[Owasp-leaders] Common Controls Efficacy Framework

Tony Turner tony.turner at owasp.org
Tue Jul 28 05:36:39 UTC 2015

Many of you may not be aware, but I'm in the process of rebooting the
stalled WAFEC project.

One of the key obstacles in prior efforts was attempting to quantify the
necessary controls to mitigate specific webapp threats (utilizing the WASC
Web Threat Classifications
http://projects.webappsec.org/w/page/13246978/Threat%20Classification ). One
major issue here is how vendors approach such evaluations and how we can
best evaluate the efficacy of a specific WAF control. A standard approach
tends to be the use of benchmarking, but this can be a flawed approach as
well, as vendors seek to game the benchmark. For instance, the app is
vulnerable to SQLi and the tools used to test use a well-known string that
the vendor can supply a regex to "mitigate" without actually providing much
security value. This is also a very technology-biased approach, as the
benchmark site typically only uses a single framework/stack.

Another approach is to query vendors and ask if their product mitigates a
specific web threat. That's not great either, because the answer will almost
always be yes, but HOW?

Lastly, evaluation can become a "black-box" assessment where the vendors
have no visibility into the process and only receive results. This is a
good model if you are conducting these assessments professionally, but it is
contrary to the open nature of the project and OWASP in general. It's also
very biased towards the specific technologies in the testers' lab
environment. The idea is to create a framework that is transparent and
effective, with consistent results and a limited ability to game it.

I wanted to first discover if anyone is aware of an existing framework that
addresses the efficacy of mitigating controls, similar in fashion to how
CVSS creates a taxonomy allowing the evaluation and scoring of a specific
vulnerability. Assuming this does not exist, I wanted to poll the group to
see if there is interest in pursuing the creation of such a framework,
initially as a sub-group of WAFEC and eventually as a standalone project.

To give you an idea of what I'm talking about, let's say the Threat
Classification is CSRF attacks. The WAF vendor states they mitigate these
attacks. There might be any number of ways this is done, with varying
degrees of effectiveness. (Much more than this, just an initial thought.)

- increase security scores as detection ramps up
- behavioral profiling
- request latency
- specific signatures
- referrer header checks
- as a chained detection after successful XSS detection

- injection of CAPTCHA
- inject CSRF token
- require secondary login
- randomize certain HTML elements or inject honeytokens
- blacklist known CSRF attackers based on threat intel

Which is best? Is it always best? And now let's say the decision is to block
that user; how is this done?

- blacklist IP
- blacklist session ID
- blacklist user
- send RST to both endpoints
- silently drop the packet
- redirect the user
- send command to network layer device for mitigation

I welcome your comments! Thanks,

Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner at owasp.org
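The "which is best, and is it always best?" question above is exactly what an efficacy framework would have to answer per control. As an added illustration (not part of the original message or of WAFEC), the following harness scores two of the listed CSRF controls, a referrer header check and WAF-injected CSRF tokens, against a small constructed corpus of requests with known ground truth. The protected site, the session token value and the request cases are all assumptions made up for the example; the point is that each control's true-positive and false-positive counts depend on deployment choices such as how a missing Referer is treated or whether every form actually received a token.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit
import hmac

SITE = "https://app.example"  # hypothetical protected application

@dataclass
class Request:
    referer: Optional[str]  # Referer header, None when the browser omitted it
    token: Optional[str]    # CSRF token carried in the request body
    cross_site: bool        # ground truth: was this request forged from another origin?

# Control 1: referrer header check. A present-but-foreign Referer is rejected;
# how to treat a *missing* Referer is the design choice that decides its efficacy.
def referer_check(req: Request, reject_missing: bool) -> bool:
    if req.referer is None:
        return not reject_missing
    return urlsplit(req.referer).netloc == urlsplit(SITE).netloc

# Control 2: per-session synchronizer token that the WAF injects into served forms.
def token_check(req: Request, session_token: str) -> bool:
    return req.token is not None and hmac.compare_digest(req.token, session_token)

SESSION_TOKEN = "c0ffee-constructed-sample"  # constructed sample value

CASES = [  # constructed corpus; each line is one request with its ground truth
    Request(f"{SITE}/form", SESSION_TOKEN, False),  # normal same-site submission
    Request("https://evil.example/", None, True),   # classic cross-site form post
    Request(None, None, True),                      # forged request, Referer stripped
    Request(None, SESSION_TOKEN, False),            # legit user with Referer suppressed
    Request(f"{SITE}/form", None, False),           # legit form the WAF never rewrote
]

def efficacy(control: Callable[[Request], bool]) -> Dict[str, int]:
    """Count attacks blocked, attacks missed, and legitimate requests blocked."""
    blocked_attacks = missed_attacks = blocked_legit = 0
    for req in CASES:
        allowed = control(req)
        if req.cross_site:
            if allowed: missed_attacks += 1
            else: blocked_attacks += 1
        elif not allowed:
            blocked_legit += 1
    return {"blocked_attacks": blocked_attacks,
            "missed_attacks": missed_attacks, "blocked_legit": blocked_legit}

def compare_controls() -> Dict[str, Dict[str, int]]:
    return {
        "referer_lenient": efficacy(lambda r: referer_check(r, reject_missing=False)),
        "referer_strict": efficacy(lambda r: referer_check(r, reject_missing=True)),
        "csrf_token": efficacy(lambda r: token_check(r, SESSION_TOKEN)),
    }
```

Run `compare_controls()` to see that the lenient referrer check misses the Referer-stripped forgery, while the strict variant and the token control catch every attack but each block one legitimate request, which is the trade-off a scoring framework has to make visible rather than collapse into "yes, we mitigate CSRF".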