Friday 25 September 2009

WAFs for OWASP crowd to perform independent tests

Just had this request from one of the best WAF authors & researchers in the world (sorry can't say his name publicly) who asked me this:

"...I am researching WAF evasion and I need access to a commercial WAF. I am finding a lot of interesting things, but without knowing if they are real problems in production that does not mean much.

Do you know someone who could be willing to give me access to a non-production box for testing purposes?..."

From the above, I have two questions:
  1. Anybody from this list can help him? Ping me directly and I will put the two of you in touch.
  2. Is the WAF industry (both proprietary and open source) mature enough that they can 'lend' an evaluation WAF (the actual appliance) to OWASP so that OWASP leaders & members can independently evaluate it?
  • If they are, I'm happy to help set up some rules of engagement, for example: "The WAF will be hosted by an independent (i.e. non WAF vendor) OWASP leader or member", "there are no limitations on the types of apps that can be 'protected' by the WAF", "if any major issues are discovered, 'responsible disclosure' will be used".

I think if we do this right, it could be a win-win for everybody.

Dinis Cruz