This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "WASC OWASP Web Application Firewall Evaluation Criteria Project"
Tony Turner (talk | contribs) |
Tony Turner (talk | contribs) (→Roadmap) |
||
| Line 57: | Line 57: | ||
=Roadmap= | =Roadmap= | ||
| − | ===As of | + | ===As of November 2015 the objectives are=== |
==Summer 2015== | ==Summer 2015== | ||
| Line 67: | Line 67: | ||
==Fall 2015== | ==Fall 2015== | ||
| − | *Conduct workshop at AppSecUSA 2015 | + | *<s>Conduct workshop at AppSecUSA 2015</s> |
| − | * | + | *<s>Decide on versioning</s> - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document |
| − | * | + | *<s>Reformat document for 3.0</s> |
| − | *Update existing sections to be relevant for 2015 | + | *Update existing sections in 2.0 to be relevant for 2015 - In progress |
==Winter 2015== | ==Winter 2015== | ||
| − | |||
*Logo and design work | *Logo and design work | ||
*Marketing strategy | *Marketing strategy | ||
| + | |||
| + | '''2.0''' | ||
| + | |||
| + | *Complete 1st draft | ||
| + | *Plan for 2.0 release | ||
| + | *Internal Testing | ||
| + | |||
| + | '''3.0''' | ||
| + | |||
| + | *Create new document outline | ||
| + | *Begin document re-work | ||
| + | *Create framework for evaluating controls | ||
==Spring 2016== | ==Spring 2016== | ||
| + | |||
| + | *Release 2.0 | ||
| + | |||
| + | '''3.0''' | ||
*Complete 1st draft | *Complete 1st draft | ||
Revision as of 16:44, 28 November 2015
Background
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for WAFs evaluation. The Web Application Firewall Evaluation Criteria Project (WAFEC) serves two goals:
- Help stakeholders understand what a WAF is and its role in protecting web sites.
- Provide a tool for users to make an educated decision when selecting a WAF.
Project Structure
WAFEC is a joined project between The Web Application Security Consortium (WASC) and OWASP making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.
History
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation WASC/OWASP WAFEC this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the Volunteering page or join the the mailing list and chime in when you feel ready.
More information
If you have any other question or idea, please contact WAFEC project leader Tony Turner.
Presentations
- WAFEC: From Industry to Community Project - AppsecEU 2013 (Shezaf and Hoffmann) Video
- WAFEC, or How to Choose WAF Technology (RAFAEL SAN MIGUEL CARRASCO)
- WAFs When Are They Useful (Ivan Ristic)
News and Events
- September 2015 AppSecUSA Workshop
- June 2015 Project Reboot
Mailing List
