Web Application Security Consortium Releases Vendor Neutral Evaluation Criteria for Selecting Application Firewalls.

WWW.WEBAPPSEC.ORG -- Security Experts, Practitioners, and Vendors Join Forces to Provide Open Set of Guidelines that Simplify Independent Assessment of Products

The Web Application Security Consortium (WASC), an international group of information security experts that produce open application security guidelines for the World Wide Web, today announced that it has released version 1.0 of The Web Application Firewall Evaluation Criteria (WAFEC). WAFEC is a collaborative effort by a team of security experts, industry practitioners, and vendors designed to provide an independent and vendor-neutral set of criteria for evaluating Web Application Firewall products.

The following organizations have contributed to developing the WAFEC: Arctec Group, Bee Ware, Breach Security, Cisco Systems, Citrix Systems, daVinci Consulting, EDS, e-Xpert Solutions, F5 Networks, Hacktics, Imperva, NetContinuum, netForensics, NSS Group, Seclutions AG, Secureprise, SPI Dynamics, Thinking Stone, Watchfire, and WhiteHat Security.

"Although Web Application Firewalls are now required to effectively secure sensitive data connected to web infrastructures, comparing and choosing the right product is both complex and time consuming," said Ivan Ristic, WAFEC Project leader, and CTO of Thinking Stone. "This first release from the Web Application Firewall Evaluation Criteria project not only makes comparison possible, but, more importantly, enables users to understand the requirements and the inner workings of various application defense mechanisms."

Web Application Firewall (WAF) technology has become an integral component of web security infrastructures and a requirement for protecting web applications from breaches that can lead to the theft of financial and privacy data. However, both vendors and user organizations tend to view WAFs in different ways, so there is no single baseline for comparing competing products.

WAFEC provides a standardized and easy to understand structure for evaluating WAF technology. WAFEC includes a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution for meeting the unique needs of his or her organization. The WAFEC covers the following areas for assessing and comparing WAF offerings:

--Deployment architecture
--HTTP and HTML support
--Detection techniques
--Protection techniques
--Logging
--Reporting
--Management
--Performance
--XML

The WAFEC document is publicly available free of charge from the project home page at: http://www.webappsec.org/projects/wafec/

About WASC

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security. Membership and participation in WASC related activities is free and open to all.
For more information visit: http://www.webappsec.org/

Web Application Firewall Evaluation Criteria (WAFEC) Project Member Quotes

"Evaluating security products in general and application firewalls specifically frequently is a FUD-laden task, this guide has technical breadth and depth; and should help persistent organizations cut through the vendor hand waving and get to the heart of the matter - finding the right web app firewall for their organization to protect their web application(s)."
Gunnar Peterson, CTO, Arctec Group

"WASC continues in its tradition of producing high-quality and community-driven research for the web application security industry."
Matthieu Estrade, Product Manager, Bee-ware

"Web application security is the upcoming threat to e-commerce, and application firewalls are the answer. As the standard setting organization in the area of application security, it is of great importance that the Web Application Security Consortium releases Web Application Firewall Evaluation Criteria that will enable customers to make the right choice when making this important decision."
Ofer Shezaf, CTO, Breach Security

"Web application attacks are increasingly posing the most serious threat to today's IT infrastructures. Objective test criteria, such as Web Application Security Consortium's evaluation criteria for Web Application Firewalls (WAFEC), that are created by the leading security authorities in the industry empowers enterprise IT security managers to properly evaluate the effectiveness of Web application security solutions and bring improved attack protection capabilities to business critical Web applications. Citrix is pleased to participate in WAFEC and lend support to this important industry-wide effort."
Greg Smith

"As many recent well-publicized data breaches show, organizations must address more sophisticated attacks on business applications and data by implementing additional layers of protection. Web Application Firewalls are an important component of such protection."
Shlomo Kramer, CEO, Imperva

"The Web Application Firewall Evaluation Criteria (WAFEC) provides a useful structure for organizations to use as they select solutions that will better secure proprietary business information and transactions."
Amichai Shulman, Chief Technology Officer, Imperva

"We are seeing a shift within customers. There is now general agreement that application security is a priority, the question customers are now grappling with is, 'how best to protect my apps'? Independent, researched, and organized solution criteria are critical in helping customers make the right choices to really secure their systems. NetContinuum intends to help drive WASC and their efforts forward as application security threats and protective technologies evolve."
Varun Nagaraj, CEO, NetContinuum

"WAFEC is a valuable effort to standardize testing of the security devices, that belong to a category perceived to be complicated or even confusing to end users. The threats are real, but relevant protections are lagging behind, in part due to the solutions complexity and lack of consistent testing methodology. WAFEC provides such methodology."
Dr Anton Chuvakin, Security Strategist, netForensics, Inc.

"What's worse than being attacked? Not even knowing about it!
Successful attacks on the application layer cannot be detected in most cases. An attacker only needs to find one entry point to be successful whereas the service provider on the other hand needs to secure all applications on all layers. The threat scenario develops so fast that many customers are overwhelmed by its complexity. The efforts of the Web Application Security Consortium are a great approach to help customers to understand the requirements and mechanisms to protect Web applications much better and decide on appropriate measures."
Cyrill Osterwalder, Chief Technology Officer, Seclutions AG

"Protecting web applications is a complex and difficult task and security teams today are under intense pressure to keep up with the volume of security issues they need to address. It is more critical than ever to define industry standards that customers can use to classify, rank and select best of breed web application firewall products. Adopting the Web Application Firewall Evaluation Criteria will make it faster and more efficient for companies to meet the unique security requirements of their organization and the WAFEC project will help customers to make more informed decisions based on facts rather than on product brochures."
Ory Segal, Director of Security Research, Watchfire

"In the past it was impossible to verify the needed functionality of an application firewall without speaking to a vendor. The Web Application Firewall Criteria Project helps users and vendors to conform to a neutral third party quality expectation that is greatly needed in the industry."
Robert Auger, Co-Founder, The Web Application Security Consortium

"WASC's mission is to promote understanding and awareness of web application security. With the WAFEC project, we are creating a level playing field from which customers, industry analysts, and vendors can objectively evaluate the web application firewall market."
Jeremiah Grossman, CTO, WhiteHat Security