Web application firewalls (WAFs) are a new breed of information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code.
As web application attacks grow in number and sophistication, it is vitally important to develop standardized criteria for product evaluation. The Web Application Firewall Evaluation Criteria Project (WAFEC) serves two goals: it helps users understand what a WAF is and what role it plays in protecting web sites, and it provides a tool for users to make an educated decision when selecting a WAF.
In order to ensure objectivity, WAFEC is written by a large group of information security professionals who represent users, vendors, academia, and independent analysts and researchers. If you would like to be involved with the project, please contact Ofer Shezaf.
WAFEC 1.0 (Released)
The first version of WAFEC was released in 2006 and is the leading resource defining what a WAF is. WAFEC is commonly used by organizations when evaluating WAFs.
WAFEC 1.0 is available in several formats:
Please note that WAFEC, like all other WASC projects, is distributed under the Creative Commons license. Please respect this license. In particular, the license requires that if you use the information, you attribute it to WASC and WAFEC.
WAFEC Response Matrix
The WAFEC response matrix translates WAFEC into an easy-to-use standardized tool. The response matrix breaks WAFEC into specific numbered questions and explains how to address each question. The matrix is intended for both vendors and WAF evaluators: vendors can provide detailed information about their products' compliance with WAFEC by filling in this document, while evaluators can use the document to compare different products.
Usage guidelines:
- To evaluate several products, list them on the first tab of the spreadsheet and use one column for each product in the following tabs.
- The product columns specify how to answer each question:
  - Yes/No - answer either yes or no.
  - Yes/No/NA - answer either yes or no, or NA if the question is not applicable to the product.
  - Specify - enter a value, often numeric, to answer the question.
  - List - specify all the applicable values.
  - Describe - provide descriptive text as an answer, or point to an external resource or attachment.
- In all cases, remarks can be added in the following column.
- WAFEC 1.0 is not a minimum criteria for WAFs. Not supporting a feature does not disqualify a product. Some features may not be relevant to certain environments or to specific needs.
- The answer N/A does not imply lack of support for a feature, but that the feature is not relevant for the product. For example, a feature may be related to a deployment mode that the product does not support.
Download WAFEC response matrix
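To show how the answer types above can be checked mechanically when comparing several vendors' filled-in matrices, here is an added example (not the WAFEC spreadsheet or any WASC code) that validates each answer against its declared type and tallies Yes/No/NA per product, keeping NA separate from No as the guidelines require. The CSV layout, column names, question numbers and product names are constructed assumptions.

```python
import csv
import io

# Answer types as named in the WAFEC response matrix usage guidelines.
YES_NO, YES_NO_NA, SPECIFY, LIST, DESCRIBE = "Yes/No", "Yes/No/NA", "Specify", "List", "Describe"

# Constructed sample matrix (assumed layout, not the real WAFEC sheet):
# question id, answer type, one column per product, then a remarks column.
SAMPLE_MATRIX = """question,type,ProductA,ProductB,remarks
1.1,Yes/No,Yes,Maybe,
1.2,Yes/No/NA,NA,Yes,ProductA has no transparent-bridge mode
2.1,Specify,1000,250,requests per second
2.2,List,"HTTP/1.0,HTTP/1.1",HTTP/1.1,
3.1,Describe,See attachment A,,
"""


def validate_answer(answer_type, value):
    """Return an error message if value is not a valid answer for answer_type, else None."""
    v = value.strip()
    if answer_type == YES_NO:
        return None if v in ("Yes", "No") else f"expected Yes or No, got {v!r}"
    if answer_type == YES_NO_NA:
        return None if v in ("Yes", "No", "NA") else f"expected Yes, No or NA, got {v!r}"
    if answer_type in (SPECIFY, LIST, DESCRIBE):
        return None if v else "answer must not be empty"
    return f"unknown answer type {answer_type!r}"


def evaluate_matrix(csv_text):
    """Validate every product answer and tally Yes/No/NA answers per product.

    NA is counted on its own because, per the guidelines, it means the
    feature is not relevant to the product, not that it is unsupported.
    Returns (list of error strings, {product: {"Yes": n, "No": n, "NA": n}}).
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    products = [c for c in rows[0].keys() if c not in ("question", "type", "remarks")]
    errors = []
    tally = {p: {"Yes": 0, "No": 0, "NA": 0} for p in products}
    for row in rows:
        for p in products:
            err = validate_answer(row["type"], row[p])
            if err:
                errors.append(f"{row['question']} {p}: {err}")
            elif row["type"] in (YES_NO, YES_NO_NA):
                tally[p][row[p].strip()] += 1
    return errors, tally
```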
WAFEC 2.0 (In progress)
WAFEC 2.0 is in its early stages. The goals of WAFEC 2.0 are:
- Define what threats a WAF should mitigate, based on the WASC Threat Classification project.
- Split the WAFEC 1.0 requirements into must-haves and nice-to-haves. The former define what a WAF is, while the latter serve as criteria for evaluating one.
- Clearly distinguish between the requirements and the descriptive text. An advanced user would use only the requirements, while the descriptive text would be used by beginners or where a requirement's exact meaning requires clarification.
The following people have joined the WAFEC 2.0 project team:
Community & Research:
- Christian Folini, Netnea.com; creator of REMO, an open source rule editor for ModSecurity.
- Emilio Casbas
- Prof. Giovanni Vigna, University of California, Santa Barbara
- Gregory Fresnais, BreakingPoint Systems, hardware test equipment for WAFs.
- Ivan Ristic; Ivan is the creator of ModSecurity, an open source WAF. Ivan also led WAFEC 1.0.
- Keith Holt, Security Architecture, Texas Instruments
- Lior Cohen, Juniper
- Ofer Shezaf, Xiom; Ofer leads the WAFEC project
- Ori Segal, IBM (Rational)
- Prof. Stefano Zanero, Politecnico di Milano
- Tom Stripling, Security PS
- Thomas Raef, WeWatchYourWebsite.com
- Yuli Stremovsky, Creator of GreenSQL, an open source database firewall
WAF Vendors:
- Alexander Meisel, Art of Defence
- Anshuman Singh, Barracuda
- Matthieu Estrade, Bee-ware
- Ido Breger, F5
- Julian Totzek, Deny All
- Kurt Roemer, Citrix
- Raviv Raz, Applicure
- Ryan Barnett, Trustwave
- Sandro Janita, FortiNet
- Sharon Besser, Imperva
WAFEC is copyrighted © 2006-2009 Web Application Security Consortium (http://www.webappsec.org).
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to: Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.