1 Management Summary
The KuppingerCole Market Compass provides an overview of a market segment and the vendors in that segment. It covers the trends that are influencing that market segment, how it is further divided, and the essential capabilities required of solutions. It also provides ratings of how well these solutions meet our expectations.
Web Application Firewalls (WAF) are nothing new and have been in use for quite some time to protect web applications by inspecting HTTP traffic. Traditionally, WAFs were deployed on-premises to protect both internal intranets and externally facing internet web applications. Over time, organizations have grown to depend on web applications for doing business with partners and customers, which makes maintaining and protecting those web applications business-critical.
This Market Compass covers solutions that protect web applications using a Web Application Firewall (WAF). These solutions protect web-based applications and their data, and are commonly found in organizations of every size, from small to large. They not only have to meet the basic WAF requirements seen in the past but must also provide more advanced capabilities to meet emerging IT requirements and protect against the evolving landscape of attacks seen on the internet today.
Traditional WAF solutions typically provide OWASP Top 10 protection, signature-based detection of malicious attacks, traffic monitoring, whitelisting and blacklisting of IPs and URLs, as well as other basic capabilities. Vendors have added advanced WAF capabilities to keep up with the ever-changing attack vectors on the internet. For example, it is reported that over 30% of all online traffic is due to bots, and that roughly 20% of those bots are malicious. Some of these malicious bots even attempt to log in to user accounts. Given these types of attacks, advanced WAF capabilities are needed to distinguish automated bots from real users, as well as to detect other abnormal activity using AI and machine learning.
The WAF market today has become heterogeneous with regard to deployment models. WAF solutions in today's market are designed to offer comprehensive WAF capabilities regardless of where the IT environment is located, and can support one or more environment types such as on-premises, cloud (public, private, multi-cloud), or hybrid deployment models.
Keeping up with new attacks using the traditional signature-rule approach is a never-ending process that organizations must stay on top of if they maintain their own WAFs. Other organizations recognize the cost of this WAF maintenance overhead and/or lack the specific skills or expertise in-house to maintain them properly. Some organizations, and a growing number of them, choose a managed WAF service to relieve them of the maintenance overhead and/or to provide the needed expertise. Managed WAF services vary in how much or how little of the WAF they manage, depending on the customer's ability to participate in the WAF's configuration and maintenance.
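To make the distinction between the traditional signature approach and the behavioural bot detection described above concrete, here is an added illustration (not code from the report or from any vendor it covers). It runs a static IP denylist and a hypothetical injection signature over constructed access-log lines, then adds a simple per-client login heuristic; the credential-stuffing client is only caught by the latter, because each of its requests looks benign on its own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, parse_qs

# Constructed sample access-log lines (not from the report): one SQL-injection
# probe that a signature catches, and a credential-stuffing bot whose requests
# individually look like ordinary logins and only stand out as a pattern.
SAMPLE_LOG = """\
203.0.113.5 POST /login?user=alice&pass=hunter2
203.0.113.9 GET /search?q=1'%20OR%20'1'='1
198.51.100.7 POST /login?user=bob&pass=a
198.51.100.7 POST /login?user=carol&pass=b
198.51.100.7 POST /login?user=dave&pass=c
198.51.100.7 POST /login?user=erin&pass=d
198.51.100.7 POST /login?user=frank&pass=e
"""

# Traditional controls (hypothetical): a static IP denylist and one signature
# in the spirit of OWASP Top 10 injection checks.
DENY_IPS = {"192.0.2.1"}
SIGNATURES = {"sqli": re.compile(r"(?i)'\s*(or|and)\s*'")}
# Behavioural control: distinct usernames one client may try at /login before
# it is treated as an automated credential-stuffing bot.
LOGIN_BURST_THRESHOLD = 5


def parse(line):
    """Split '<ip> <method> <path>' and URL-decode the path for inspection."""
    ip, method, path = line.split(" ", 2)
    return ip, method, unquote(path)


def inspect_log(log):
    """Return {client_ip: [reasons]} combining signature and behavioural checks."""
    alerts = defaultdict(list)
    login_users = defaultdict(set)  # usernames seen per IP for the bot heuristic
    for line in log.splitlines():
        ip, method, path = parse(line)
        if ip in DENY_IPS:
            alerts[ip].append("denylist")
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts[ip].append(name)
        if method == "POST" and path.startswith("/login?"):
            query = parse_qs(path.split("?", 1)[1])
            login_users[ip].update(query.get("user", []))
    for ip, users in login_users.items():
        if len(users) >= LOGIN_BURST_THRESHOLD:
            alerts[ip].append("login-burst")
    return dict(alerts)
```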
The essential capabilities that customers should look for in solutions must be based on their own requirements for protecting their web applications from malicious attacks. Baseline considerations should include the ability to scan for and detect web attack signatures, as well as protection from DDoS. Beyond the basic capabilities, some thought should be given to how more advanced web attacks can be discovered, such as bots of various types and other unknown future attack vectors, using AI/ML pattern recognition techniques. Further benefits can be gleaned from intelligence feeds about global web attacks against other organizations. In today's market, cloud-based WAF solutions have become competitive with traditional on-premises WAF solutions and should be included in the evaluation list when selecting a WAF solution. Finally, depending on the depth and skill set of an organization's personnel, a partially to fully managed WAF service should also be assessed.