
Assessment Methodology

A WAF++ assessment is not a one-time audit, but a structured process that makes architectural decisions measurable and continuously improvable. This page describes the complete workflow – from preparation to prioritized remediation.

Overview

An assessment goes through four phases:

| Phase          | Content                                       | Output                            |
|----------------|-----------------------------------------------|-----------------------------------|
| 1. Scoping     | Which pillars, which environment, which depth | Assessment plan                   |
| 2. Review      | Automated checks (wafpass) + manual reviews   | Raw findings (PASS / FAIL / SKIP) |
| 3. Evaluation  | Severity, maturity, regulatory relevance      | Prioritized findings list         |
| 4. Remediation | Action plan, assignment, tracking             | Improved compliance posture       |


Phase 1: Scoping

Select Pillars

Not every assessment needs to cover all 7 pillars. Typical entry points:

| Context                                    | Recommended pillars                                       |
|--------------------------------------------|-----------------------------------------------------------|
| First assessment (greenfield)              | Pillar 1 (Security), Pillar 7 (Sovereign), Pillar 2 (Cost) |
| Before a compliance audit (GDPR / BSI C5)  | Pillar 7 (Sovereign), Pillar 1 (Security)                 |
| Cost review / FinOps initiative            | Pillar 2 (Cost Optimization)                              |
| Platform maturity measurement (full)       | All 7 pillars                                             |
| Incident post-mortem                       | Pillar 4 (Reliability), Pillar 5 (Operational Excellence) |

Define Environment and Scope

Define before starting:

  • Target environment – production, staging, or both?

  • Provider scope – AWS, Azure, GCP, or multi-cloud?

  • Infrastructure scope – which Terraform repos, Kubernetes clusters, cloud accounts?

  • Exceptions – legacy systems or third-party components that are explicitly excluded

Keep the scope tight for a first assessment. Start with one pillar and one environment – this creates fast, actionable results.

Set Severity Threshold

Decide upfront which severity level is considered blocking:

| Severity | Meaning                                 | Recommended action                          |
|----------|-----------------------------------------|---------------------------------------------|
| critical | Immediate security or compliance risk   | Immediate remediation, no deploy without fix |
| high     | Significant risk, address short-term    | Sprint goal, max. 2 weeks                   |
| medium   | Improvement needed, medium-term         | Backlog, next quarterly planning            |
| low      | Best-practice deviation                 | Nice-to-have, opportunistic                 |


Phase 2: Review

Automated Checks with wafpass

wafpass reads the WAF++ controls (YAML) and checks Terraform configurations against the defined assertions.

Installation

pip install wafpass

Simple check (all controls)

wafpass check ./infrastructure/

Filtered by pillar

wafpass check ./infrastructure/ --pillar sovereign
wafpass check ./infrastructure/ --pillar cost

Critical and high findings only

wafpass check ./infrastructure/ --severity critical,high

CI/CD – exit code on findings

# Fails if critical findings are found
wafpass check ./infrastructure/ --fail-on critical

# For stricter pipelines: also block on high
wafpass check ./infrastructure/ --fail-on critical,high

Full output with assertion details

wafpass check ./infrastructure/ --verbose

Understanding the Output

A typical wafpass output:

WAF-SOV-010  Data Residency Policy        FAIL   critical
  ✗ aws_db_instance.main: missing tag 'data-residency'
  ✗ aws_elasticache_cluster.session: missing tag 'data-class'

WAF-SOV-020  Region Pinning               PASS   high
WAF-COST-010 Cost Allocation Tagging      FAIL   high
  ✗ aws_instance.web: missing tag 'cost-center'
  ✗ aws_instance.web: missing tag 'owner'

WAF-COST-020 Budgets & Alerting           PASS   medium
WAF-COST-040 Retention Lifecycle          FAIL   medium
  ✗ aws_cloudwatch_log_group.debug_logs: retention_in_days = 0

────────────────────────────────────────────────
Controls checked:  12     PASS: 7    FAIL: 4    SKIP: 1
Critical FAILs:     1     High FAILs: 1

| Status | Meaning                                                                                        |
|--------|------------------------------------------------------------------------------------------------|
| PASS   | All assertions for this control satisfied                                                      |
| FAIL   | At least one assertion not satisfied – finding with details                                    |
| SKIP   | Control not automatically checkable (e.g. governance controls) or no matching resource in scope |

Manual Additions

Not all controls are automatable. Controls with automated: false (typically governance and process controls) require manual review:

| Control type                          | Manual review steps                                                          |
|---------------------------------------|------------------------------------------------------------------------------|
| WAF-COST-050 (Cost Impact Assessment) | Check ADR documents: does each ADR contain a cost impact section?            |
| WAF-COST-060 (FinOps Review Cadence)  | Check calendar entries and meeting notes of monthly/quarterly FinOps reviews |
| WAF-SOV-070 (Break-Glass)             | Is the break-glass process documented and regularly tested?                  |
| WAF-SOV-100 (Exit Plan)               | Is a current exit plan in place? Date of last test?                          |


Phase 3: Evaluation

Prioritize Findings

Combine severity and maturity for an action matrix:

| Maturity         | Critical              | High        | Medium / Low  |
|------------------|-----------------------|-------------|---------------|
| Level 1 (Ad hoc) | Immediate – no deploy | Sprint goal | Quarter       |
| Level 2–3        | Immediate – no deploy | 2 weeks     | Opportunistic |
| Level 4–5        | Exception process     | Backlog     | Ignore ok     |

Determine Maturity

The WAF++ Maturity Model has 5 levels. For each pillar a maturity level is derived from PASS rates per level:

| Level                  | Criterion                          | Typical PASS rate |
|------------------------|------------------------------------|-------------------|
| Level 1 – Ad hoc       | No structured controls in place    | < 30 %            |
| Level 2 – Standardized | Basic controls in place, manual    | 30–60 %           |
| Level 3 – Integrated   | Automated checks, CI integration   | 60–80 %           |
| Level 4 – Sovereign    | Full automation, audit-ready       | 80–95 %           |
| Level 5 – Optimized    | Continuous improvement, metrics    | > 95 %            |

The overall maturity is the minimum across all assessed pillars – a chain is only as strong as its weakest link.
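A worked version of the maturity table and the severity/maturity action matrix from "Prioritize Findings", as an added example that is not part of wafpass or the WAF++ project. It assumes the PASS rate excludes SKIPs, that the matrix is looked up with the finding's own pillar maturity, and that exactly 95 % counts as Level 4; the findings are constructed to mirror the sample wafpass output in Phase 2.

```python
# Added example (not part of wafpass or WAF++): derive per-pillar maturity from
# PASS rates, take the minimum as overall maturity, and assign each FAIL an
# action from the matrix. Assumed: SKIPs excluded from the rate; 95 % = Level 4.

# Action matrix rows by maturity level: (critical, high, medium/low)
ACTION_MATRIX = {
    1: ("Immediate - no deploy", "Sprint goal", "Quarter"),
    2: ("Immediate - no deploy", "2 weeks", "Opportunistic"),
    3: ("Immediate - no deploy", "2 weeks", "Opportunistic"),
    4: ("Exception process", "Backlog", "Ignore ok"),
    5: ("Exception process", "Backlog", "Ignore ok"),
}

# Constructed findings (control, pillar, status, severity), modelled on the sample output
FINDINGS = [
    ("WAF-SOV-010", "sovereign", "FAIL", "critical"),
    ("WAF-SOV-020", "sovereign", "PASS", "high"),
    ("WAF-COST-010", "cost", "FAIL", "high"),
    ("WAF-COST-020", "cost", "PASS", "medium"),
    ("WAF-COST-040", "cost", "FAIL", "medium"),
    ("WAF-COST-050", "cost", "SKIP", "low"),
]

def maturity_level(pass_rate):
    """PASS rate (0..1) -> maturity level 1-5 per the table bands."""
    if pass_rate > 0.95:
        return 5                   # Optimized
    # Ad hoc < 30 %, Standardized >= 30 %, Integrated >= 60 %, Sovereign >= 80 %
    return 1 + sum(pass_rate >= floor for floor in (0.30, 0.60, 0.80))

def pillar_maturity(findings):
    """{pillar: level}; a pillar with only SKIPs has nothing checked -> Level 1."""
    counts = {}                                     # pillar -> [PASS, FAIL]
    for _, pillar, status, _ in findings:
        c = counts.setdefault(pillar, [0, 0])
        if status in ("PASS", "FAIL"):
            c[status == "FAIL"] += 1                # True indexes the FAIL slot
    return {p: maturity_level(c[0] / sum(c)) if sum(c) else 1
            for p, c in counts.items()}

def overall_maturity(levels):
    return min(levels.values())                     # weakest link across pillars

def action_plan(findings):
    """[(control, severity, action)] for every FAIL, ordered critical first."""
    levels = pillar_maturity(findings)
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    fails = sorted((f for f in findings if f[2] == "FAIL"), key=lambda f: order[f[3]])
    # medium and low share the third matrix column, hence min(.., 2)
    return [(c, s, ACTION_MATRIX[levels[p]][min(order[s], 2)]) for c, p, _, s in fails]
```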

Regulatory Classification

Each WAF++ control is mapped to regulatory frameworks (GDPR, BSI C5:2020, ISO 27001:2022, EUCS, GAIA-X). Use this mapping to put findings into compliance context:

  • GDPR Art. 32 – technical and organizational measures → primarily Pillar 1 + 7

  • BSI C5:2020 – infrastructure controls → Pillar 7 (Sovereign)

  • ISO 27001:2022 – ISMS controls → Pillar 1, 5, 7

  • EUCS – EU cloud certification → Pillar 7

The detailed mapping per control is in the Controls Catalog.


Phase 4: Remediation

Build an Action Plan

For every FAIL finding, wafpass recommends concrete remediations directly in the output (--verbose). Transfer the findings into your ticket system with the following fields:

Title:       [WAF-COST-010] aws_instance.web – missing tags cost-center, owner
Severity:    high
Control:     WAF-COST-010 – Cost Allocation Tagging
Resource:    aws_instance.web (compute.tf:9)
Finding:     Tags 'cost-center' and 'owner' missing
Action:      Add tags, integrate wafpass check in CI
Due date:    2 weeks
Owner:       Platform Team

CI/CD Integration

For continuous compliance, integration into the pipeline is recommended:

GitHub Actions

name: WAF++ Compliance Check

on: [push, pull_request]

jobs:
  wafpass:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install wafpass
        run: pip install wafpass

      - name: Run WAF++ checks
        run: wafpass check ./infrastructure/ --fail-on critical --pillar cost,sovereign

Pre-commit Hook

#!/bin/sh
# .git/hooks/pre-commit – must be executable (chmod +x); the commit is blocked
# when wafpass exits non-zero on a critical finding
wafpass check ./infrastructure/ --fail-on critical --severity critical,high

Tracking and Repetition

An assessment is not a one-time event. Recommended cadence:

| Trigger                       | Action                                          |
|-------------------------------|-------------------------------------------------|
| Every pull request            | Automated wafpass check (--fail-on critical)    |
| Monthly                       | Full assessment of all pillars, maturity update |
| Before every release          | Critical + High fully PASS                      |
| Before audit / certification  | All controls PASS or documented exceptions      |


Further Reading