Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Richard Hill. He is Lead Analyst with KuppingerCole Analysts in the United States. Hi, Richard. Good to have you.
Hi. Thanks for having me on.
Great to have you. And we want to talk about the topic, which at the first time you hear it, you think, okay, that was 15 years ago or it sounds like something like that. So we want to talk about web application firewalls and we want to talk about the most recent Ledership Compass that you've just completed and published. So if we think of web application firewalls, they are around for quite a while. So this is one of the security infrastructures that comes to my mind very, very soon when I think about protecting applications. And I started out by protecting applications from threats, by monitoring and filtering traffic. But having a Leadership Compass on that topic in 2022, that means that they are still an important market. So if we talk about threats today, what threats do web application firewalls protect applications from on the internet?
Well, yeah, as you mentioned, I mean, web firewalls, application firewalls are a bit around for quite a long time. They monitor the traffic and as they're inspecting the traffic, some of the things that they typically have traditionally looked at are things like, you know, is the SQL queries maybe are they cracked, or is there anything wrong with the JavaScript? And typically, this has been through basic core, what we call traditional WAF capabilities, where you would have a block list. And this block list would protect those against known vulnerabilities, as I just mentioned. And typically, these blocks lists are types of rules and policies that could be regular expressions that would detect specific patterns that may be considered malicious or hostile or bad and filtering them out. And there's also the reverse of that, which is positive security models, where they have rules on what kind of traffic instead of blocking but to let in. And really you need a combination of both to work effectively.
Right. So if we think of web application firewall as an infrastructure for today's digitalized world, what else is covered with this term? What are the capabilities on top of what you just described, that are nowadays included in the scope of this market segment? What are typically the capabilities apart from HTTP as filtering analysis and sometimes blocking?
Yeah. So as you know, I mean, again, traditionally in the past, web applications were not as popular as they are today. But today, just about every application out there is web based. And because of that, there's also been a growth of what's called bots, and these are little bits of automated type of software that would go out and do typically intended to do things like spider crawling the web for information or providing social media type of activity. And that I would consider a good use box. But as we see today, malicious actors are using those bots to perform other type of things like, you know, maybe a denial of service on a web application or using fake user information to try to log into a user account and then committing fraud. So as web applications have grown in popularity, so have the attacks on web applications. And they're becoming more intelligent as far as how they go about the attacks. And so as these attacks increase and the creativity of the attacks increase, you also have to put the protections in place that will anticipate or look at behaviors of typical users and then blocking out the ones that look malicious. And so this could be done through bot management and protection, which is really popular. Another area that we're seeing a lot of growth in is APIs. And because APIs are more popular, since we're orchestrating different systems together, and a lot of these systems are web based and a lot of these WAF solutions are starting to incorporate API protection, and rightly so, it's needed. So you'll start seeing not only these solutions being labeled as just web application firewalls or WAFs, but you're starting to see them as web app application and API protection or WAAP. So we're starting to see that shift in the market as well.
Right. And as you said, we are no longer in the age of the Web 1.0. So that's really functionality. There's APIs hidden behind this HTTPS. So this really is a natural development there as well. Are you seeing specific changes in the market when you compare this version of the Leadership Compass with previous research. What is still happening on that market segment?
Yeah. So when we looked at this as a Market Compass a couple of years ago and we looked at who were the companies that are providing solutions in this space? What were the type of capabilities that were available? We're also seeing, because of the number of denial of service type of attacks, some of these solutions now are coming with denial of service. But that also, denial of service protection, requires that you have these data centers and these data centers need to be globally available. So we're calling point of presence. So a solution may encounter for an organization that has many different customers globally, they would also require having these denial of service type of protection that would scrub all the HTTP traffic coming in before it hits the web application. But that also requires that they have this ability in different locations throughout the world. So a lot of the top vendors and solutions that we're seeing as leaders in this market have that capability and with that capability, there's also other things like the CDNs type of capability as well. So another type of capability that we're looking at is virtual patching. So as the number of vulnerabilities that come up and then their access, malicious attacks, sometimes it's a very short window of being able to plug that hole within a firewall. And so what they do is virtual patching. So as soon as they detect that vulnerability, they come up with a patch. And sometimes these vendors are able to implement those patches, allowing these organizations to be able to patch their systems on the back end when they're able to.
Right. And I talked to other colleagues about other aspects of security infrastructure, especially cloud delivered infrastructure and security infrastructure. As you've mentioned within your previous answer, this is mostly delivered from the cloud. But one trend that we see is trying to fill the skills gap by applying artificial intelligence, machine learning. pattern recognition. Is this something that is also adding to that market as well? Is this a trend? And is this really a functionality?
Sure. Yeah, it's definitely a functionality. So one of the things that we look at in this Leadership Compass is the level of intelligence within the WAF. And this means using kind of predictive analytics or using AI or machine learning to be able to look at patterns, user behaviors in detecting what is good traffic, what is bad traffic, and then being able to block it in an automatic format rather than trying to come up with all possible regular expressions that would be able to match a certain pattern which is untenable after a period of time, because there's just too many different attacks, too different, you know, it keeps changing over time. So really, this intelligence within the WAF is absolutely needed in a new modern type of web application firewalls. So also one of the benefits of having that type of intelligence is that they're able to detect these new type of attacks and then be able to remediate them by looking at the traffic through there. And a lot of it is JavaScript, so there's some intelligence there of understanding what type of attacks are capable through that avenue as well.
Right. And you've mentioned already that you're looking at the market segment as a whole. And just to give the audience an impression, who are the names that are players in that field? And maybe by not endorsing them, but just by mentioning them to show where are the players right now? What are some of the leaders? What are some of the organizations and vendors that you looked at during your analysis?
Yeah, some of the top leaders are companies like Imperva or F5 or Radware, Cloudflare excuse me and then Fastly. These are some of the top vendors with solutions that encompass everything that we're looking at. So not only the basic WAF capabilities that we talked about, but they also have the intelligence, the bot management, the DDoS protection, API protection, all the different capabilities that we see in the market today. They encompass a fairly good grounded solution set for a customer.
Right. With a market that has already matured over time, and of course, as we mentioned earlier, this is something that is around for quite a while. Are there still changes in this market regarding the vendors that are there, are there other new entries that do something better, different, more innovative than others? How large is the section of vendors to watch in this Leadership Compass?
Well, the number of vendors to watch, is over ten. But as far as vendors, new vendors coming into the market, there's a wide variety. So this market has been around for quite a while. So there's a lot of companies that have been around for decades, like Oracle or Palo Alto Networks. And one of the newer companies is Prophaze, and they've been only around since 2019 when there were established. But they also have a good set of capabilities that are out there. So there's still room to grow within this market and there's still growth within the market and there's still areas where innovation lies. As I mentioned, APIs is a very valid area where that capability could be added to a web application firewall as well.
Okay, great. Thank you very much, Richard, for giving that insight. Your Leadership Compass has just been published. It is available on our website. And of course, I need to mention that the audience can always go to kuppingercol.com and use the search engine and search for your Leadership Compass on web application firewalls. Or just to search for your name to get quick access to that. It's a download that you can get either with an existing subscription or you can just use the test subscription for 30 days and the full subscription. It's really affordable and there's lots of value for money, including your new Leadership Compass on web application firewalls. Any final thing that you want to mention around this, the web application firewall topic that struck you, something interesting that you came across during this research that you want to mention?
Well, as I mentioned, I mean, the increasing number of attacks and the different types of attacks I would see as a differentiator. Having that level of intelligence within the WAF is critical. One of the capabilities that we're seeing and one of the vendors that is very innovative, is providing what was kind of a bot challenge in order to make the use of bot management even more difficult for those malicious bot type of activity. And so we're... I think there's still room for innovation here. We're starting to see some new areas growing, as I mentioned, in WAF intelligence. So I think that's one area we could look for.
Interesting. Thank you very much, Richard, for spending your time with me for giving that insight into the Leadership Compass, for the diligent analysis and research work that you did. I'm looking forward to having you in an upcoming episode very soon. For today, thank you very much, Richard, for being my guest today.
Thank you.
Thank you. Bye bye.
Bye.
