this space for announcements about upcoming events. If you are interested in being a speaker or taking a more active leadership role within the chapter, please contact the chapter leaders at the link above. Everyone is welcome to join us at our chapter meetings. We track membership based on participation in the mailing list linked on this page, and this will be the primary means of communication for the chapter. We also have a LinkedIn group at http://goo.gl/BB9fu<br />
<br />
== Supporters ==<br />
<br />
;[https://www.owasp.org/index.php/Membership For information on becoming a supporter and associated benefits]<br />
<br />
'''Organizational Supporters'''<br />
<br />
[[Image:symantec1.jpg|link=http://www.symantec.com/|Symantec Corporation - 2012]]<br />
<br />
----<br />
<br />
'''Chapter Supporters'''<br />
<br />
[[Image:cloudspace_logo.png|link=http://cloudspace.com/|Cloudspace Venue Sponsor - OWASP Orlando 2013]]<br />
<br />
----<br />
<br />
'''Single Meeting Supporters'''<br />
<br />
[[Image:Securityinnovation.png|link=http://www.securityinnovation.com/|Security Innovation - OWASP Orlando Q1 2012]]<br />
[[Image:Fishnetlogo.png|link=http://www.fishnetsecurity.com/|Fishnet Security - OWASP Orlando Q2 2012]]<br />
<br />
----<br />
<br />
'''Academic Supporters'''<br />
<br />
[[Image:Ucf_medcollege.png|link=http://med.ucf.edu/|UCF College of Medicine - OWASP Orlando Q1-Q2 2012]]<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Florida]]<br />
[[Category:Orlando]]<br />
[[Category:OWASP_Chapter]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=Orlando&diff=221845Orlando2016-09-27T15:52:21Z<p>Tony Turner: /* OWASP Orlando Chapter Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Orlando|extra=The chapter was founded in August 2011 by Tony Turner and is currently led by [mailto:tony.turner@owasp.org Tony Turner] and [mailto:adrian.pastor@owasp.org Adrian Pastor].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-orlando|emailarchives=http://lists.owasp.org/pipermail/owasp-orlando}}<br />
<br />
==OWASP Orlando Officers==<br />
<br />
*Tony Turner - Chapter Leader and Chief Defender since 2011<br />
*Adrian Pastor - Chapter Co-Leader<br />
*Michael Felch - Chief Breaker<br />
*Jack Norman - Chief Builder<br />
*Willa Riggins - Marketing Coordinator and Prior Chapter Co-Leader 2012-2013<br />
<br />
==Past OWASP Orlando Officers==<br />
<br />
*Jon Singer - Prior Chapter Co-Leader 2013-2015<br />
<br />
== Meeting Registration == <br />
<br />
Please register for our meetings at https://www.meetup.com/OWASP-Orlando<br />
<br />
== OWASP Orlando Chapter Meetings ==<br />
<br />
<br />
'''Thursday 09/29 Social Meeting'''<br />
<br />
On 09/29, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away some OWASP swag.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately, or as late as people want to stay.<br />
<br />
We look forward to seeing you.<br />
<br />
== Meeting History ==<br />
<br />
== OWASP Orlando Chapter Meetings ==<br />
<br />
'''Thursday 07/28 Social Meeting'''<br />
<br />
''Note: this meeting was originally planned to be a presentation meeting but the speaker couldn't attend for personal reasons.''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by HD Supply. Parking is free in the [https://goo.gl/maps/jgikdkWYB1D2 dirt lot] on the North side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''Thursday 06/23 Presentation Meeting'''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by Darden Restaurants.<br />
<br />
Do AppSec Shortcuts Exist? - Greg Wolford<br />
<br />
As enterprises shift to continuous delivery and other DevOps innovations, the pressure is mounting to produce more secure software faster. Yet, according to SANS, fewer than 26% of organizations have mandated, ongoing secure coding education programs. Do shortcuts exist for improving the state of your application security program? Are some programming languages inherently more secure than others? What should design teams look for before starting their projects?<br />
<br />
This session will provide tangible steps addressing these issues based on benchmark data from actual code-level analysis of trillions of lines of code from applications submitted to Veracode’s cloud-based platform. Attendees will hear tips organized by programming language that will aid in planning for new application development as well as in prioritizing assessment and remediation activities.<br />
<br />
Location Details<br><br />
Darden Restaurants<br><br />
1000 Darden Center Drive<br><br />
Orlando, FL 32837<br><br />
<br />
----<br />
<br />
'''Friday 05/13 Presentation Meeting'''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by HD Supply. Parking is free in the [https://goo.gl/maps/jgikdkWYB1D2 dirt lot] on the North side of Pine St.<br />
<br />
XXE: The Anatomy of an XML Attack, by Mike Felch.<br />
<br />
With XML being such a popular yet misunderstood file format, it has gained a lot of momentum as an exciting target for attackers. By default, XML's rich design creates a unique attack surface in applications, which can pose problems when trying to mitigate. This talk will focus on one attack using external entities (XXE), which is plaguing mature applications from corporations like SAP, IBM, and Cisco to web applications within Yahoo, Google, and Facebook.<br />
<br />
While XXE attacks are not extremely new, they seem to have gone unnoticed by most developers. Depending on the programming language and version, XML parsers may enable the use of external entities by default, which can create application-specific attack primitives such as local file reads, denial of service, or unauthenticated remote code execution.<br />
<br />
This presentation will briefly look at XML and how XXE is implemented, examine some real-world attack payloads which leverage XXE to compromise web environments, and discuss what developers can do to secure their applications. After the presentation, a vulnerable XXE application will be provided for attendees to exploit.<br />
<br />
By the end of the meeting, attendees will have a much deeper appreciation for XML and the security risks that come with not understanding how programming languages implement the underlying technology.<br />
<br />
Bio: Mike Felch is a senior pentester and security researcher with 18 years' experience in offensive security strategies. He holds no degree and no certifications, just raw experience.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''Wednesday 04/13/2016 Presentation Meeting'''<br />
<br />
The meeting is free to attend and will take place from 5 to 7 PM. ''Free food and drinks will be provided!'' Meeting facilities will be kindly provided by HD Supply. Parking is free in the [https://goo.gl/maps/jgikdkWYB1D2 dirt lot] on the North side of Pine St.<br />
<br />
iOS Automation Primitives by Mikhail "Mike" Sosonkin, [https://www.synack.com/company/rd/ SYNACK]<br />
<br />
From the user’s perspective, Android and iOS are not too dissimilar: one is cheaper than the other, and pretty much everyone makes their apps for both types of phones. From the security testing perspective, however, things are very different. Android is open and has lots of standard mechanisms to assist with testing. iOS, on the other hand, is closed and requires lots of non-standard methods for black-box testing. The caveat, of course, is the case where you own and control the build of the application, but that is not completely black box; if you do, you can use any number of tools such as Appium or Apple UI Automation.<br />
<br />
This talk will cover the reasons why we constrain ourselves to this type of testing, as well as various tools and techniques for instrumenting iOS apps to do UI automation. Specifically, we are constrained to no source code and no way to make a special build. The jailbreak community has developed many of these building blocks, which, if used in concert, can provide a powerful testing automation framework. This talk will also demonstrate a reference implementation of an extensible tool that brings all the primitives together to automate the testing of iOS applications.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''Thursday 02/18/2016 Social Meeting'''<br />
<br />
On 02/18, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away OWASP swag and books as trivia prizes.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately.<br />
<br />
For more details or to join our Meetup community, check out http://www.meetup.com/OWASP-Orlando/events/228782867/<br />
<br />
----<br />
<br />
'''Monday 01/18/2016 Training Meeting'''<br />
<br />
The meeting on 01/18 will consist of a secure programming workshop which will be kindly delivered by Jim Manico. The workshop will start at noon, and end at 5 PM approximately.<br />
<br />
The location for our Jan 18 training meeting will be the following:<br />
<br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''Thursday 01/07/2016 Social Meeting'''<br />
<br />
On 01/07, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away OWASP swag and books as trivia prizes.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately.<br />
<br />
----<br />
<br />
'''2015 Meeting November 19'''<br />
<br />
If you are in Orlando on Thursday November 19th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll be conducting a roundtable style discussion of topics of interest such as:<br />
<br />
*Static vs Dynamic Testing (perhaps IAST too)<br />
*Web App Firewalls vs Runtime Application Security Protection vs fixing vulnerable code<br />
*Other topics - if you have one you'd like to see covered email the leaders<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7:30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''2015 Meeting October 29'''<br />
<br />
If you are in Orlando on Thursday October 29th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll have two amazing presentations on reverse-engineering Android applications and attacking cryptographic libraries.<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7:30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
Guest Speakers<br />
<br />
Reverse Engineering Android Applications for Pride and Glory - Ben Watson<br />
<br />
This presentation will serve as an introduction for those who want to dive into the art of reverse engineering Android applications and firmware. We will explore the inner workings of the Android architecture, traverse the landscape of reverse engineering tools and techniques, and propose some practical methodologies and workflows for all your bug hunting needs. <br />
<br />
Ben Watson has over 7 dedicated years in application and mobile security. Prior to joining GuidePoint Security, Ben solved mobile and application security problems for cutting-edge companies in the financial services, eCommerce, and medical industries. Ben has often been sought after for building application security programs from the ground up, due to his experience not only in developing testing methodologies, tools, and techniques, but also in his understanding of and perspective on what it takes to build secure products. Ben has managed and led large mobile application security service initiatives, and is also an experienced mobile security researcher. He currently focuses his efforts on discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero-day vulnerabilities affecting various Android web browsers, and is the creator and curator of the Android assessment toolkit called Lobotomy.<br />
<br />
Do Your Own Highly Successful Five-minute Cryptography Evaluations - Scott Arciszewski<br />
<br />
From web frameworks to encrypted chat applications to contactless smartcards, our industry is filled with people who deploy home-grown cryptography. The result of this choice is usually catastrophic. Even if you're using good primitives from well-studied libraries, how you utilize them can completely defeat the security they provide. Clearly, rolling your own cryptography is a bad idea; but how do you assess the libraries that others have written? The following implementations will be scrutinized:<br />
<br />
*OpenCart's Encryption library (ECB mode, no MAC)<br />
*Tutanota's messaging app (CBC mode without a MAC)<br />
*Mifare Classic's Proprietary Stream Cipher (aside from the 48-bit key, this cipher is incredibly unsound)<br />
*Defuse Security's PHP Encryption Library (safe, for reasons I will explain)<br />
*Libsodium - crypto_box() (safe, for reasons I will explain)<br />
<br />
Before winning the password hashing category of the Underhanded Crypto Contest at the Crypto & Privacy Village at DEFCON this year, Scott spent years studying how to make real-world cryptosystems fail in ways useful to attackers, from timing side-channels to padding oracles and random number generator failures. Scott leads the software development efforts for, and audits clients' cryptography products on behalf of, the Orlando-based technology consulting firm Paragon Initiative Enterprises.<br />
<br />
----<br />
<br />
'''Q4 2014 Meeting November 12'''<br />
<br />
We will be holding our Q4 meeting on Wednesday, November 12th at The University of Central Florida, main campus.<br><br />
There is NO cost to attend. Refreshments and snacks are provided by HeroiSec. Location Provided by University of Central Florida.<br />
<br />
Guest Speakers<br />
<br />
Blog like a hacker - Vikram Dhillon<br><br />
People just entering information security have a tough path ahead to become established and well known. One major tool that almost all well-known security analysts have is a blog where they reach out to their audience. Getting a blog on a popular CMS platform is easy and of course great and all, but you can't show your own skills off. Enter Jekyll: a blog written from scratch where you can show off your own development skills. Most developers use their own styling along with various plugins combined in this Ruby-based tool to show off how they can blog like a hacker. This session will be a walkthrough of how to blog using Jekyll. I will showcase what the finished project looks like, how to get started with one, the structure of the app, and finally how to extend the blog you've created with your own imagination.<br />
<br />
Technological Telekinesis: Become One with the Force (aka Art, Gadgets and Tech) - Nathan Selikoff<br><br />
Witness how objects and digital worlds can be manipulated without any direct contact. You never see a Jedi with a keyboard or a touchscreen, do you? Why be tethered when you can freely express yourself? With a low-cost input device, a laptop, and a bit of programming know-how, you can capture a flick of the wrist or an all out dance routine. What you do from there is only limited by your imagination. Kinect yourself and Leap into the future! Nathan Selikoff is an artist and programmer who plays with interactivity and motion in time and space. Inspired by the behavior of systems, science, nature, and music, he combines computer code, traditional materials, and future technology to bring new ideas to life.<br />
<br />
Schedule<br />
<br />
6:00PM - 6:15 Arrive at UCF[[File:ORLMAP.png|right]]<br />
<br />
6:15 - 7:00 Blog like a hacker - Vikram Dhillon<br />
<br />
7:00 - 7:10 Short break for refreshments and questions<br />
<br />
7:10 - 7:55 Technological Telekinesis - Nathan Selikoff<br />
<br />
7:55 - 8:00 Questions and closing remarks<br />
<br />
8:00 - ? World of Beer social gathering (21+)<br />
<br />
Location Details<br><br />
UCF Teaching Academy[https://www.google.com/maps/place/Teaching+Academy]<br><br />
Room 117<br><br />
4221 Andromeda Loop N<br><br />
Orlando, FL 32816<br />
<br />
Parking Details<br><br />
Garage A<br><br />
University Blvd.<br />
<br />
----<br />
<br />
'''Q2 2014 May 12 Secure Coding Training'''<br />
<br />
We will be holding a midday 4 hour training on secure application development led by Jim Manico. This workshop is an abridged version of the following course:<br />
<br />
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.<br />
<br />
As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API's from various languages and frameworks that provide production quality and scalable security controls.<br />
<br />
This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications, webservices or mobile applications will benefit.<br />
<br />
Jim Manico is a member of the OWASP Board and currently manages many OWASP projects, including the cheatsheet series. He also runs Manicode Security, where he specializes in application security training.<br />
<br />
Training location<br><br />
IST Partnership 2<br><br />
2nd Floor Room 208<br><br />
3100 Technology Parkway<br><br />
Orlando, FL 32826<br />
<br />
The parking lot will (most likely) be full <br />
<br />
You can also park across the street at:<br><br />
College of Nursing Address:<br><br />
12201 Research Parkway,<br><br />
Orlando, FL 32826<br />
<br />
----<br />
<br />
'''Q4 2013 October 30 Meeting'''<br />
<br />
OWASP Orlando is holding a social event for Q3/4 with complimentary wings and beer at Buffalo Wild Wings. We'd like to welcome you out to talk about web app security, upcoming events, Central FL infosec and other topics of note. There is no formal agenda; just show up, eat food, drink beer and hang out! We do have a limited budget for this event and expect we should have enough for the first couple of hours, but if turnout is much greater than anticipated, or folks want to stay later, we may have to switch to a non-free model at some point in the evening. Please register for this event so we can get an accurate count of who will be coming and an idea of cost.<br />
<br />
Topics of interest:<br />
<br />
*AppSecUSA conference in NYC (Nov 17-21)<br />
*B-Sides Orlando conference (April 5-6)<br />
*Chapter Outreach Opportunities (We recently presented for ISACA)<br />
*Other CFL Infosec groups (Some new groups, some old. We want to work with you!)<br />
*Cool projects you are working on<br />
*Beer<br />
<br />
There is NO cost to attend, but if you are interested in donating or joining the chapter please contact me at tony.turner@owasp.org<br />
<br />
We do not currently have sponsorship for this event; if you are interested, please do not hesitate to contact us.<br />
<br />
http://goo.gl/N5TRrw<br />
<br />
----<br />
<br />
'''Q2 2013 Meeting June 26'''<br />
<br />
Our Q2 meeting for 2013 will be a bit of a change of pace. Due to chapter demand for more hands-on content, we are holding a Web App Hacking Workshop. You will need to bring a laptop with VMware Workstation or Player (free) installed. We will provide the VM. As always we will have our AppSec Trivia Contest, and we have some OWASP hardcopy books (Testing Guide, Code Review Guide and Top 10) to give away as prizes.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "Web App Hacking Workshop with Mutillidae" Facilitated by Tony Turner<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event, but refreshments will be provided. If you are interested in sponsoring, please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br />
11551 University Blvd Suite 2<br />
Orlando, FL 32817<br />
<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q1 2013 Meeting February 13'''<br />
<br />
We are kicking off Q1 of 2013 by going back to the basics. Chapter leadership will be delivering coverage of the OWASP Top 10, with examples and ways you can help reduce your exposure. As always we will have our AppSec Trivia Contest, and we have some OWASP hardcopy books (Testing Guide, Code Review Guide and Top 10) to give away as prizes.<br />
<br />
We have also changed our venue to Cloudspace, who have graciously allowed us to use their space. UCF Medical College, while a great facility, was a bit far for some folks to drive, so we hope this will work out better for everyone.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "OWASP Top 10" - Tony Turner and William Riggins<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event, but refreshments will be provided. If you are interested in sponsoring, please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br />
11551 University Blvd Suite 2<br />
Orlando, FL 32817<br />
<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q3 2012 Meeting September 12'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "An Insider's Look: WAF and Identity and Access Management Integration" - Jan Poczobutt, Director of Enterprise ADC & WAF Sales at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can successfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Don't Drop the SOAP: Real World Web Service Testing for Web Hackers" - Kevin Johnson. Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real-world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home-grown solutions or, worse yet, production environments.<br />
<br />
In this presentation Kevin Johnson will discuss the new security issues with web services, an updated web service testing methodology released at DEFCON 19 last year that will be integrated into the OWASP Testing Guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.<br />
<br />
*Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD, a live environment focused on web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.<br />
<br />
Twitter: @secureideas<br />
<br />
We do not currently have a sponsor for this event, but refreshments will be provided. If you are interested in sponsoring, please contact tony.turner@owasp.org<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q2 2012 Meeting May 15'''<br />
<br />
The theme for Q2 is Mobile Security<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "Practical Android Security" - Jack Mannino<br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Application Firewalling in the Age of Mobile: New Considerations" - Stephen Mak<br />
:With mobile application development on a rapid rise, it is important to understand the security risks associated with externally published APIs. This talk will discuss the similarities and differences of risks posed by browser-based web applications and mobile applications.<br />
<br />
*Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education. <br />
*Stephen Mak is the Product Manager for the Layer 7 SecureSpan Gateway, and has over 10 years of product management experience in the enterprise application software industry.<br />
<br />
Refreshments will be provided at the event and have been donated by Fishnet Security.<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q1 2012 Meeting February 22'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "OWASP Where are we... Where are we going in 2012" - Tom Brennan<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "XSS Defense" - Jim Manico<br />
:This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg.<br />
<br />
8:00 - ? After event social gathering - Cariera's<br />
<br />
*Tom Brennan is a Director at Spiderlabs/Trustwave, an OWASP Global Board Member and Chapter Leader for OWASP NY/NJ Metro. <br />
*Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series. <br />
<br />
Refreshments donated by Security Innovation.<br />
<br />
University of Central Florida provided meeting space at the Medical College campus. <br />
<br />
----<br />
<br />
Inaugural Meeting October 19, 2011 6:30 PM at Seasons 52<br />
<br />
We will be holding our first meeting on October 19 for an informal gathering of those interested in the OWASP mission. This is a chance to get to know the other members of the chapter and engage in the initial dialogue that will drive the direction of the group. We want to know what kinds of technologies you use or are interested in learning about, the challenges you are facing in your daily work, and get a sense of the types of content you want to see at future meetings. I will bring some copies of various OWASP guides and possibly some other OWASP swag to this initial meeting. We will be covering the OWASP mission, culture, and a high level view of OWASP projects. The format for this meeting will largely be discussion oriented. This is not currently a sponsored event, but we do have interested parties asking about sponsorship opportunities, so this may change.<br />
<br />
== Presentation Archive ==<br />
<br />
[https://www.owasp.org/images/a/a3/AppSec_Shortcuts.pdf Do AppSec Shortcuts Exist?] - Greg Wolford Q2 2016<br />
<br />
[https://www.owasp.org/images/3/30/XXE_-_The_Anatomy_of_an_XML_Attack_-_Mike_Felch.pdf XXE: The Anatomy of an XML Attack] - Mike Felch Q2 2016<br />
<br />
[https://www.owasp.org/images/3/3f/Owasporlandoapril132016-160414185141.pdf iOS Automation Primitives] - Mikhail "Mike" Sosonkin Q2 2016<br />
<br />
[https://www.owasp.org/images/3/3f/OWASP_Top_10_-_Deep_Dive_-_Code.pptx OWASP Top 10 with Code Examples] - Slides by Bill Riggins, Co-Presented with Tony Turner Orlando Q1 2013<br />
<br />
[https://owasp.org/images/e/ee/Orlando_OWASP_WAF_and_IAM_Integration_92012_v2.pptx Web Application Firewalls and Identity and Access Management Integration] - Jan Poscobutt Orlando Q3 2012<br />
<br />
[https://owasp.org/images/2/2e/Orlando_OWASP_-_RealWorldWebServiceTesting.pptx Don't Drop the Soap: Real World Web Service Testing for Web Hackers] - Kevin Johnson Orlando Q3 2012<br />
<br />
Practical Android Security - Jack Mannino Orlando Q2 2012<br />
<br />
[https://owasp.org/images/7/7f/OWASP_Orlando_20120515_App_Fw_age_of_mobile.pdf Application Firewalling in the Age of Mobile: New Considerations] - Stephen Mak Orlando Q2 2012<br />
<br />
[https://www.owasp.org/images/6/60/2012Whereweare..Wherearewegoing.pptx OWASP Where are we... Where are we going in 2012] - Tom Brennan Orlando Q1 2012<br />
<br />
[https://www.owasp.org/images/c/ce/Access_Control_Pitfalls_v1.1.pptx Access Control Pitfalls] - Jim Manico Orlando Q1 2012 (Optional 2nd talk not delivered at chapter meeting)<br />
<br />
[https://www.owasp.org/images/e/e8/XSS_Past_Present_and_Future_v2.pptx XSS Past Present and Future v2] - Jim Manico Orlando Q1 2012<br />
<br />
== Chapter Information ==<br />
<br />
OWASP Orlando is newly formed as of August 2011. The first meeting was held on October 19, 2011 and was designed largely as a social event to bring new members together. After this initial informal meeting we are continuing with quarterly meetings focused on content that attendees can apply within their own environments for minimal or no cost to their organizations. We do not tolerate vendor-centric presentations, but we do encourage vendors to present as long as they keep their marketing attempts to a minimum and focus on the underlying issues and technology. Typically we have 2 speakers with topics designed to meet the needs of the Builder, Breaker and Defender communities. As of April 2012 we have continued to meet this commitment. Keep watching this space for announcements about upcoming events. If you are interested in being a speaker or taking a more active leadership role within the chapter, please contact the chapter leaders at the link above. Everyone is welcome to join us at our chapter meetings. We track membership based on participation at the mailing list linked on this page, and this will be the primary means of communication for the chapter. We also have a LinkedIn group at http://goo.gl/BB9fu<br />
<br />
== Supporters ==<br />
<br />
;[https://www.owasp.org/index.php/Membership For information on becoming a supporter and associated benefits]<br />
<br />
'''Organizational Supporters'''<br />
<br />
[[Image:symantec1.jpg|link=http://www.symantec.com/|Symantec Corporation - 2012]]<br />
<br />
----<br />
<br />
'''Chapter Supporters'''<br />
<br />
[[Image:cloudspace_logo.png|link=http://cloudspace.com/|Cloudspace Venue Sponsor - OWASP Orlando 2013]]<br />
<br />
----<br />
<br />
'''Single Meeting Supporters'''<br />
<br />
[[Image:Securityinnovation.png|link=http://www.securityinnovation.com/|Security Innovation - OWASP Orlando Q1 2012]]<br />
[[Image:Fishnetlogo.png|link=http://www.fishnetsecurity.com/|Fishnet Security - OWASP Orlando Q2 2012]]<br />
<br />
----<br />
<br />
'''Academic Supporters'''<br />
<br />
[[Image:Ucf_medcollege.png|link=http://med.ucf.edu/|UCF College of Medicine - OWASP Orlando Q1-Q2 2012]]<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Florida]]<br />
[[Category:Orlando]]<br />
[[Category:OWASP_Chapter]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221144WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:50:29Z<p>Tony Turner: /* FAQ */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2017. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2017.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline</s><br />
*<s>Begin document re-work</s><br />
*<s>Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Internal Testing</s><br />
*Conference presentation - delayed due to project team availability. Revisit in Q1 2017<br />
<br />
==Summer 2016==<br />
<br />
*<s>Period of Inactivity due to project team unavailability</s><br />
<br />
==Fall 2016==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments (Fall/Winter - AppSecUSA 2017 Project Summit Deliverable)<br />
*New WAFEC sections:<br />
**Differences between WAFs and next-generation firewalls and intrusion prevention systems<br />
**Performance and reliability criteria<br />
**Anti-automation/anti-bot capabilities<br />
**Anti-fraud capabilities, credential theft<br />
**Threat intel/reputation capabilities<br />
**Hybrid and cloud deployment models (Diving into CDN technology would be useful)<br />
<br />
==Winter 2016==<br />
<br />
*Pre-release/Beta<br />
<br />
==Spring 2017==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221142WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:46:52Z<p>Tony Turner: /* Fall 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline</s><br />
*<s>Begin document re-work</s><br />
*<s>Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Internal Testing</s><br />
*Conference presentation - delayed due to project team availability. Revisit in Q1 2017<br />
<br />
==Summer 2016==<br />
<br />
*<s>Period of Inactivity due to project team unavailability</s><br />
<br />
==Fall 2016==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments (Fall/Winter - AppSecUSA 2017 Project Summit Deliverable)<br />
*New WAFEC sections:<br />
**Differences between WAFs and next-generation firewalls and intrusion prevention systems<br />
**Performance and reliability criteria<br />
**Anti-automation/anti-bot capabilities<br />
**Anti-fraud capabilities, credential theft<br />
**Threat intel/reputation capabilities<br />
**Hybrid and cloud deployment models (Diving into CDN technology would be useful)<br />
<br />
==Winter 2016==<br />
<br />
*Pre-release/Beta<br />
<br />
==Spring 2017==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221141WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:45:49Z<p>Tony Turner: /* Spring 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As today's web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by an active employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead, it intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, since not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
'''As of November 2015 the objectives are:'''<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline</s><br />
*<s>Begin document re-work</s><br />
*<s>Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Internal Testing</s><br />
*Conference presentation - delayed due to project team availability. Revisit in Q1 2017.<br />
<br />
==Summer 2016==<br />
<br />
*<s>Period of Inactivity due to project team unavailability</s><br />
<br />
==Fall 2016==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments<br />
*New WAFEC sections:<br />
**Differences between WAFs and next-generation firewalls and intrusion prevention systems<br />
**Performance and reliability criteria<br />
**Anti-automation/anti-bot capabilities<br />
**Anti-fraud capabilities, credential theft<br />
**Threat intel/reputation capabilities<br />
**Hybrid and cloud deployment models (Diving into CDN technology would be useful)<br />
<br />
==Winter 2016==<br />
<br />
*Pre-release/Beta<br />
<br />
==Spring 2017==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>
Tony Turner
https://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221140
WASC OWASP Web Application Firewall Evaluation Criteria Project
2016-09-08T18:44:59Z
<p>Tony Turner: /* Fall 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As today's web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by an active employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead, it intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, since not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
'''As of November 2015 the objectives are:'''<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline</s><br />
*<s>Begin document re-work</s><br />
*<s>Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Internal Testing</s><br />
*<s>Conference presentation</s><br />
<br />
==Summer 2016==<br />
<br />
*<s>Period of Inactivity due to project team unavailability</s><br />
<br />
==Fall 2016==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments<br />
*New WAFEC sections:<br />
**Differences between WAFs and next-generation firewalls and intrusion prevention systems<br />
**Performance and reliability criteria<br />
**Anti-automation/anti-bot capabilities<br />
**Anti-fraud capabilities, credential theft<br />
**Threat intel/reputation capabilities<br />
**Hybrid and cloud deployment models (Diving into CDN technology would be useful)<br />
<br />
==Winter 2016==<br />
<br />
*Pre-release/Beta<br />
<br />
==Spring 2017==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>
Tony Turner
https://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221139
WASC OWASP Web Application Firewall Evaluation Criteria Project
2016-09-08T18:40:43Z
<p>Tony Turner: /* Summer 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As today's web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by an active employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead, it intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, since not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
'''As of November 2015 the objectives are:'''<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline</s><br />
*<s>Begin document re-work</s><br />
*<s>Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Internal Testing</s><br />
*<s>Conference presentation</s><br />
<br />
==Summer 2016==<br />
<br />
*<s>Period of Inactivity due to project team unavailability</s><br />
<br />
==Fall 2016==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments<br />
<br />
==Winter 2016==<br />
<br />
*Pre-release/Beta<br />
<br />
==Spring 2017==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221138WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:38:26Z<p>Tony Turner: /* Winter 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation</s><br />
<br />
==Summer 2016==<br />
<br />
*Period of Inactivity due to project team unavailability<br />
<br />
==Fall 2016==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments<br />
<br />
==Winter 2016==<br />
<br />
*Pre-release/Beta<br />
<br />
==Spring 2017==<br />
<br />
*Release 2.0<br />
*Revisit associated tools like Response Matrix<br />
*Begin 3.0 Planning<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221137WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:37:11Z<p>Tony Turner: /* Fall 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation</s><br />
<br />
==Summer 2016==<br />
<br />
*Period of Inactivity due to project team unavailability<br />
<br />
==Fall 2016==<br />
<br />
*Socialize the project and upcoming release<br />
*Finalize 2.0 Comments<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221136WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:35:54Z<p>Tony Turner: /* Summer 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation</s><br />
<br />
==Summer 2016==<br />
<br />
*Period of Inactivity due to project team unavailability<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich , Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221134WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:34:59Z<p>Tony Turner: /* Spring 2016 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who develop WAFs and those who implement and use them, are committed to keeping WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update is committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0 - delayed until Q4<br />
<br />
'''3.0''' - see 3.0 notes<br />
<br />
*<s>Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation</s><br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich , Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221133WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:34:03Z<p>Tony Turner: /* Winter 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who develop WAFs and those who implement and use them, are committed to keeping WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update is committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*<s>Complete 1st draft</s><br />
*<s>Plan for 2.0 release</s><br />
*Internal Testing - pushed until later phase<br />
<br />
<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich , Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221132WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:32:55Z<p>Tony Turner: /* Winter 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who develop WAFs and those who implement and use them, are committed to keeping WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update is committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*<s>Logo and design work</s><br />
*<s>Marketing strategy</s><br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
<br />
<br />
'''3.0''' - pushed until after 2.0 release<br />
<br />
*<s>Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls</s><br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221131WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:31:21Z<p>Tony Turner: /* Fall 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*<s>Update existing sections in 2.0 to be relevant for 2015</s><br />
<br />
==Winter 2015==<br />
<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
'''3.0'''<br />
<br />
*Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls<br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=221130WASC OWASP Web Application Firewall Evaluation Criteria Project2016-09-08T18:29:15Z<p>Tony Turner: /* Fall 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
<br />
==Winter 2015==<br />
<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
'''3.0'''<br />
<br />
*Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls<br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=Orlando&diff=208521Orlando2016-02-11T18:45:27Z<p>Tony Turner: </p>
<hr />
<div>{{Chapter Template|chaptername=Orlando|extra=The chapter was founded in August 2011 by Tony Turner and is currently led by [mailto:tony.turner@owasp.org Tony Turner] and [mailto:adrian.pastor@owasp.org Adrian Pastor].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-orlando|emailarchives=http://lists.owasp.org/pipermail/owasp-orlando}}<br />
<br />
==OWASP Orlando Officers==<br />
<br />
*Tony Turner - Chapter Leader and Chief Defender since 2011<br />
*Adrian Pastor - Chapter Co-Leader<br />
*Michael Felch - Chief Breaker<br />
*Jack Norman - Chief Builder<br />
*Willa Riggins - Marketing Coordinator and Prior Chapter Co-Leader 2012-2013<br />
<br />
==Past OWASP Orlando Officers==<br />
<br />
*Jon Singer - Prior Chapter Co-Leader 2013-2015<br />
<br />
== Meeting Registration == <br />
<br />
Please register for our meetings at https://www.meetup.com/OWASP-Orlando<br />
<br />
== OWASP Orlando Chapter Meetings ==<br />
<br />
'''Thursday 02/18 Social Meeting'''<br />
<br />
On 02/18, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away OWASP swag and books as trivia prizes.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately.<br />
<br />
For more details or to join our Meetup community, check out http://www.meetup.com/OWASP-Orlando/events/228782867/<br />
<br />
<br />
== Meeting History ==<br />
<br />
'''Monday 01/18/2016 Training Meeting'''<br />
<br />
The meeting on 01/18 will consist of a secure programming workshop which will be kindly delivered by Jim Manico. The workshop will start at noon, and end at 5 PM approximately.<br />
<br />
The location for our Jan 18 training meeting will be the following:<br />
<br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
'''Thursday 01/07/2016 Social Meeting'''<br />
<br />
On 01/07, we’re having a social meeting to network, meet fellow OWASPers, and reach out to the central Florida developer community. In addition to free food and beverages, we’ll give away OWASP swag and books as trivia prizes.<br />
<br />
The location for our social meeting will be Downtown PourHouse, at 20 S Orange Ave, Orlando. We’ll meet from 5:30 PM to 8 PM approximately.<br />
<br />
'''2015 Meeting November 19'''<br />
<br />
If you are in Orlando on Thursday November 19th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll be conducting a roundtable style discussion of topics of interest such as:<br />
<br />
*Static vs Dynamic Testing (perhaps IAST too)<br />
*Web App Firewalls vs Runtime Application Security Protection vs fixing vulnerable code<br />
*Other topics - if you have one you'd like to see covered email the leaders<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7.30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
----<br />
<br />
'''2015 Meeting October 29'''<br />
<br />
If you are in Orlando on Thursday October 29th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll have two amazing presentations on reverse-engineering Android applications and attacking cryptographic libraries.<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7.30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
Guest Speakers<br />
<br />
Reverse Engineering Android Applications for Pride and Glory - Ben Watson<br />
<br />
This presentation will serve as an introduction for those who want to dive into the art of reverse engineering Android applications and firmware. We will explore the inner workings of the Android architecture, traverse the landscape of reverse engineering tools and techniques, and propose some practical methodologies and workflows for all your bug hunting needs. <br />
<br />
Ben Watson has over 7 dedicated years in application and mobile security. Prior to joining GuidePoint Security, Ben solved mobile and application security problems for cutting-edge companies in the financial services, eCommerce, and medical industries. Ben has often been sought after for building application security programs from the ground up, due to his experience not only in developing testing methodologies, tools, and techniques, but also in understanding what it takes to build secure products. Ben has managed and led efforts in large mobile application security service initiatives, and is also an experienced mobile security researcher. He currently focuses his efforts on discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero-day vulnerabilities affecting various Android web browsers, and is the creator and curator of the Android assessment toolkit called Lobotomy.<br />
<br />
Do Your Own Highly Successful Five-minute Cryptography Evaluations - Scott Arciszewski<br />
<br />
From web frameworks to encrypted chat applications to contactless smartcards, our industry is filled with people who deploy home-grown cryptography. The result of this choice is usually catastrophic. Even if you're using good primitives from well-studied libraries, how you utilize them can completely defeat the security they provide. Clearly, rolling your own cryptography is a bad idea; but how do you assess the libraries that others have written? The following implementations will be scrutinized:<br />
<br />
*OpenCart's Encryption library (ECB mode, no MAC)<br><br />
*Tutanota's messaging app (CBC mode without a MAC)<br><br />
*Mifare Classic's Proprietary Stream Cipher (aside from the 48-bit key, this cipher is incredibly unsound)<br><br />
*Defuse Security's PHP Encryption Library (safe, for reasons I will explain)<br><br />
*Libsodium - crypto_box() (safe, for reasons I will explain)<br><br />
<br />
Before winning the password hashing category of the Underhanded Crypto Contest at the Crypto & Privacy Village at DEFCON this year, Scott spent years studying how to make real-world cryptosystems fail in ways useful to attackers, from timing side-channels to padding oracles and random number generator failures. Scott leads the software development efforts for, and audits clients' cryptography products on behalf of, the Orlando-based technology consulting firm Paragon Initiative Enterprises.<br />
<br />
----<br />
<br />
'''Q4 2014 Meeting November 12'''<br />
<br />
We will be holding our Q4 meeting on Wednesday, November 12th at the University of Central Florida, main campus.<br><br />
There is NO cost to attend. Refreshments and snacks are provided by HeroiSec. Location provided by the University of Central Florida.<br />
<br />
Guest Speakers<br />
<br />
Blog like a hacker - Vikram Dhillon<br><br />
People just entering information security have a tough path ahead to become established and well known. One major tool that almost all well-known security analysts have is a blog through which they reach out to their audience. Getting a blog on a popular CMS platform is easy and of course great, but you can't show off your own skills. Enter Jekyll: a blog written from scratch, where you can show off your own development skills. Most developers use their own styling along with various plugins combined in this Ruby-based tool to show how they can blog like a hacker. This session will be a walkthrough of how to blog using Jekyll. I will showcase what the finished project looks like, how to get started with one, the structure of the app, and finally how to extend the blog you've created with your own imagination.<br />
<br />
Technological Telekinesis: Become One with the Force (aka Art, Gadgets and Tech) - Nathan Selikoff<br><br />
Witness how objects and digital worlds can be manipulated without any direct contact. You never see a Jedi with a keyboard or a touchscreen, do you? Why be tethered when you can freely express yourself? With a low-cost input device, a laptop, and a bit of programming know-how, you can capture a flick of the wrist or an all-out dance routine. What you do from there is limited only by your imagination. Kinect yourself and Leap into the future! Nathan Selikoff is an artist and programmer who plays with interactivity and motion in time and space. Inspired by the behavior of systems, science, nature, and music, he combines computer code, traditional materials, and future technology to bring new ideas to life.<br />
<br />
Schedule<br />
<br />
6:00PM - 6:15 Arrive at UCF[[File:ORLMAP.png|right]]<br />
<br />
6:15 - 7:00 Blog like a hacker - Vikram Dhillon<br />
<br />
7:00 - 7:10 Short break for refreshments and questions<br />
<br />
7:10 - 7:55 Technological Telekinesis - Nathan Selikoff<br />
<br />
7:55 - 8:00 Questions and closing remarks<br />
<br />
8:00 - ? World of Beer social gathering (21+)<br />
<br />
Location Details<br><br />
UCF Teaching Academy[https://www.google.com/maps/place/Teaching+Academy]<br><br />
Room 117<br><br />
4221 Andromeda Loop N<br><br />
Orlando, FL 32816<br />
<br />
Parking Details<br><br />
Garage A<br><br />
University Blvd.<br />
<br />
----<br />
<br />
'''Q2 2014 May 12 Secure Coding Training'''<br />
<br />
We will be holding a midday 4-hour training on secure application development led by Jim Manico. This workshop is an abridged version of the following course:<br />
<br />
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.<br />
<br />
As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality APIs from various languages and frameworks that provide scalable security controls.<br />
<br />
This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications, webservices or mobile applications will benefit.<br />
<br />
Jim Manico is a member of the OWASP Board and currently manages many OWASP projects, including the cheat sheet series. He also runs Manicode Security, where he specializes in application security training.<br />
<br />
Training location<br />
IST Partnership 2<br />
2nd Floor Room 208<br />
3100 Technology Parkway<br />
Orlando, FL 32826<br />
<br />
The parking lot will (most likely) be full <br />
<br />
You can also park across the street at:<br />
College of Nursing Address:<br />
12201 Research Parkway,<br />
Orlando, FL 32826<br />
<br />
----<br />
<br />
'''Q4 2013 October 30 Meeting'''<br />
<br />
OWASP Orlando is holding a social event for Q3/Q4 with complimentary wings and beer at Buffalo Wild Wings. We'd like to welcome you out to talk about web app security, upcoming events, Central FL infosec and other topics of note. There is no formal agenda; just show up, eat food, drink beer and hang out! We do have a limited budget for this event and expect we should have enough for the first couple of hours, but if turnout is much greater than anticipated, or folks want to stay later, we may have to switch to a non-free model at some point in the evening. Please register for this event so we can get an accurate count of who will be coming and an idea of cost.<br />
<br />
Topics of interest:<br />
<br />
• AppSecUSA conference in NYC (Nov 17-21)<br />
<br />
• B-Sides Orlando conference (April 5-6)<br />
<br />
• Chapter Outreach Opportunities (We recently presented for ISACA)<br />
<br />
• Other CFL Infosec groups (Some new groups, some old. We want to work with you!)<br />
<br />
• Cool projects you are working on<br />
<br />
• Beer<br />
<br />
There is NO cost to attend, but if you are interested in donating or joining the chapter please contact me at tony.turner@owasp.org<br />
<br />
We do not currently have sponsorship for this event, if you are interested please do not hesitate to contact us.<br />
<br />
http://goo.gl/N5TRrw<br />
<br />
----<br />
<br />
'''Q2 2013 Meeting June 26'''<br />
<br />
Our Q2 meeting for 2013 will be a bit of a change of pace. Due to chapter demand for more hands-on content, we are holding a Web App Hacking Workshop. You will need to bring a laptop with VMware Workstation or Player (free) installed. We will provide the VM. As always we will have our AppSec Trivia Contest, and we have some OWASP hardcopy books (Testing Guide, Code Review Guide and Top 10) to give away as prizes.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "Web App Hacking Workshop with Mutillidae" Facilitated by Tony Turner<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br />
11551 University Blvd Suite 2<br />
Orlando, FL 32817<br />
<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q1 2013 Meeting February 13'''<br />
<br />
We are kicking off Q1 of 2013 by going back to the basics. Chapter leadership will be delivering coverage of the OWASP Top 10, with examples and ways you can help reduce your exposure. As always we will have our AppSec Trivia Contest and we have some OWASP hardcopy books for Testing Guide, Code Review Guide and Top 10 to give away as prizes.<br />
<br />
We have also changed our venue to Cloudspace, who have graciously allowed us to use their space. UCF Medical College, while a great facility, was a bit far for some folks to drive, so we hope this will work out better for everyone.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "OWASP Top 10" - Tony Turner and William Riggins<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br />
11551 University Blvd Suite 2<br />
Orlando, FL 32817<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q3 2012 Meeting September 12'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "An Insider's Look: WAF and Identity and Access Management Integration" - Jan Poczobutt, Director of Enterprise ADC & WAF Sales at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can successfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Don't Drop the SOAP: Real World Web Service Testing for Web Hackers" - Over the years, web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed, or don't fully test for real-world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home-grown solutions or, worse yet, production environments.<br />
<br />
In this presentation Kevin Johnson will discuss the new security issues with web services and an updated web service testing methodology released at DEFCON 19 last year that will be integrated into the OWASP Testing Guide, new Metasploit modules and exploits for attacking web services, and an open-source vulnerable web service for Samurai-WTF (Web Testing Framework) that penetration testers can use to test web service attack tools and techniques.<br />
<br />
*Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open-source security projects, some of which he founded and others he has worked on. He founded BASE, a web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD, a live environment focused on web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, such as Infragard, ISACA, ISSA, and the University of Florida.<br />
<br />
Twitter: @secureideas<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q2 2012 Meeting May 15'''<br />
<br />
The theme for Q2 is Mobile Security<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "Practical Android Security" - Jack Mannino<br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Application Firewalling in the Age of Mobile: New Considerations" - Stephen Mak<br />
:With mobile application development on a rapid rise, it is important to understand the security risks associated with externally published APIs. This talk will discuss the similarities and differences of risks posed by browser-based web applications and mobile applications.<br />
<br />
*Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education. <br />
*Stephen Mak is the Product Manager for the Layer 7 SecureSpan Gateway, and has over 10 years product management experience in the enterprise application software industry. <br />
<br />
Refreshments will be provided at the event and have been donated by Fishnet Security.<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q1 2012 Meeting February 22'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "OWASP Where are we... Where are we going in 2012" - Tom Brennan<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "XSS Defense" - Jim Manico<br />
:This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg.<br />
<br />
8:00 - ? After event social gathering - Cariera's<br />
<br />
*Tom Brennan is a Director at Spiderlabs/Trustwave, an OWASP Global Board Member and Chapter Leader for OWASP NY/NJ Metro. <br />
*Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series. <br />
<br />
Refreshments donated by Security Innovation.<br />
<br />
University of Central Florida provided meeting space at the Medical College campus. <br />
<br />
----<br />
<br />
Inaugural Meeting October 19, 2011 6:30 PM at Seasons 52<br />
<br />
We will be holding our first meeting on October 19 for an informal gathering of those interested in the OWASP mission. This is a chance to get to know the other members of the chapter and engage in the initial dialogue that will drive the direction of the group. We want to know what kinds of technologies you use or are interested in learning about, the challenges you are facing in your daily work, and the types of content you want to see at future meetings. I will bring some copies of various OWASP guides and possibly some other OWASP swag to this initial meeting. We will be covering the OWASP mission, culture, and a high-level view of OWASP projects. The format for this meeting will largely be discussion oriented. This is not currently a sponsored event, but we do have interested parties asking about sponsorship opportunities, so this may change.<br />
<br />
== Presentation Archive ==<br />
<br />
[https://www.owasp.org/images/e/e8/XSS_Past_Present_and_Future_v2.pptx XSS Past Present and Future v2] - Jim Manico Orlando Q1 2012<br />
<br />
[https://www.owasp.org/images/c/ce/Access_Control_Pitfalls_v1.1.pptx Access Control Pitfalls] - Jim Manico Orlando Q1 2012 (Optional 2nd talk not delivered at chapter meeting)<br />
<br />
[https://www.owasp.org/images/6/60/2012Whereweare..Wherearewegoing.pptx OWASP Where are we... Where are we going in 2012] - Tom Brennan Orlando Q1 2012<br />
<br />
[https://owasp.org/images/7/7f/OWASP_Orlando_20120515_App_Fw_age_of_mobile.pdf Application Firewalling in the Age of Mobile: New Considerations] - Stephen Mak Orlando Q2 2012<br />
<br />
Practical Android Security - Jack Mannino Orlando Q2 2012<br />
<br />
[https://owasp.org/images/2/2e/Orlando_OWASP_-_RealWorldWebServiceTesting.pptx Don't Drop the Soap: Real World Web Service Testing for Web Hackers] - Kevin Johnson Orlando Q3 2012<br />
<br />
[https://owasp.org/images/e/ee/Orlando_OWASP_WAF_and_IAM_Integration_92012_v2.pptx Web Application Firewalls and Identity and Access Management Integration] - Jan Poczobutt Orlando Q3 2012<br />
<br />
[https://www.owasp.org/images/3/3f/OWASP_Top_10_-_Deep_Dive_-_Code.pptx OWASP Top 10 with Code Examples] - Slides by Bill Riggins, Co-Presented with Tony Turner Orlando Q1 2013<br />
<br />
== Chapter Information ==<br />
<br />
OWASP Orlando was newly formed as of August 2011. The first meeting was held on October 19, 2011 and was designed largely as a social event to bring new members together. After this initial informal meeting we are continuing with quarterly meetings focused on content that attendees can apply within their own environments at minimal or no cost to their organizations. We do not tolerate vendor-centric presentations, but we do encourage vendors to present as long as they keep their marketing attempts to a minimum and focus on the underlying issues and technology. Typically we have 2 speakers with topics designed to meet the needs of the Builder, Breaker and Defender communities. As of April 2012 we have continued to meet this commitment. Keep watching this space for announcements about upcoming events. If you are interested in being a speaker or taking a more active leadership role within the chapter, please contact the chapter leaders at the link above. Everyone is welcome to join us at our chapter meetings. We track membership based on participation in the mailing list linked on this page, and this will be the primary means of communication for the chapter. We also have a LinkedIn group at http://goo.gl/BB9fu <br />
<br />
== Supporters ==<br />
<br />
;[https://www.owasp.org/index.php/Membership For information on becoming a supporter and associated benefits]<br />
<br />
'''Organizational Supporters'''<br />
<br />
[[Image:symantec1.jpg|link=http://www.symantec.com/|Symantec Corporation - 2012]]<br />
<br />
----<br />
<br />
'''Chapter Supporters'''<br />
<br />
[[Image:cloudspace_logo.png|link=http://cloudspace.com/|Cloudspace Venue Sponsor - OWASP Orlando 2013]]<br />
<br />
----<br />
<br />
'''Single Meeting Supporters'''<br />
<br />
[[Image:Securityinnovation.png|link=http://www.securityinnovation.com/|Security Innovation - OWASP Orlando Q1 2012]]<br />
[[Image:Fishnetlogo.png|link=http://www.fishnetsecurity.com/|Fishnet Security - OWASP Orlando Q2 2012]]<br />
<br />
----<br />
<br />
'''Academic Supporters'''<br />
<br />
[[Image:Ucf_medcollege.png|link=http://med.ucf.edu/|UCF College of Medicine - OWASP Orlando Q1-Q2 2012]]<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Florida]]<br />
[[Category:Orlando]]<br />
[[Category:OWASP_Chapter]]</div>
Tony Turner
https://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203942
WASC OWASP Web Application Firewall Evaluation Criteria Project
2015-11-28T17:10:15Z
<p>Tony Turner: /* FAQ */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (Rafael San Miguel Carrasco)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or where a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
'''5. Is WAFEC releasing 2.0 or 3.0 next?'''<br />
<br />
ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 effort sometime in early 2016. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2016.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*Update existing sections in 2.0 to be relevant for 2015 - In progress<br />
<br />
==Winter 2015==<br />
<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
'''3.0'''<br />
<br />
*Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls<br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - CDNetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor <br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>
Tony Turner
https://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203941
WASC OWASP Web Application Firewall Evaluation Criteria Project
2015-11-28T17:07:30Z
<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*Update existing sections in 2.0 to be relevant for 2015 - In progress<br />
<br />
==Winter 2015==<br />
<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
'''3.0'''<br />
<br />
*Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls<br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''v2.0 Contributors''' - 2012 effort<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''v2.0 Reviewers''' - 2012 effort<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''v1.0 Contributors'''<br />
<br />
*Robert Auger (SPI Dynamics)<br />
*Ryan C. Barnett (EDS)<br />
*Charlie Cano (F5)<br />
*Anton Chuvakin (netForensics)<br />
*Matthieu Estrade (Bee Ware)<br />
*Sagar Golla (Secureprise)<br />
*Jeremiah Grossman (WhiteHat Security)<br />
*Achim Hoffmann (Individual)<br />
*Amit Klein (Individual)<br />
*Mark Kraynak (Imperva)<br />
*Vidyaranya Maddi (Cisco Systems)<br />
*Ofer Maor (Hacktics)<br />
*Cyrill Osterwalder (Seclutions AG)<br />
*Sylvain Maret (e-Xpert Solutions)<br />
*Gunnar Peterson (Arctec Group)<br />
*Pradeep Pillai (Cisco Systems)<br />
*Kurt R. Roemer (NetContinuum)<br />
*Kenneth Salchow (F5)<br />
*Rafael San Miguel (daVinci Consulting)<br />
*Greg Smith (Citrix Systems)<br />
*David Movshovitz (F5)<br />
*Ivan Ristic (Thinking Stone) [Project Leader]<br />
*Ory Segal (Watchfire)<br />
*Ofer Shezaf (Breach Security)<br />
*Andrew Stern (F5)<br />
*Bob Walder (NSS Group)<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203940WASC OWASP Web Application Firewall Evaluation Criteria Project2015-11-28T17:01:26Z<p>Tony Turner: /* Project Team */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*Update existing sections in 2.0 to be relevant for 2015 - In progress<br />
<br />
==Winter 2015==<br />
<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
'''3.0'''<br />
<br />
*Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls<br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group''' - Newly formed as of 2015 reboot effort<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''Prior Contributors'''<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''Prior Reviewers'''<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203939WASC OWASP Web Application Firewall Evaluation Criteria Project2015-11-28T17:00:43Z<p>Tony Turner: /* Project Team */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*Update existing sections in 2.0 to be relevant for 2015 - In progress<br />
<br />
==Winter 2015==<br />
<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
'''3.0'''<br />
<br />
*Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls<br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw - Verizon<br />
*John Mcllwain - Cdnetworks<br />
*Ryan Barnett - Akamai<br />
*Ory Segal - Akamai<br />
*Vincent Maury - DenyAll<br />
<br />
'''Prior Contributors'''<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''Prior Reviewers'''<br />
<br />
*Anshuman Singh, Barracuda Networks <br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203938WASC OWASP Web Application Firewall Evaluation Criteria Project2015-11-28T17:00:26Z<p>Tony Turner: /* Project Team */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of November 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*<s>Conduct workshop at AppSecUSA 2015</s><br />
*<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document<br />
*<s>Reformat document for 3.0</s><br />
*Update existing sections in 2.0 to be relevant for 2015 - In progress<br />
<br />
==Winter 2015==<br />
<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
'''2.0'''<br />
<br />
*Complete 1st draft<br />
*Plan for 2.0 release<br />
*Internal Testing<br />
<br />
'''3.0'''<br />
<br />
*Create new document outline<br />
*Begin document re-work<br />
*Create framework for evaluating controls<br />
<br />
==Spring 2016==<br />
<br />
*Release 2.0<br />
<br />
'''3.0'''<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware<br />
*Ido Breger – F5<br />
*Tin Zaw – Verizon<br />
*John Mcllwain – Cdnetworks<br />
*Ryan Barnett – Akamai<br />
*Ory Segal – Akamai<br />
*Vincent Maury – DenyAll<br />
<br />
'''Prior Contributors'''<br />
<br />
*Achim Hoffmann, sic[!]sec<br />
*Amichai Shulman, Imperva <br />
*Erwin Huber, Airlock (Ergon)<br />
*Mark Kraynak, Imperva<br />
*Ofer Shezaf, Project Lead<br />
*Ryan Barnett, Trustwave <br />
*Tal Beery, Imperva<br />
<br />
'''Prior Reviewers'''<br />
<br />
*Anshuman Singh, Barracuda Networks<br />
*Achim Hoffmann, sic[!]sec<br />
*Christian Heinrich, Individual Contributor<br />
*David DeSanto, NSS Labs <br />
*Ido Breger, F5 <br />
*Jason Leung, Mykonos, a Juniper Company<br />
*Klaubert Herr da Silveira <br />
*Julian Totzek, Deny All <br />
*Matthieu Estrade, Beeware <br />
*Or Katz, Individual Contributor<br />
*Ory Segal, Akamai<br />
*Paul Scott, Individual Contributor <br />
*Przemyslaw Skowron, Alior Bank<br />
*Rip, OWASP China <br />
*Robert Auger, Individual Contributor <br />
*Victor Pinenkov, Mykonos, a Juniper Company<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact the WAFEC project leader, [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203937WASC OWASP Web Application Firewall Evaluation Criteria Project2015-11-28T16:52:50Z<p>Tony Turner: /* Project Team */</p>
<hr />
<div>=Main=<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*VACANT (Co-Leader)<br />
<br />
'''Contributors'''<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw – Verizon<br />
*John Mcllwain – Cdnetworks<br />
*Ryan Barnett – Akamai<br />
*Ory Segal – Akamai<br />
*Vincent Maury – DenyAll<br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203936WASC OWASP Web Application Firewall Evaluation Criteria Project2015-11-28T16:44:13Z<p>Tony Turner: /* Roadmap */</p>
<hr />
<div>=Main=<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
*Santiago Ingold<br />
*Jean Dogo<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
*Tin Zaw – Verizon<br />
*John Mcllwain – Cdnetworks<br />
*Ryan Barnett – Akamai<br />
*Ory Segal – Akamai<br />
*Vincent Maury – DenyAll<br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=203935WASC OWASP Web Application Firewall Evaluation Criteria Project2015-11-28T16:29:24Z<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=Orlando&diff=203386Orlando2015-11-14T15:35:26Z<p>Tony Turner: </p>
<hr />
<div>{{Chapter Template|chaptername=Orlando|extra=The chapter was founded in August 2011 by Tony Turner and is currently led by [mailto:tony.turner@owasp.org Tony Turner] and [mailto:adrian.pastor@owasp.org Adrian Pastor].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-orlando|emailarchives=http://lists.owasp.org/pipermail/owasp-orlando}}<br />
<br />
==OWASP Orlando Officers==<br />
<br />
*Tony Turner - Chapter Leader and Chief Defender since 2011<br />
*Adrian Pastor - Chapter Co-Leader<br />
*Michael Felch - Chief Breaker<br />
*Jack Norman - Chief Builder<br />
*Willa Riggins - Marketing Coordinator and Prior Chapter Co-Leader 2012-2013<br />
<br />
==Past OWASP Orlando Officers==<br />
<br />
*Jon Singer - Prior Chapter Co-Leader 2013-2015<br />
<br />
== Meeting Registration == <br />
<br />
Please register for our meetings at http://www.meetup.com/OWASP-Orlando<br />
<br />
== OWASP Orlando Chapter Meetings ==<br />
<br />
'''2015 Meeting November 19'''<br />
<br />
If you are in Orlando on Thursday November 19th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll be conducting a roundtable style discussion of topics of interest such as:<br />
<br />
*Static vs Dynamic Testing (perhaps IAST too)<br />
*Web App Firewalls vs Runtime Application Security Protection vs fixing vulnerable code<br />
*Other topics - if you have one you'd like to see covered email the leaders<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7.30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
== Meeting History ==<br />
<br />
'''2015 Meeting October 29'''<br />
<br />
If you are in Orlando on Thursday October 29th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll have two amazing presentations on reverse-engineering Android applications and attacking cryptographic libraries.<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7.30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
Guest Speakers<br />
<br />
Reverse Engineering Android Applications for Pride and Glory - Ben Watson<br />
<br />
This presentation will serve as an introduction for those who want to dive into the art of reverse engineering Android applications and firmware. We will explore the inner workings of the Android architecture, traverse the landscape of reverse engineering tools and techniques, and propose some practical methodologies and workflows for all your bug hunting needs. <br />
<br />
Ben Watson has over 7 years dedicated to application and mobile security. Prior to joining GuidePoint Security, Ben solved mobile and application security problems for cutting-edge companies in the financial services, eCommerce, and medical industries. Ben has often been sought after to build application security programs from the ground up, owing to his experience not only in developing testing methodologies, tools, and techniques, but also in understanding what it takes to build secure products. Ben has managed and led large mobile application security service initiatives, and is also an experienced mobile security researcher. He currently focuses on discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero-day vulnerabilities affecting various Android web browsers, and is the creator and curator of the Android assessment toolkit called Lobotomy.<br />
<br />
Do Your Own Highly Successful Five-minute Cryptography Evaluations - Scott Arciszewski<br />
<br />
From web frameworks to encrypted chat applications to contactless smartcards, our industry is filled with people who deploy home-grown cryptography. The result of this choice is usually catastrophic. Even if you're using good primitives from well-studied libraries, how you utilize them can completely defeat the security they provide. Clearly, rolling your own cryptography is a bad idea; but how do you assess the libraries that others have written? The following implementations will be scrutinized:<br />
<br />
*OpenCart's Encryption library (ECB mode, no MAC)<br><br />
*Tutanota's messaging app (CBC mode without a MAC)<br><br />
*Mifare Classic's Proprietary Stream Cipher (aside from the 48-bit key, this cipher is incredibly unsound)<br><br />
*Defuse Security's PHP Encryption Library (safe, for reasons I will explain)<br><br />
*Libsodium - crypto_box() (safe, for reasons I will explain)<br><br />
<br />
Before winning the password hashing category of the Underhanded Crypto Contest at the Crypto & Privacy Village at DEFCON this year, Scott had spent years studying how to make real-world cryptosystems fail in useful ways for attackers, from timing side-channels to padding oracles and random number generator failures. Scott leads the software development efforts for, and audits clients' cryptography products on behalf of, the Orlando-based technology consulting firm Paragon Initiative Enterprises.<br />
<br />
'''Q4 2014 Meeting November 12'''<br />
<br />
We will be holding our Q4 meeting on Wednesday, November 12th at The University of Central Florida, main campus.<br><br />
There is NO cost to attend. Refreshments and snacks are provided by HeroiSec. Location Provided by University of Central Florida.<br />
<br />
Guest Speakers<br />
<br />
Blog like a hacker - Vikram Dhillon<br><br />
People just entering information security have a tough path ahead to become established and well-known. One major tool that almost all well-known security analysts have is a blog where they all reach out to their audience. Getting a blog on a popular CMS platform is easy and of course great and all, but you can't show your own skills off. Enter Jekyll. A blog written from scratch up where you can show off your own development skills. Most developers are using their own styling along with various plugins combined in this Ruby-based tool to show off how they can blog like a hacker. This session will be a walkthrough of how to blog using Jekyll. I will showcase what the finished project looks like, how to get started with one, the structure of the app and finally how to extend the blog you've created with your own imagination.<br />
<br />
Technological Telekinesis: Become One with the Force (aka Art, Gadgets and Tech) - Nathan Selikoff<br><br />
Witness how objects and digital worlds can be manipulated without any direct contact. You never see a Jedi with a keyboard or a touchscreen, do you? Why be tethered when you can freely express yourself? With a low-cost input device, a laptop, and a bit of programming know-how, you can capture a flick of the wrist or an all out dance routine. What you do from there is only limited by your imagination. Kinect yourself and Leap into the future! Nathan Selikoff is an artist and programmer who plays with interactivity and motion in time and space. Inspired by the behavior of systems, science, nature, and music, he combines computer code, traditional materials, and future technology to bring new ideas to life.<br />
<br />
Schedule<br />
<br />
6:00PM - 6:15 Arrive at UCF[[File:ORLMAP.png|right]]<br />
<br />
6:15 - 7:00 Blog like a hacker - Vikram Dhillon<br />
<br />
7:00 - 7:10 Short break for refreshments and questions<br />
<br />
7:10 - 7:55 Technological Telekinesis - Nathan Selikoff<br />
<br />
7:55 - 8:00 Questions and closing remarks<br />
<br />
8:00 - ? World of Beer social gathering (21+)<br />
<br />
Location Details<br><br />
UCF Teaching Academy[https://www.google.com/maps/place/Teaching+Academy]<br><br />
Room 117<br><br />
4221 Andromeda Loop N<br><br />
Orlando, FL 32816<br />
<br />
Parking Details<br><br />
Garage A<br><br />
University Blvd.<br />
<br />
----<br />
<br />
'''Q2 2014 May 12 Secure Coding Training'''<br />
<br />
We will be holding a midday 4 hour training on secure application development led by Jim Manico. This workshop is an abridged version of the following course:<br />
<br />
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.<br />
<br />
As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API's from various languages and frameworks that provide production quality and scalable security controls.<br />
<br />
This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications, webservices or mobile applications will benefit.<br />
<br />
Jim Manico is a member of the OWASP Board and currently manages many OWASP projects, including the Cheat Sheet Series. He also runs Manicode Security, where he specializes in application security training.<br />
<br />
Training location<br><br />
IST Partnership 2<br><br />
2nd Floor Room 208<br><br />
3100 Technology Parkway<br><br />
Orlando, FL 32826<br />
<br />
The parking lot will (most likely) be full <br />
<br />
You can also park across the street at:<br><br />
College of Nursing Address:<br><br />
12201 Research Parkway,<br><br />
Orlando, FL 32826<br />
<br />
----<br />
<br />
'''Q4 2013 October 30 Meeting'''<br />
<br />
OWASP Orlando is holding a social event for Q3/4 with complimentary wings and beer at Buffalo Wild Wings. We'd like to welcome you out to talk about web app security, upcoming events, Central FL infosec and other topics of note. There is no formal agenda: just show up, eat food, drink beer and hang out! We do have a limited budget for this event and expect it should cover the first couple of hours, but if turnout is much greater than anticipated, or folks want to stay later, we may have to switch to a non-free model at some point in the evening. Please register for this event so we can get an accurate count of who will be coming and an idea of cost.<br />
<br />
Topics of interest:<br />
<br />
• AppSecUSA conference in NYC (Nov 17-21)<br />
<br />
• B-Sides Orlando conference (April 5-6)<br />
<br />
• Chapter Outreach Opportunities (We recently presented for ISACA)<br />
<br />
• Other CFL Infosec groups (Some new groups, some old. We want to work with you!)<br />
<br />
• Cool projects you are working on<br />
<br />
• Beer<br />
<br />
There is NO cost to attend, but if you are interested in donating or joining the chapter please contact me at tony.turner@owasp.org<br />
<br />
We do not currently have sponsorship for this event, if you are interested please do not hesitate to contact us.<br />
<br />
http://goo.gl/N5TRrw<br />
<br />
----<br />
<br />
'''Q2 2013 Meeting June 26'''<br />
<br />
Our Q2 meeting for 2013 will be a bit of a change of pace. Due to chapter demand for more hands-on content, we are holding a Web App Hacking Workshop. You will need to bring a laptop with VMware Workstation or Player (free) installed. We will provide the VM. As always we will have our AppSec Trivia Contest, and we have some OWASP hardcopy books (Testing Guide, Code Review Guide and Top 10) to give away as prizes.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "Web App Hacking Workshop with Mutillidae" Facilitated by Tony Turner<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br><br />
11551 University Blvd Suite 2<br><br />
Orlando, FL 32817<br />
<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q1 2013 Meeting February 13'''<br />
<br />
We are kicking off Q1 of 2013 by going back to the basics. Chapter leadership will be delivering coverage of the OWASP Top 10, with examples and ways you can help reduce your exposure. As always we will have our AppSec Trivia Contest and we have some OWASP hardcopy books for Testing Guide, Code Review Guide and Top 10 to give away as prizes.<br />
<br />
We have also changed our venue to Cloudspace, who have graciously allowed us to use their space. UCF Medical College, while a great facility, was a bit far for some folks to drive, so we hope this will work out better for everyone.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "OWASP Top 10" - Tony Turner and William Riggins<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br><br />
11551 University Blvd Suite 2<br><br />
Orlando, FL 32817<br><br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q3 2012 Meeting September 12'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "An Insider's Look: WAF and Identity and Access Management Integration" - Jan Poczobutt, Director of Enterprise ADC & WAF Sales at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can successfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Don't Drop the SOAP: Real World Web Service Testing for Web Hackers" - Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.<br />
<br />
In this presentation Kevin Johnson will discuss the new security issues with web services and an updated web service testing methodology, released at DEFCON 19 last year, that will be integrated into the OWASP Testing Guide; new Metasploit modules and exploits for attacking web services; and an open source vulnerable web service for Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.<br />
<br />
*Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD, a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.<br />
<br />
Twitter: @secureideas<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q2 2012 Meeting May 15'''<br />
<br />
The theme for Q2 is Mobile Security<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "Practical Android Security" - Jack Mannino<br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Application Firewalling in the Age of Mobile: New Considerations" - Stephen Mak<br />
:With mobile application development on a rapid rise, it is important to understand the security risks associated with externally published APIs. This talk will discuss the similarities and differences of risks posed by browser-based web applications and mobile applications.<br />
<br />
*Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education. <br />
*Stephen Mak is the Product Manager for the Layer 7 SecureSpan Gateway, and has over 10 years product management experience in the enterprise application software industry. <br />
<br />
Refreshments will be provided at the event and have been donated by Fishnet Security.<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q1 2012 Meeting February 22'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "OWASP Where are we... Where are we going in 2012" - Tom Brennan<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "XSS Defense" - Jim Manico<br />
:This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg.<br />
<br />
8:00 - ? After event social gathering - Cariera's<br />
<br />
*Tom Brennan is a Director at Spiderlabs/Trustwave, an OWASP Global Board Member and Chapter Leader for OWASP NY/NJ Metro. <br />
*Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series. <br />
<br />
Refreshments donated by Security Innovation.<br />
<br />
University of Central Florida provided meeting space at the Medical College campus. <br />
<br />
----<br />
<br />
'''Inaugural Meeting October 19, 2011 6:30 PM at Seasons 52'''<br />
<br />
We will be holding our first meeting on October 19 for an informal gathering of those interested in the OWASP mission. This is a chance to get to know the other members of the chapter and engage in the initial dialogue that will drive the direction of the group. We want to know what kinds of technologies you use or are interested in learning about, the challenges you are facing in your daily work, and get a sense of the types of content you want to see at future meetings. I will bring some copies of various OWASP guides and possibly some other OWASP swag to this initial meeting. We will be covering the OWASP mission, culture, and a high-level view of OWASP projects. The format for this meeting will largely be discussion oriented. This is not currently a sponsored event, but we do have interested parties asking about sponsorship opportunities, so this may change.<br />
<br />
== Presentation Archive ==<br />
<br />
[https://www.owasp.org/images/e/e8/XSS_Past_Present_and_Future_v2.pptx XSS Past Present and Future v2] - Jim Manico Orlando Q1 2012<br />
<br />
[https://www.owasp.org/images/c/ce/Access_Control_Pitfalls_v1.1.pptx Access Control Pitfalls] - Jim Manico Orlando Q1 2012 (Optional 2nd talk not delivered at chapter meeting)<br />
<br />
[https://www.owasp.org/images/6/60/2012Whereweare..Wherearewegoing.pptx OWASP Where are we... Where are we going in 2012] - Tom Brennan Orlando Q1 2012<br />
<br />
[https://owasp.org/images/7/7f/OWASP_Orlando_20120515_App_Fw_age_of_mobile.pdf Application Firewalling in the Age of Mobile: New Considerations] - Stephen Mak Orlando Q2 2012<br />
<br />
Practical Android Security - Jack Mannino Orlando Q2 2012<br />
<br />
[https://owasp.org/images/2/2e/Orlando_OWASP_-_RealWorldWebServiceTesting.pptx Don't Drop the Soap: Real World Web Service Testing for Web Hackers] - Kevin Johnson Orlando Q3 2012<br />
<br />
[https://owasp.org/images/e/ee/Orlando_OWASP_WAF_and_IAM_Integration_92012_v2.pptx Web Application Firewalls and Identity and Access Management Integration] - Jan Poczobutt Orlando Q3 2012<br />
<br />
[https://www.owasp.org/images/3/3f/OWASP_Top_10_-_Deep_Dive_-_Code.pptx OWASP Top 10 with Code Examples] - Slides by Bill Riggins, Co-Presented with Tony Turner Orlando Q1 2013<br />
<br />
== Chapter Information ==<br />
<br />
OWASP Orlando is newly formed as of August 2011. The first meeting was held on October 19, 2011 and was designed largely as a social event to bring new members together. After this initial informal meeting we are continuing with quarterly meetings focused on content that attendees can apply within their own environments at minimal or no cost to their organizations. We do not tolerate vendor-centric presentations, but we do encourage vendors to present as long as they keep their marketing attempts to a minimum and focus on the underlying issues and technology. Typically we have 2 speakers with topics designed to meet the needs of the Builder, Breaker and Defender communities. As of April 2012 we have continued to meet this commitment. Keep watching this space for announcements about upcoming events. If you are interested in being a speaker or taking a more active leadership role within the chapter, please contact the chapter leaders at the link above. Everyone is welcome to join us at our chapter meetings. We track membership based on participation on the mailing list linked on this page, which will be the primary means of communication for the chapter. We also have a LinkedIn group at http://goo.gl/BB9fu <br />
<br />
== Supporters ==<br />
<br />
;[https://www.owasp.org/index.php/Membership For information on becoming a supporter and associated benefits]<br />
<br />
'''Organizational Supporters'''<br />
<br />
[[Image:symantec1.jpg|link=http://www.symantec.com/|Symantec Corporation - 2012]]<br />
<br />
----<br />
<br />
'''Chapter Supporters'''<br />
<br />
[[Image:cloudspace_logo.png|link=http://cloudspace.com/|Cloudspace Venue Sponsor - OWASP Orlando 2013]]<br />
<br />
----<br />
<br />
'''Single Meeting Supporters'''<br />
<br />
[[Image:Securityinnovation.png|link=http://www.securityinnovation.com/|Security Innovation - OWASP Orlando Q1 2012]]<br />
[[Image:Fishnetlogo.png|link=http://www.fishnetsecurity.com/|Fishnet Security - OWASP Orlando Q2 2012]]<br />
<br />
----<br />
<br />
'''Academic Supporters'''<br />
<br />
[[Image:Ucf_medcollege.png|link=http://med.ucf.edu/|UCF College of Medicine - OWASP Orlando Q1-Q2 2012]]<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Florida]]<br />
[[Category:Orlando]]<br />
[[Category:OWASP_Chapter]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=Orlando&diff=202657Orlando2015-10-26T15:47:02Z<p>Tony Turner: </p>
<hr />
<div>{{Chapter Template|chaptername=Orlando|extra=The chapter was founded in August 2011 by Tony Turner and is currently led by [mailto:tony.turner@owasp.org Tony Turner] and Adrian Pastor.|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-orlando|emailarchives=http://lists.owasp.org/pipermail/owasp-orlando}}<br />
<br />
== OWASP Orlando Chapter Meetings ==<br />
'''2015 Meeting October 29'''<br />
<br />
If you are in Orlando on Thursday October 29th, please join us at the next OWASP Orlando chapter meeting. ''Free food and drinks will be provided!'' We'll have two amazing presenters – the details for one of the presentations will be added shortly to this wiki.<br />
<br />
The meeting is free to attend and will take place from 5 PM to 7.30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.<br />
<br />
Location Details<br><br />
HD Supply[https://goo.gl/maps/HEsWx3JWuLw]<br><br />
501 W Church St<br><br />
Orlando, FL<br><br />
<br />
<br />
== Meeting History ==<br />
<br />
'''Q4 2014 Meeting November 12'''<br />
<br />
We will be holding our Q4 meeting on Wednesday, November 12th at The University of Central Florida, main campus.<br><br />
There is NO cost to attend. Refreshments and snacks are provided by HeroiSec. Location Provided by University of Central Florida.<br />
<br />
Guest Speakers<br />
<br />
Blog like a hacker - Vikram Dhillon<br><br />
People just entering information security have a tough path ahead to become established and well-known. One major tool that almost all well known security analysts have is a blog where they all reach out to their audience. Getting a blog on a popular CMS platform is easy and of course great and all but you can't show your own skills off. Enter Jekyll. A blog written from scratch up where you can show off your own development skills. Most developers are using their own styling along with various plugins combined in this Ruby-based tool to show off how they can blog like a hacker. This session will be a walkthrough of how to blog using jekyll. I will showcase what the finished project looks like, how to get started with one, the structure of the app and finally how to extend the blog you've created with your own imagination.<br />
<br />
Technological Telekinesis: Become One with the Force (aka Art, Gadgets and Tech) - Nathan Selikoff<br><br />
Witness how objects and digital worlds can be manipulated without any direct contact. You never see a Jedi with a keyboard or a touchscreen, do you? Why be tethered when you can freely express yourself? With a low-cost input device, a laptop, and a bit of programming know-how, you can capture a flick of the wrist or an all out dance routine. What you do from there is only limited by your imagination. Kinect yourself and Leap into the future! Nathan Selikoff is an artist and programmer who plays with interactivity and motion in time and space. Inspired by the behavior of systems, science, nature, and music, he combines computer code, traditional materials, and future technology to bring new ideas to life.<br />
<br />
Schedule<br />
<br />
6:00PM - 6:15 Arrive at UCF[[File:ORLMAP.png|right]]<br />
<br />
6:15 - 7:00 Blog like a hacker - Vikram Dhillon<br />
<br />
7:00 - 7:10 Short break for refreshments and questions<br />
<br />
7:10 - 7:55 Technological Telekinesis - Nathan Selikoff<br />
<br />
7:55 - 8:00 Questions and closing remarks<br />
<br />
8:00 - ? World of Beer social gathering (21+)<br />
<br />
Location Details<br><br />
UCF Teaching Academy[https://www.google.com/maps/place/Teaching+Academy]<br><br />
Room 117<br><br />
4221 Andromeda Loop N<br><br />
Orlando, FL 32816<br />
<br />
Parking Details<br><br />
Garage A<br><br />
University Blvd.<br />
<br />
----<br />
<br />
'''Q2 2014 May 12 Secure Coding Training'''<br />
<br />
We will be holding a midday 4 hour training on secure application development led by Jim Manico. This workshop is an abridged version of the following course:<br />
<br />
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.<br />
<br />
As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API's from various languages and frameworks that provide production quality and scalable security controls.<br />
<br />
This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications, webservices or mobile applications will benefit.<br />
<br />
Jim Manico is a member of the OWASP Board and currently manages many OWASP projects including the cheatsheet series. He also runs Manicode Security where he specializes in application security training.<br />
<br />
Training location<br />
IST Partnership 2<br />
2nd Floor Room 208<br />
3100 Technology Parkway<br />
Orlando, FL 32826<br />
<br />
The parking lot will (most likely) be full <br />
<br />
You can also park across the street at:<br />
College of Nursing Address:<br />
12201 Research Parkway,<br />
Orlando, FL 32826<br />
<br />
----<br />
<br />
'''Q4 2013 October 30 Meeting'''<br />
<br />
OWASP Orlando is holding a social event for Q3/4 with complimentary wings and beer at Buffalo Wild Wings. We'd like to welcome you out to talk about web app security, upcoming events, Central FL infosec and other topics of note. There is no formal agenda: just show up, eat food, drink beer and hang out! We do have a limited budget for this event and expect we should have enough for the first couple of hours, but if turnout is much greater than anticipated, or folks want to stay later, we may have to switch to a non-free model at some point in the evening. Please register for this event so we can get an accurate count of who will be coming and an idea of cost.<br />
<br />
Topics of interest:<br />
<br />
• AppSecUSA conference in NYC (Nov 17-21)<br />
<br />
• B-Sides Orlando conference (April 5-6)<br />
<br />
• Chapter Outreach Opportunities (We recently presented for ISACA)<br />
<br />
• Other CFL Infosec groups (Some new groups, some old. We want to work with you!)<br />
<br />
• Cool projects you are working on<br />
<br />
• Beer<br />
<br />
There is NO cost to attend, but if you are interested in donating or joining the chapter please contact me at tony.turner@owasp.org<br />
<br />
We do not currently have sponsorship for this event, if you are interested please do not hesitate to contact us.<br />
<br />
http://goo.gl/N5TRrw<br />
<br />
----<br />
<br />
'''Q2 2013 Meeting June 26'''<br />
<br />
Our Q2 meeting for 2013 will be a bit of a change in pace. Due to chapter demand for more hands on content, we are holding a Web App Hacking Workshop. You will need to bring a laptop with VMware Workstation or Player (free) installed. We will provide the VM. As always we will have our AppSec Trivia Contest and we have some OWASP hardcopy books for Testing Guide, Code Review Guide and Top 10 to give away as prizes.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "Web App Hacking Workshop with Mutillidae" Facilitated by Tony Turner<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br />
11551 University Blvd Suite 2<br />
Orlando, FL 32817<br />
<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q1 2013 Meeting February 13'''<br />
<br />
We are kicking off Q1 of 2013 by going back to the basics. Chapter leadership will be delivering coverage of the OWASP Top 10, with examples and ways you can help reduce your exposure. As always we will have our AppSec Trivia Contest and we have some OWASP hardcopy books for Testing Guide, Code Review Guide and Top 10 to give away as prizes.<br />
<br />
We have also changed our venue to Cloudspace who have graciously allowed us to use their space. UCF Medical College, while a great facility was a bit far for some folks to drive so we hope this will work out better for everyone.<br />
<br />
6:15 - 6:30 Arrive at Cloudspace (see below)<br />
<br />
6:30 - 6:45 Welcome and Opening Remarks<br />
<br />
6:45 - 8:00 "OWASP Top 10" - Tony Turner and William Riggins<br />
<br />
8:00 - ? After event social gathering - Location TBD<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
Cloudspace (near UCF Main campus)<br />
11551 University Blvd Suite 2<br />
Orlando, FL 32817<br />
http://goo.gl/45l1b<br />
<br />
----<br />
<br />
'''Q3 2012 Meeting September 12'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "An Insider's Look: WAF and Identity and Access Management Integration" - Jan Poczobutt, Director of Enterprise ADC & WAF Sales at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can successfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Don't Drop the SOAP: Real World Web Service Testing for Web Hackers" - Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.<br />
<br />
In this presentation Kevin Johnson will discuss the new security issues with web services and discuss an updated web service testing methodology released at defcon 19 last year that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques. <br />
<br />
*Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.<br />
<br />
Twitter: @secureideas<br />
<br />
We do not currently have a sponsor for this event but refreshments will be provided. If you are interested in sponsoring please contact tony.turner@owasp.org<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q2 2012 Meeting May 15'''<br />
<br />
The theme for Q2 is Mobile Security<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "Practical Android Security" - Jack Mannino<br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "Application Firewalling in the Age of Mobile: New Considerations" - Stephen Mak<br />
:With mobile application development on a rapid rise, it is important to understand the security risks associated with externally published APIs. This talk will discuss the similarities and differences of risks posed by browser-based web applications and mobile applications.<br />
<br />
*Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education. <br />
*Stephen Mak is the Product Manager for the Layer 7 SecureSpan Gateway, and has over 10 years product management experience in the enterprise application software industry. <br />
<br />
Refreshments will be provided at the event and have been donated by Fishnet Security.<br />
<br />
University of Central Florida has graciously agreed to provide meeting space at the Medical College campus.<br />
<br />
----<br />
<br />
'''Q1 2012 Meeting February 22'''<br />
<br />
5:45 - 6:00 Arrive<br />
<br />
6:00 - 6:15 Welcome and Opening Remarks / Appsec Trivia<br />
<br />
6:15 - 7:00 "OWASP Where are we... Where are we going in 2012" - Tom Brennan<br />
<br />
7:00 - 7:15 Break<br />
<br />
7:15 - 8:00 "XSS Defense" - Jim Manico<br />
:This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg.<br />
<br />
8:00 - ? After event social gathering - Cariera's<br />
<br />
*Tom Brennan is a Director at Spiderlabs/Trustwave, an OWASP Global Board Member and Chapter Leader for OWASP NY/NJ Metro. <br />
*Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series. <br />
<br />
Refreshments donated by Security Innovation.<br />
<br />
University of Central Florida provided meeting space at the Medical College campus. <br />
<br />
----<br />
<br />
Inaugural Meeting October 19, 2011 6:30 PM at Seasons 52<br />
<br />
We will be holding our first meeting on October 19 for an informal gathering of those interested in the OWASP mission. This is a chance to get to know the other members of the chapter and engage in the initial dialogue that will drive the direction of the group. We want to know what kinds of technologies you use or are interested in learning about, the challenges you are facing in your daily work and get a sense for the types of content you want to see at future meetings. I will bring some copies of various OWASP guides and possibly some other OWASP shwag to this initial meeting. We will be covering the OWASP mission, culture, and a high level view of OWASP projects. The format for this meeting will largely be discussion oriented. This is not currently a sponsored event, but we do have interested parties asking about sponsorship opportunities so this may change.<br />
<br />
== Presentation Archive ==<br />
<br />
[https://www.owasp.org/images/e/e8/XSS_Past_Present_and_Future_v2.pptx XSS Past Present and Future v2] - Jim Manico Orlando Q1 2012<br />
<br />
[https://www.owasp.org/images/c/ce/Access_Control_Pitfalls_v1.1.pptx Access Control Pitfalls] - Jim Manico Orlando Q1 2012 (Optional 2nd talk not delivered at chapter meeting)<br />
<br />
[https://www.owasp.org/images/6/60/2012Whereweare..Wherearewegoing.pptx OWASP Where are we... Where are we going in 2012] - Tom Brennan Orlando Q1 2012<br />
<br />
[https://owasp.org/images/7/7f/OWASP_Orlando_20120515_App_Fw_age_of_mobile.pdf Application Firewalling in the Age of Mobile: New Considerations] - Stephen Mak Orlando Q2 2012<br />
<br />
Practical Android Security - Jack Mannino Orlando Q2 2012<br />
<br />
[https://owasp.org/images/2/2e/Orlando_OWASP_-_RealWorldWebServiceTesting.pptx Don't Drop the Soap: Real World Web Service Testing for Web Hackers] - Kevin Johnson Orlando Q3 2012<br />
<br />
[https://owasp.org/images/e/ee/Orlando_OWASP_WAF_and_IAM_Integration_92012_v2.pptx Web Application Firewalls and Identity and Access Management Integration] - Jan Poczobutt Orlando Q3 2012<br />
<br />
[https://www.owasp.org/images/3/3f/OWASP_Top_10_-_Deep_Dive_-_Code.pptx OWASP Top 10 with Code Examples] - Slides by Bill Riggins, Co-Presented with Tony Turner Orlando Q1 2013<br />
<br />
== Chapter Information ==<br />
<br />
OWASP Orlando is newly formed as of August 2011. The first meeting was held on October 19, 2011 and was designed largely as a social event to bring new members together. After this initial informal meeting we are continuing with quarterly meetings focused on content that attendees can apply within their own environments at minimal or no cost to their organizations. We do not tolerate vendor-centric presentations, but we do encourage vendors to present as long as they keep their marketing attempts to a minimum and focus on the underlying issues and technology. Typically we have 2 speakers with topics designed to meet the needs of the Builder, Breaker and Defender communities. As of April 2012 we have continued to meet this commitment. Keep watching this space for announcements about upcoming events. If you are interested in being a speaker or taking a more active leadership role within the chapter, please contact the chapter leaders at the link above. Everyone is welcome to join us at our chapter meetings. We track membership based on participation in the mailing list linked on this page, and this will be the primary means of communication for the chapter. We also have a LinkedIn group at http://goo.gl/BB9fu <br />
<br />
== Supporters ==<br />
<br />
;[https://www.owasp.org/index.php/Membership For information on becoming a supporter and associated benefits]<br />
<br />
'''Organizational Supporters'''<br />
<br />
[[Image:symantec1.jpg|link=http://www.symantec.com/|Symantec Corporation - 2012]]<br />
<br />
----<br />
<br />
'''Chapter Supporters'''<br />
<br />
[[Image:cloudspace_logo.png|link=http://cloudspace.com/|Cloudspace Venue Sponsor - OWASP Orlando 2013]]<br />
<br />
----<br />
<br />
'''Single Meeting Supporters'''<br />
<br />
[[Image:Securityinnovation.png|link=http://www.securityinnovation.com/|Security Innovation - OWASP Orlando Q1 2012]]<br />
[[Image:Fishnetlogo.png|link=http://www.fishnetsecurity.com/|Fishnet Security - OWASP Orlando Q2 2012]]<br />
<br />
----<br />
<br />
'''Academic Supporters'''<br />
<br />
[[Image:Ucf_medcollege.png|link=http://med.ucf.edu/|UCF College of Medicine - OWASP Orlando Q1-Q2 2012]]<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Florida]]<br />
[[Category:Orlando]]<br />
[[Category:OWASP_Chapter]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=201010WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T18:21:05Z<p>Tony Turner: /* Roadmap */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensuring WAFEC is comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=201002WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T14:01:59Z<p>Tony Turner: /* Presentations */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensuring WAFEC is comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)]<br />
*[https://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt WAFs When Are They Useful (Ivan Ristic)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
Current needs include:<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200994WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:34:21Z<p>Tony Turner: /* Presentations */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013 the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], the project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now rebooting the WAFEC project and plan to release the new version in the second half of 2016. If you want to be part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppSecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (Rafael San Miguel Carrasco)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by a current employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC was rebooted in June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew work on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead it intends to provide tools for others to perform their own independent evaluation of WAF products. Any evaluation should take into consideration the unique requirements and documented use cases for the WAF, as not all deployments have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product is a smarter choice than a best-of-breed solution, or where a niche product is very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
As of September 2015 the objectives are:<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comments have been integrated into the Google Doc, but the resulting updates are not yet incorporated into the document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
Current needs include:<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200993WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:34:05Z<p>Tony Turner: /* Presentations */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013 the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], the project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now rebooting the WAFEC project and plan to release the new version in the second half of 2016. If you want to be part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppSecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (Rafael San Miguel Carrasco)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by a current employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC was rebooted in June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew work on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead it intends to provide tools for others to perform their own independent evaluation of WAF products. Any evaluation should take into consideration the unique requirements and documented use cases for the WAF, as not all deployments have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product is a smarter choice than a best-of-breed solution, or where a niche product is very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
As of September 2015 the objectives are:<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comments have been integrated into the Google Doc, but the resulting updates are not yet incorporated into the document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
Current needs include:<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200992WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:33:43Z<p>Tony Turner: /* Presentations */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013 the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], the project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now rebooting the WAFEC project and plan to release the new version in the second half of 2016. If you want to be part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppSecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
*[http://www.slideshare.net/vaceitunofist/wafec WAFEC, or How to Choose WAF Technology (Rafael San Miguel Carrasco)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by a current employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC was rebooted in June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew work on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead it intends to provide tools for others to perform their own independent evaluation of WAF products. Any evaluation should take into consideration the unique requirements and documented use cases for the WAF, as not all deployments have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product is a smarter choice than a best-of-breed solution, or where a niche product is very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
As of September 2015 the objectives are:<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comments have been integrated into the Google Doc, but the resulting updates are not yet incorporated into the document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
Current needs include:<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200991WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:24:35Z<p>Tony Turner: /* Summer 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAFs) are an evolving information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.<br />
<br />
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013 the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], the project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now rebooting the WAFEC project and plan to release the new version in the second half of 2016. If you want to be part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
*[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppSecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced from the vendor sub-group, or provided by a current employee of any WAF vendor, are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC was rebooted in June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew work on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification; instead it intends to provide tools for others to perform their own independent evaluation of WAF products. Any evaluation should take into consideration the unique requirements and documented use cases for the WAF, as not all deployments have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product is a smarter choice than a best-of-breed solution, or where a niche product is very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
As of September 2015 the objectives are:<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comments have been integrated into the Google Doc, but the resulting updates are not yet incorporated into the document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200990WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:23:47Z<p>Tony Turner: /* Fall 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed, but not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
*Update existing sections to be relevant for 2015<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200989WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:23:16Z<p>Tony Turner: /* Summer 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*<s>Re-establish project team</s> - Initial team and structure created - Still LFV<br />
*<s>Migrate existing v2.0 doc to Google Docs</s> - Completed<br />
*Address outstanding comments - Comment integration completed, but not yet incorporated into document<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200988WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:20:08Z<p>Tony Turner: /* Summer 2015 */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*<s>Migrate existing v2.0 doc to Google Docs - Completed</s><br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200987WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T02:19:47Z<p>Tony Turner: /* Roadmap */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
<s>*Migrate existing v2.0 doc to Google Docs - Completed</s><br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200986WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:26:14Z<p>Tony Turner: /* Presentation */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentations==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200985WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:25:59Z<p>Tony Turner: /* Presentation */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentation==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)] [https://www.youtube.com/watch?v=XUEpjyJ8sgY Video]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200984WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:24:40Z<p>Tony Turner: /* Presentation */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentation==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200983WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:24:05Z<p>Tony Turner: /* Presentation */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentation==<br />
<br />
[https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann)]<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
<br />
<br />
<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200982WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:22:17Z<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
==Presentation==<br />
<br />
AppSecEU 2013<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professionals<br />
*Copy-edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200981WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:19:53Z<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
<br />
==Presentation==<br />
<br />
AppSecEU 2013<br />
<br />
==Project Leader==<br />
<br />
*Tony Turner<br />
<br />
==Contributors==<br />
<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
==Vendor Sub-group==<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware<br />
*Ido Breger – F5<br />
<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professionals<br />
*Copy-edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200980WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:19:13Z<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
==Note==<br />
'''This will serve as the main project page going forward, but for historical links please refer to [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria here]'''<br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
<br />
==Presentation==<br />
<br />
AppSecEU 2013<br />
<br />
==Project Leader==<br />
<br />
*Tony Turner<br />
<br />
==Contributors==<br />
<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
==Vendor Sub-group==<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware<br />
*Ido Breger – F5<br />
<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professionals<br />
*Copy-edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200979WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:18:20Z<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==Note==<br />
'''This will serve as the main project page going forward, but for historical links please refer to [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria here]'''<br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |==Presentation==<br />
<br />
AppSecEU 2013<br />
<br />
==Project Leader==<br />
<br />
*Tony Turner<br />
<br />
==Contributors==<br />
<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
==Vendor Sub-group==<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware<br />
*Ido Breger – F5<br />
<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
===As of September 2015 the objectives are===<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
===Current Needs include===<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professionals<br />
*Copy-edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200978WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:13:02Z<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<br />
==Note==<br />
'''This will serve as the main project page going forward, but for historical links please refer to [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria here]'''<br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
<br />
==Presentation==<br />
<br />
AppSecEU 2013<br />
<br />
==Project Leader==<br />
<br />
*Tony Turner<br />
<br />
==Contributors==<br />
<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
==Vendor Sub-group==<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware<br />
*Ido Breger – F5<br />
<br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation takes into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
'''As of September 2015 the objectives are:'''<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
'''Current needs include:'''<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turnerhttps://wiki.owasp.org/index.php?title=WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&diff=200977WASC OWASP Web Application Firewall Evaluation Criteria Project2015-09-23T01:11:47Z<p>Tony Turner: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Note==<br />
'''This will serve as the main project page going forward, but for historical links please refer to [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria here]'''<br />
<br />
==Background==<br />
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.<br />
<br />
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardized criteria for WAF evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:<br />
<br />
* Help stakeholders understand what a WAF is and its role in protecting web sites.<br />
* Provide a tool for users to make an educated decision when selecting a WAF.<br />
<br />
==Project Structure==<br />
WAFEC is a joint project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP], ensuring that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to making WAFEC comprehensive, accurate and objective.<br />
<br />
==History==<br />
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC], this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project, check out the {{#switchtablink:Volunteering|Volunteering}} page or join the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.<br />
<br />
==More information==<br />
If you have any other questions or ideas, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Presentation==<br />
<br />
AppSecEU 2013<br />
<br />
==Project Leader==<br />
<br />
*Tony Turner<br />
<br />
==Contributors==<br />
<br />
<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
==Vendor Sub-group==<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware<br />
*Ido Breger – F5<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
==News and Events==<br />
<br />
*September 2015 AppSecUSA Workshop<br />
*June 2015 Project Reboot<br />
<br />
==Mailing List==<br />
<br />
*[http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org WAFEC Mailing list (WASC)]<br />
<br />
<br />
=FAQ=<br />
<br />
'''1. Is WAFEC unfairly biased in favor of vendors who participate?'''<br />
<br />
ANSWER: All contributions sourced by the vendor sub-group or provided by an active employee of any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input into the direction of the WAFEC standard should see the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Volunteering Volunteering] link and get involved.<br />
<br />
'''2. Is WAFEC a dead project?'''<br />
<br />
ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner, and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts on the next version. See the [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Roadmap Roadmap] for more information.<br />
<br />
'''3. Does WAFEC certify WAF vendors?'''<br />
<br />
ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation of WAF vendors. It is important that any evaluation takes into consideration the unique requirements and documented use cases for the WAF, as not all deployments will have the same requirements.<br />
<br />
'''4. Does WAFEC recommend $vendorX?'''<br />
<br />
ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best-of-breed solution, or a niche product may be very well suited to a particular use case. The WAFEC team works with multiple [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project#tab=Project_Team vendors] and does not show bias in any way. Any vendor is welcome to participate in standards development, and contributions will be made public consistent with OWASP transparency expectations.<br />
<br />
=Roadmap=<br />
<br />
'''As of September 2015 the objectives are:'''<br />
<br />
==Summer 2015==<br />
<br />
*Re-establish project team - In progress and looking for volunteers<br />
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments<br />
*Address outstanding comments and make existing sections relevant for 2015 - Barely started<br />
<br />
==Fall 2015==<br />
<br />
*Conduct workshop at AppSecUSA 2015<br />
*Create new document outline<br />
*Begin document re-work<br />
<br />
==Winter 2015==<br />
<br />
*Create framework for evaluating controls<br />
*Logo and design work<br />
*Marketing strategy<br />
<br />
==Spring 2016==<br />
<br />
*Complete 1st draft<br />
*Internal Testing<br />
*Conference presentation<br />
<br />
==Summer 2016==<br />
<br />
*Pre-release/Beta<br />
*Socialize the project and upcoming release<br />
<br />
==Fall 2016==<br />
<br />
*Release WAFEC v3.0 <br />
*Post-release support<br />
<br />
==Winter 2016==<br />
<br />
*Revisit associated tools like Response Matrix<br />
<br />
=Project Team=<br />
'''Core Team'''<br />
<br />
*Tony Turner (Leader) – GuidePoint Security<br />
*Renaud Bidou – TrendMicro (formerly Radware and DenyAll)<br />
*Christian Heinrich (former WAFEC contributor)<br />
*Achim Hoffmann (former WAFEC contributor)<br />
<br />
'''Vendor Sub-group'''<br />
<br />
*Peter Vogt – Sentrix<br />
*Erwin Huber – Ergon<br />
*Mark Kraynak – Imperva<br />
*Raphael Chileshe – Radware <br />
*Ido Breger – F5<br />
<br />
'''If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond, please contact [mailto:tony.turner@owasp.org Tony Turner].'''<br />
<br />
=Volunteering=<br />
<br />
'''Current needs include:'''<br />
<br />
*Web App Pentesters experienced with WAF Bypasses<br />
*WAF Implementers<br />
*WAF Developers<br />
*WAF Vendor Liaisons <br />
*Metrics and standardization professional<br />
*Copy edit ninjas<br />
*Graphics designer<br />
<br />
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].<br />
<br />
=Project About=<br />
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]</div>Tony Turner