This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

WASC OWASP Web Application Firewall Evaluation Criteria Project

Revision as of 18:55, 2 October 2018 by Tony Turner (talk | contribs) (Winter 2015)

Jump to: navigation, search
OWASP Project Header.jpg


Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.

As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for WAFs evaluation. The Web Application Firewall Evaluation Criteria Project (WAFEC) serves two goals:

  • Help stakeholders understand what a WAF is and its role in protecting web sites.
  • Provide a tool for users to make an educated decision when selecting a WAF.

Project Structure

WAFEC is a joined project between The Web Application Security Consortium (WASC) and OWASP making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.


The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation WASC/OWASP WAFEC this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the Volunteering page or join the the mailing list and chime in when you feel ready.

More information

If you have any other question or idea, please contact WAFEC project leader Tony Turner.


News and Events

  • September 2015 AppSecUSA Workshop
  • June 2015 Project Reboot

Mailing List

1. Is WAFEC unfairly biased in favor of vendors who participate?

ANSWER: All contributions sourced by the vendor sub-group or provided by the active employee for any WAF vendor are peer-reviewed by all other participating vendors before the update can be committed. Vendors who want to have input in the direction of the WAFEC standard should see the Volunteering link and get involved.

2. Is WAFEC a dead project?

ANSWER: Most certainly not! WAFEC has been rebooted as of June 2015 under the leadership of Tony Turner and a project workshop is being held at the AppSecUSA conference in San Francisco to renew efforts at the next version. See the Roadmap for more information

3. Does WAFEC certify WAF vendors?

ANSWER: WAFEC does not currently provide certification but instead intends to provide tools for others to perform their own independent evaluation for WAF vendors. It is important that any evaluation take into consideration the unique requirements and documented use cases for the WAF as not all deployments will have the same requirements.

4. Does WAFEC recommend $vendorX?

ANSWER: WAFEC remains impartial and does not recommend or discourage any vendor over another. There are often scenarios where a less capable product may be a smarter choice than a best of breed solution, or a niche product may be very well-suited for a particular use case. The WAFEC team works with multiple vendors and does not show bias in any way. Any vendor is welcome to participate in standards development and contributions will be made public consistent with OWASP transparency expectations.

5. Is WAFEC releasing 2.0 or 3.0 next?

ANSWER: WAFEC will be releasing a slightly revised version of the 2012 v2.0 efforts sometime in early 2017. Most revisions articulated by the new (2015) project team will be reserved for the 3.0 release planned for late 2017

As of November 2015 the objectives are

Summer 2015

  • Re-establish project team - Initial team and structure created - Still LFV
  • Migrate existing v2.0 doc to Google Docs - Completed
  • Address outstanding comments - Comment integration completed into gDoc, but updates not yet incorporated into document

Fall 2015

  • Conduct workshop at AppSecUSA 2015
  • Decide on versioning - Plan to release mostly unchanged 2.0 and then move most revisions into future 3.0 document
  • Reformat document for 3.0
  • Update existing sections in 2.0 to be relevant for 2015

Winter 2015

  • Logo and design work
  • Marketing strategy


  • Complete 1st draft
  • Plan for 2.0 release
  • Internal Testing - pushed until later phase

3.0 - pushed until after 2.0 release

  • Create new document outline
  • Begin document re-work
  • Create framework for evaluating controls

Spring 2016

  • Release 2.0 - delayed until Q4

3.0 - see 3.0 notes

  • Complete 1st draft
  • Internal Testing
  • Conference presentation - delayed due to project team availability. Revisit in Q1 2017

Summer 2016-Fall 2018

  • Period of Inactivity due to project team unavailability

Winter 2018

  • Socialize the project and upcoming release
  • Finalize 2.0 Comments
  • New WAFEC sections:
    • Differences between WAFs and next-generation firewalls and intrusion prevention systems
    • Performance and reliability criteria
    • Anti-automation/anti-bot capabilities
    • Anti-fraud capabilities, credential theft
    • Threat intel/reputation capabilities
    • Hybrid and cloud deployment models (Diving into CDN technology would be useful)

Spring 2019

  • Pre-release/Beta

Summer 2019

  • Release 2.0
  • Revisit associated tools like Response Matrix
  • Begin 3.0 Planning

Core Team

  • Tony Turner (Leader) – Fortress Information Security
  • Sam Stepanyan (Co-Leader) - OWASP London


  • Renaud Bidou – TrendMicro (formerly Radware and DenyAll)
  • Achim Hoffmann (former WAFEC contributor)
  • Santiago Ingold
  • Jean Dogo

Vendor Sub-group - Newly formed as of 2015 reboot effort

  • Peter Vogt – Sentrix
  • Erwin Huber – Ergon
  • Mark Kraynak – Imperva
  • Raphael Chileshe – Radware
  • Ido Breger – F5
  • Tin Zaw - Verizon
  • John Mcllwain - Cdnetworks
  • Ryan Barnett - Akamai
  • Ory Segal - Akamai
  • Vincent Maury - DenyAll

v2.0 Contributors - 2012 effort

  • Achim Hoffmann, sic[!]sec
  • Amichai Shulman, Imperva
  • Erwin Huber, Airlock (Ergon)
  • Mark Kraynak, Imperva
  • Ofer Shezaf, Project Lead
  • Ryan Barnett, Trustwave
  • Tal Beery, Imperva

v2.0 Reviewers - 2012 effort

  • Anshuman Singh, Barracuda Networks
  • Achim Hoffmann, sic[!]sec
  • Christian Heinrich , Individual Contributor
  • David DeSanto, NSS Labs
  • Ido Breger, F5
  • Jason Leung, Mykonos, a Juniper Company
  • Klaubert Herr da Silveira
  • Julian Totzek, Deny All
  • Matthieu Estrade, Beeware
  • Or Katz, Individual Contributor
  • Ory Segal, Akamai
  • Paul Scott, Individual Contributor
  • Przemyslaw Skowron, Alior Bank
  • Rip, OWASP China
  • Robert Auger, Individual Contributor
  • Victor Pinenkov, Mykonos, a Juniper Company

v1.0 Contributors

  • Robert Auger (SPI Dynamics)
  • Ryan C. Barnett (EDS)
  • Charlie Cano (F5)
  • Anton Chuvakin (netForensics)
  • Matthieu Estrade (Bee Ware)
  • Sagar Golla (Secureprise)
  • Jeremiah Grossman (WhiteHat Security)
  • Achim Hoffmann (Individual)
  • Amit Klein (Individual)
  • Mark Kraynak (Imperva)
  • Vidyaranya Maddi (Cisco Systems)
  • Ofer Maor (Hacktics)
  • Cyrill Osterwalder (Seclutions AG)
  • Sylvain Maret (e-Xpert Solutions)
  • Gunnar Peterson (Arctec Group)
  • Pradeep Pillai (Cisco Systems)
  • Kurt R. Roemer (NetContinuum)
  • Kenneth Salchow (F5)
  • Rafael San Miguel (daVinci Consulting)
  • Greg Smith (Citrix Systems)
  • David Movshovitz (F5)
  • Ivan Ristic (Thinking Stone) [Project Leader]
  • Ory Segal (Watchfire)
  • Ofer Shezaf (Breach Security)
  • Andrew Stern (F5)
  • Bob Walder (NSS Group)

If you are a prior contributor and want to participate in renewed efforts at WAFEC 2.0 and beyond please contact Tony Turner.

Current Needs include

  • Web App Pentesters experienced with WAF Bypasses
  • WAF Implementers
  • WAF Developers
  • WAF Vendor Liaisons
  • Metrics and standardization professional
  • Copy edit ninjas
  • Graphics designer

If you are interested, please contact WAFEC project leader Tony Turner.

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: WASC OWASP Web Application Firewall Evaluation Criteria Project (home page)
Purpose: WAFEC is a joined industry effort to define what Web Application Firewalls are and provide the application security community with a tool to learn about WAFs and evaluate the suitability of different WAFs for their needs.
License: Creative Commons Attribution License 2.5
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: [Roadmap View]
Main links:
Key Contacts
current release
Version 1.0 of WAFEC was released in 2006 and is heavily used in the industry featuring in an estimated 50% of WAF RFPs. WAFEC 1.0 is available for download in the following formats:
last reviewed release
Not Yet Reviewed

other releases