Difference between revisions of "WASC OWASP Web Application Firewall Evaluation Criteria Project"

From OWASP
Jump to: navigation, search
(date corrected)
 
(20 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
=Main=
 
=Main=
Web application firewalls (WAF) are a new breed of information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
+
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for product evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals: On the one hand WAFEC helps users to understand what a WAF is and its role in protecting web sites and on the other hand WAFEC provides a tool for users to make an educated decision when selecting a WAF.
+
  
 +
'''This will serve as the main project page going forward, but for historical links please refer to [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria here]'''
 +
 +
Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.
 +
 +
As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for WAFs evaluation. [http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria The Web Application Firewall Evaluation Criteria Project (WAFEC)] serves two goals:
 +
 +
* Help stakeholders understand what a WAF is and its role in protecting web sites.
 +
* Provide a tool for users to make an educated decision when selecting a WAF.
 +
 
WAFEC is a joined project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP] making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.
 
WAFEC is a joined project between [http://www.webappsec.org The Web Application Security Consortium (WASC)] and [http://www.owasp.org OWASP] making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.
  
The first version of WAFEC was released in 2006 and is in wide use in the industry. We are now working on [http://projects.webappsec.org/w/page/60249779/WAFEC_2_Outline version 2] and plan to release it in the first half of 2013. If you want to join the [http://projects.webappsec.org/w/page/54150727/WAFEC%202 contributors]  join the the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.
+
The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation [https://www.owasp.org/images/c/ca/WASC-OWASP_WAFEC_-_Achim_Hoffmann%2BOfer_Shezaf.pdf WASC/OWASP WAFEC] this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner.  We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the {{#switchtablink:Volunteering|Volunteering}} page or join the the [http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org mailing list] and chime in when you feel ready.
 
   
 
   
If you have any other question or idea, please contact WAFEC project leader [mailto:ofer@shezaf.com Ofer Shezaf].
+
If you have any other question or idea, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].
 +
 
 +
=Roadmap=
 +
 
 +
===As of July 2015 the objectives are===
 +
 
 +
==Summer 2015==
 +
 
 +
*Re-establish project team - In progress and looking for volunteers
 +
*Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments
 +
*Address outstanding comments and make existing sections relevant for 2015 - Barely started
 +
 
 +
==Fall 2015==
 +
 
 +
*Conduct workshop at AppSecUSA 2015
 +
*Create new document outline
 +
*Begin document re-work
 +
 
 +
==Winter 2015==
 +
 
 +
*Create framework for evaluating controls
 +
*Logo and design work
 +
*Marketing strategy
 +
 
 +
==Spring 2016==
 +
 
 +
*Complete 1st draft
 +
*Internal Testing
 +
*Conference presentation
 +
 
 +
==Sumer 2016==
 +
 
 +
*Pre-release/Beta
 +
*Socialize the project and upcoming release
 +
 
 +
==Fall 2016==
 +
 
 +
*Release WAFEC v3.0
 +
*Post-release support
 +
 
 +
==Winter 2016==
 +
 
 +
*Revisit associated tools like Response Matrix
 +
 
 +
=Volunteering=
 +
 
 +
===Current Needs include===
 +
 
 +
*Web App Pentesters experienced with WAF Bypasses
 +
*WAF Implementers
 +
*WAF Developers
 +
*WAF Vendor Liaisons
 +
*Metrics and standardization professional
 +
*Copy edit ninjas
 +
*Graphics designer
 +
 
 +
If you are interested, please contact WAFEC project leader [mailto:tony.turner@owasp.org Tony Turner].
  
 
=Project About=
 
=Project About=
 
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}}  
 
{{:Projects/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project}}  
  
[[Category:OWASP Project]]
+
__NOTOC__ <headertabs />
 +
 
 +
[[Category:OWASP_Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Builders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_WAF]]

Latest revision as of 06:28, 28 July 2015

[edit]

OWASP Project Header.jpg

This will serve as the main project page going forward, but for historical links please refer to here

Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.

As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for WAFs evaluation. The Web Application Firewall Evaluation Criteria Project (WAFEC) serves two goals:

  • Help stakeholders understand what a WAF is and its role in protecting web sites.
  • Provide a tool for users to make an educated decision when selecting a WAF.

WAFEC is a joined project between The Web Application Security Consortium (WASC) and OWASP making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.

The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation WASC/OWASP WAFEC this project was sidelined until earlier this year when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to be a part of the project check out the Volunteering page or join the the mailing list and chime in when you feel ready.

If you have any other question or idea, please contact WAFEC project leader Tony Turner.

As of July 2015 the objectives are

Summer 2015

  • Re-establish project team - In progress and looking for volunteers
  • Migrate existing v2.0 doc to Google Docs - 90% completed, still incorporating disparate versions and prior comments
  • Address outstanding comments and make existing sections relevant for 2015 - Barely started

Fall 2015

  • Conduct workshop at AppSecUSA 2015
  • Create new document outline
  • Begin document re-work

Winter 2015

  • Create framework for evaluating controls
  • Logo and design work
  • Marketing strategy

Spring 2016

  • Complete 1st draft
  • Internal Testing
  • Conference presentation

Sumer 2016

  • Pre-release/Beta
  • Socialize the project and upcoming release

Fall 2016

  • Release WAFEC v3.0
  • Post-release support

Winter 2016

  • Revisit associated tools like Response Matrix

Current Needs include

  • Web App Pentesters experienced with WAF Bypasses
  • WAF Implementers
  • WAF Developers
  • WAF Vendor Liaisons
  • Metrics and standardization professional
  • Copy edit ninjas
  • Graphics designer

If you are interested, please contact WAFEC project leader Tony Turner.

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: WASC OWASP Web Application Firewall Evaluation Criteria Project (home page)
Purpose: WAFEC is a joined industry effort to define what Web Application Firewalls are and provide the application security community with a tool to learn about WAFs and evaluate the suitability of different WAFs for their needs.
License: Creative Commons Attribution License 2.5
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: [Roadmap View]
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Version 1.0 of WAFEC was released in 2006 and is heavily used in the industry featuring in an estimated 50% of WAF RFPs. WAFEC 1.0 is available for download in the following formats:
last reviewed release
Not Yet Reviewed


other releases