Web application firewall evaluation guide

by Anton Chuvakin

Related link: http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.html




People often find it very hard to compare security solutions (be they software or hardware appliances). Some solutions, like firewalls, have relatively well-established testing criteria, while others, in newer segments of the security market, do not. A team from the Web Application Security Consortium (with the author of this blog included) came up with the "Web Application Firewall Evaluation Criteria" document. It covers the following areas of functionality of a "web firewall":

  • Section 1 - Deployment Architecture

  • Section 2 - HTTP Support

  • Section 3 - Detection Techniques

  • Section 4 - Protection Techniques

  • Section 5 - Logging

  • Section 6 - Reporting

  • Section 7 - Management



If you are looking at that type of technological safeguard, do read the guide.