Web Application Firewall Evaluation Criteria

Web Application Firewalls (WAF) represent a new breed of information security technology that is designed to protect web sites (web applications) from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't. They also do not require modification of the application source code.

As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardised criteria for product evaluation. How else can we accurately compare or measure the performance of a particular solution?

The goal of this project is to develop a set of web application firewall evaluation criteria: a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution. However, our aim is not to document the features that must be supported in order for a product to be called a web application firewall. Web application firewalls are simply too complex to be treated like this.

To conclude: the purpose of this document is to draw one's attention to the features that are of potential importance to a given project. This comprehensive list should be used as a basis to form a much shorter list of features that are required for the project. The shorter list should then be used to evaluate multiple web application firewall products.

Current categories are as follows:

1. Deployment Architecture
2. HTTP Support
3. Detection Techniques
4. Protection Techniques
5. Logging
6. Reporting
7. Management
8. Performance
9. XML

We expect to cover the following categories in subsequent releases:

* Compliance, certifications, and interoperability.
* Increased coverage of performance issues (especially on the network level).
* Increased coverage of the XML-related functionality.

The latest version of the Web Application Firewall Evaluation Criteria is available for download as a PDF.






