Web Application Security Consortium Releases Vendor Neutral Evaluation Criteria for Selecting Application Firewalls

Security Experts, Practitioners, and Vendors Join Forces to Provide Open Set of Guidelines that Simplify Independent Assessment of Products

www.webappsec.org, Jan. 17, 2006. The Web Application Security Consortium (WASC), an international group of information security experts that produces open application security guidelines for the World Wide Web, today announced that it has released version 1.0 of the Web Application Firewall Evaluation Criteria (WAFEC). WAFEC is a collaborative effort by a team of security experts, industry practitioners, and vendors designed to provide an independent and vendor-neutral set of criteria for evaluating Web Application Firewall products.

The following organizations have contributed to developing the WAFEC: Arctec Group, Bee Ware, Breach Security, Cisco Systems, Citrix Systems, daVinci Consulting, EDS, e-Xpert Solutions, F5 Networks, Hacktics, Imperva, NetContinuum, netForensics, NSS Group, Seclutions AG, Secureprise, SPI Dynamics, Thinking Stone, Watchfire, and WhiteHat Security.

"Although Web Application Firewalls are now required to effectively secure sensitive data connected to web infrastructures, comparing and choosing the right product is both complex and time consuming," said Ivan Ristic, WAFEC Project leader, and CTO of Thinking Stone. "This first release from the Web Application Firewall Evaluation Criteria project not only makes comparison possible, but, more importantly, enables users to understand the requirements and the inner workings of various application defense mechanisms."

Web Application Firewall (WAF) technology has become an integral component of web security infrastructures and a requirement for protecting web applications from breaches that can lead to the theft of financial and privacy data. However, vendors and user organizations tend to view WAFs in different ways, so there is no single baseline for comparing competing products. WAFEC provides a standardized and easy-to-understand structure for evaluating WAF technology. WAFEC includes a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution for meeting the unique needs of his or her organization.

The WAFEC covers the following areas for assessing and comparing WAF offerings:

Deployment architecture
HTTP and HTML support
Detection techniques
Protection techniques
Logging
Reporting
Management
Performance
XML

The WAFEC document is publicly available free of charge at: http://www.webappsec.org/projects/wafec/

About WASC

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security. Membership and participation in WASC related activities is free and open to all. For more information visit: http://www.webappsec.org/


Web Application Firewall Evaluation Criteria (WAFEC) Project Member Quotes

"Evaluating security products in general and application firewalls specifically is frequently a FUD-laden task; this guide has technical breadth and depth, and should help persistent organizations cut through the vendor hand waving and get to the heart of the matter - finding the right web app firewall for their organization to protect their web application(s)."

- Gunnar Peterson, CTO, Arctec Group

"WASC continues in its tradition of producing high-quality and community-driven research for the web application security industry."

- Matthieu Estrade, Product Manager, Bee-ware

"Web application security is the upcoming threat to e-commerce, and application firewalls are the answer. As the standard setting organization in the area of application security, it is of great importance that the Web Application Security Consortium releases Web Application Firewall Evaluation Criteria that will enable customers to make the right choice when making this important decision."

- Ofer Shezaf, CTO, Breach Security

"Web application attacks are increasingly posing the most serious threat to today's IT infrastructures. Objective test criteria, such as the Web Application Security Consortium's evaluation criteria for Web Application Firewalls (WAFEC), that are created by the leading security authorities in the industry empower enterprise IT security managers to properly evaluate the effectiveness of Web application security solutions and bring improved attack protection capabilities to business critical Web applications. Citrix is pleased to participate in WAFEC and lend support to this important industry-wide effort."

- Greg Smith, Director of Product Marketing, Citrix Systems

"As many recent well-publicized data breaches show, organizations must address more sophisticated attacks on business applications and data by implementing additional layers of protection. Web Application Firewalls are an important component of such protection."

- Shlomo Kramer, CEO, Imperva

"The Web Application Firewall Evaluation Criteria (WAFEC) provides a useful structure for organizations to use as they select solutions that will better secure proprietary business information and transactions."

- Amichai Shulman, Chief Technology Officer, Imperva

"We are seeing a shift within customers," said Varun Nagaraj, CEO of NetContinuum, Inc. "There is now general agreement that application security is a priority; the question customers are now grappling with is, 'how best to protect my apps?' Independent, researched, and organized solution criteria are critical in helping customers make the right choices to really secure their systems. NetContinuum intends to help drive WASC and their efforts forward as application security threats and protective technologies evolve."

- Varun Nagaraj, CEO, NetContinuum

"WAFEC is a valuable effort to standardize testing of the security devices that belong to a category perceived to be complicated or even confusing to end users. The threats are real, but relevant protections are lagging behind, in part due to the solutions' complexity and lack of a consistent testing methodology. WAFEC provides such a methodology."

- Dr Anton Chuvakin, Security Strategist, netForensics, Inc.

"What's worse than being attacked? Not even knowing about it! Successful attacks on the application layer cannot be detected in most cases. An attacker only needs to find one entry point to be successful whereas the service provider on the other hand needs to secure all applications on all layers. The threat scenario develops so fast that many customers are overwhelmed by its complexity. The efforts of the Web Application Security Consortium are a great approach to help customers to understand the requirements and mechanisms to protect Web applications much better and decide on appropriate measures."

- Cyrill Osterwalder, Chief Technology Officer, Seclutions AG

"Beyond e-commerce, traditional enterprise applications (ERP, CRM, etc.) are increasingly accessed over the Web and are susceptible to attacks and data compromise. WAFEC not only provides an excellent framework for customers to evaluate, but also prepares security staff to go beyond desktop and network security to protect business data."

- Sagar Golla, CEO, Secureprise

"Protecting web applications is a complex and difficult task, and security teams today are under intense pressure to keep up with the volume of security issues they need to address. It is more critical than ever to define industry standards that customers can use to classify, rank and select best of breed web application firewall products. Adopting the Web Application Firewall Evaluation Criteria will make it faster and more efficient for companies to meet the unique security requirements of their organization, and the WAFEC project will help customers to make more informed decisions based on facts rather than on product brochures."

- Ory Segal, Director of Security Research, Watchfire

"In the past it was impossible to verify the needed functionality of an application firewall without speaking to a vendor. The Web Application Firewall Criteria Project helps users and vendors to conform to a neutral third party quality expectation that is greatly needed in the industry."

- Robert Auger, Co-Founder, The Web Application Security Consortium

"WASC's mission is to promote understanding and awareness of web application security. With the WAFEC project, we are creating a level playing field from which customers, industry analysts, and vendors can objectively evaluate the web application firewall market."

- Jeremiah Grossman, CTO, WhiteHat Security