Back in May, at AppSec OWASP in Ghent, I listened to Alexander Meisel (who was presenting on behalf of OWASP Germany) talk about best practices for web application firewall deployment. The interesting talk was backed by a larger document, which was only available in German at the time (I don't read German). The translated version is now available, and I am happy to say that it is as interesting as I thought it would be.
As you may be aware, I am leading the Web Application Firewall Evaluation Criteria (WAFEC) project, where we outline the questions that need to be asked when evaluating WAFs. WAFEC is quite technical, and I've always felt that we've skipped one step, addressing the technical questions too soon. Best Practices: Use of Web Application Firewalls addresses some of those things that people ask before they go to the evaluation stage. Here are some of topics covered by this document:
- Roles that need to be established internally in order to support WAF deployment.
- Suitability of applications for protection via web application firewalls
- A mapping of WAF features against common security issues (what WAFs can and cannot do).
Overall, it's a very refreshing read and a step in the right direction.