Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Advisor and Analyst with KuppingerCole Analysts. Today we want to talk about a topic that has been around for quite a while. But I think you want to learn more about that topic. We want to talk about WAFs, Web Application Firewalls, and their evolution towards a new market segment, an extended market segment. And we want to learn about that new four-letter acronym which is called, I hope it's called WAAP with lots of A's in the middle. For this, I've invited my colleague Osman Celik. He is an Analyst with KuppingerCole Analysts and he has made some recent research on that topic. Hi, Osman, good to have you.
Hi Matthias, I hope you're doing well first of all. Yes, to start with the WAF market, it's also funny for me to pronounce, if I have to pronounce WAAP because it sounds like the WAF itself. And I found that a bit simple solution for that. I call it W-A-A-P so that everyone gets a clear idea of what I'm talking about.
The spelling we know as well, so it's a four-letter acronym, two A's in the middle, W in the beginning, P at the end. And that is where we are moving now. So what's behind that, that evolution between moving from a WAF, the traditional web application firewall, and everybody knows about that. How has that topic, how has that technology evolved with the changing cybersecurity challenges that we all have now?
That's a good question. So as you mentioned earlier, I have recently finished working on this report and I actually gained some useful insights throughout my research because first we try to identify how the market is evolving and if the solution requirements are changing, the capabilities are evolved, etc. And we always need some traditional tools to protect our IT environments. And that's why we have the WAFs around for quite some time already. And meanwhile, we have organizations growing and then the way of doing business is changing. We have now, we have to secure our APIs, we have to secure our supply chain security and so on. So over the time, organizations are now doing more business with customers through the web applications. And now it's more critical to secure those WAFs. And since the beginning of time and since the emergence of WAF, they provide protection against some sort of vulnerabilities, the common ones like SQL injections and cross-site scripting, et cetera. But on top of that, we have these emerging threats that are being updated every year and we expect WAF for example to answer those, address those new threats and emerging threats as well like some of them are listed in this famous top list that is generated by OWASP for example or SANS and we have to see that WAF is addressing those threats as well. And on top of that, we also need to make a distinction between the traditional WAF and then the new WAF, so-called. So with this new WAF, we also expect a WAF solution to provide DDoS protection, for example, in different layers. For example, layer two, layer three, four, seven attacks. And we see that in the market there are still some vendors that do not really answer all sort of layers. And this is one of the required capabilities, for example, we expect from vendors to provide. On top of that, we also have lots of emerging bots threatening our businesses. They are daily businesses.
And at the same time, we also see vendors also providing mechanisms for that in order to mitigate those attacks. And speaking of bot protection, again, I think that this was one of the parts that I highlighted the most in my report because we can now utilize AI and machine learning and other sorts of mechanisms beyond just the signature-based detection to deal with the bot attacks. And finally, I could say API protection is what makes WAF a modern one. But I think that I'm going to elaborate on that later on. I think that you have a specific question for that. But to wrap it up, I would say that WAF is expected to serve for more complex scenarios and use cases.
Right. And if you look at the original definition of a web application firewall, it basically is a protection for web-based application. It wraps applications into a security layer and it makes sure that it prevents all these attacks that you've mentioned, OWASP is famous for that, to prevent those and to protect these applications because they typically represent core business functionalities that just need to be protected. So web application firewalls have been around for quite some while and even those practitioners who are in the cybersecurity market for, I say, 15 years, 20 years, they have seen web application firewalls early on. So these functionalities still are required. So web applications are core elements. And if I remember your report correctly, it's a growing market. It's still a growing market, but it's also from a functionality point of view, and expanding market functionality wise. So what are the key differences? You've hinted already at that. So what is added now to this traditional wrapping up an application into a security layer and maybe doing some authentication? What else has been added? You've mentioned API protection, but there should be more.
Yeah, you're totally right about the market sizing, first of all. And API protection plays a key role here, I guess, because it really kind of combines two technologies together now. And we see that companies are using APIs more and more in their daily tasks, and I think this is inevitable now. And WAAP is a good way of dealing with those complex scenarios. And I can also say that from my observation, the market is also shifting from WAF to WAAP. And I've seen that many vendors are actually combining WAF together with API protection. And then under a single unified platform, they offer their WAAP solutions. But I also saw that some WAF vendors claim to be next-gen WAF. I think this is arguable a bit because, what is next-gen? It's kind of, for me, subjective and not objective at all. And it really depends on if you can actually deal with the 2024 standards and maybe provide some future proof technologies. And I expect more vendors to convert to a WAAP approach in the future also. And WAAP definitely provides more comprehensive defense against the sophisticated attacks coming from API side, especially. And I think that also eliminates the limitations of the traditional WAF as well.
Right. And so the good thing is that we have you as the analyst who can really drill through these marketing terms and push them aside and really look at what is required. You did the hard analyst work. You defined entry criteria that are required for being a product that is an actual WAF, no matter if it's next gen or something else, but it really qualifies for your report. Looking at these key capabilities that you expect from an application or from an infrastructure, security infrastructure that qualifies as a WAF with or without WAAP. What are you looking at and what was the entry criteria for being listed in your report?
Yeah, so basically we set several criteria and based on those criteria, we shaped how we evaluate the market and also the participants in our research. And that kind of gives us an idea of how and why some features are still important. And I would like to begin with the core WAF, actually, capabilities, because we talked about traditional WAF as if it's something bad, like something negative, but it's not, because it's really up to what an organization needs. An organization might be just fine with the traditional WAF and what it brings to your organization. So that's a must to have, and still. So you need to have some strong core functions of WAF still. But on top of that, especially for larger enterprises, you need to have some advanced WAF capabilities. Like I listed, like DDoS protection, advanced bot protection, API protection and discovery, and so on. And on top of that, we also see that not only in the WAF market, but also in other markets as well, the utilization of threat intelligence, because you need to understand, you know, what's going on, where it is going, and then how attacks are emerging and forming and trying to understand, in some cases, we also need to understand the mindset of the attackers. So threat intelligence really helps us with that in this case. And we see that many WAF vendors are also integrating threat intelligence into their solution. Sometimes out of the box, but natively, but sometimes they also provide integrations to threat intelligence solutions, which is also fine. And another critical capability I could think of is the dashboards, for example. It might sound simple, but as a user, you need to understand all attacks and alerts. And now we utilize a lot of machine learning and we need to see some... we have lots of insights, but we need to be able to understand them as well. A dashboard with the options to customize, that's also a nice thing. So a solid dashboard is really required if you ask me.
And of course we can think about like the diverse deployment options because you never know as an organization what you will need in the future. If you need to scale up or scale down, or if you need a hybrid solution at some point, et cetera. And on top of that, we expect some vendors to deliver some more modern architecture. Like you have to provide support for containerized environments, or you have to provide some modular architecture, et cetera. And lastly, I can also say that we need WAF support in terms of compliance. The WAF solution can actually help you with complying with regulations and there you need some reporting capabilities. So you need to understand really what's going on and to prioritize which actions to take first. And in some cases, all stakeholders in an organization should understand the situation of, there's a cyber threat landscape in this case, and take actions accordingly. So we need solid reporting as well, I would say.
So we're seeing WAFs, no matter how we call them now, really getting broader when it comes to functionality, but also when it comes to integration into enterprise cybersecurity architectures. You've mentioned the signals that come out of such a system. Of course, they need to be processed afterwards in a SIEM, a SOAR. This is information, but then also should feed back into the web application firewall because this is valuable information for next threats that are arising. So, this threat detection, this threat intelligence, this works best when it's well integrated. And I think all the functionalities that you've mentioned are really important. And maybe one additional question when we look at the market, you've mentioned it grows. Does this also change? Are there new vendors, maybe from the threat intelligence aspect or from other aspects that join that market or at least contribute to that market? And would you say it's a mature market? Or it's a mature plus plus market because it's evolving? What is your feeling towards the market and the participants in that market?
Okay, so it's a mature market, I would say, and we expect some growth in this market because WAF is an essential tool to any organization, together with the API protection, that's becoming more important. And I expect more organizations to adopt it and use it. But in terms of the vendor landscape, I see big players dominating the market. And there's a small chance for regional or startups, I would say. But throughout my research, I have also come across solid startups that are doing a pretty good job in this market.
Final question, of course, we need to have that question since 2024 and adding functionality in many products. You know what I'm aiming at. Many products are building into it and weaving into it AI, machine learning to add another layer of security, add another layer of reliability, of adaptability. I would assume that is also a promise that these products come with, right?
Yeah. And on top of what you have just said, I could say that generative AI is especially a thing of 2024. But unfortunately, I haven't seen any vendor implementing or has already implemented a generative AI tool or a chatbot into their solution yet. But AI and ML is definitely utilized effectively by many vendors. And it's because it provides you the insights that your SOC teams would otherwise work very hard to get. And now it's like they are changing the roles. Now machine learning especially does the job for your SOC teams. So SOC teams can just try to understand what to prioritize, you know, and reduce the false positives and then concentrate on what really matters for their organization. And like on top of reducing false positives, I would say insights that we gather from AI and ML also recommend you how to treat an attack, how to detect it, how to block it. And it kind of gives you the instructions of how to deal with an attack step by step. And in terms of the models, it will be too much detail for now and I could name a couple of them, but I have to say that every vendor that I have researched on is utilizing a different ML model, at least I would say. And some of them are their own models, proprietary models, and some of them are employing generic ones, but there are plenty of models that are being utilized by WAF vendors, I would say. And most of them are self-learning mechanisms. And one last thing I can say is that I've noticed that machine learning especially is mostly used for bot detection. And I think that kind of facilitates the bot management as well. And the last thing, actually, I can say one more thing and some vendors are also using deep learning nowadays but this is something that we don't think is a must-have feature at the moment but maybe for the future.
Right, so to sum it up, we have some very good old technology being extended with mechanisms that deal with the next generation of threats that we have to deal with, well integrated into an overall cybersecurity strategy. So that sounds like an interesting topic. So everybody who's interested in that topic, first of all, if you have questions, just reach out to Osman or to me. If you have immediate questions to that podcast episode, please just leave a comment. If you're watching this on YouTube, just leave a comment in the comment section. If you are listening to that somewhere else, just reach out to us. Our email addresses are easy to find. We are really interested in learning your questions, your feedback, your comments. And if you have requests for additional information, Osman is here to serve, I am here to serve. And finally, of course, the report is out there. It's published, it's available on our website. So if you search for Osman's name or for web application firewall or for WAAP, then you will find that report on our website and it's available and I just can highly recommend it. The market segment is much more interesting than it sounds at first sight. It's really an interesting market. It's a changing market. It's a modern market. And I think you, Osman, have given proof for that. Any final comments that you want to give before we close down?
Well, of course, I would say that the WAF is going to be a solution around, but in the names of WAAP in the upcoming years. And I think that's inevitable for many vendors to stay competitive in the market. And they probably will have to bring API protection capabilities with time. And... I can say that vendors are trying hard to catch up with today's standards. I've seen lots of vendors trying to bring something new to the table in their roadmap items. I would say this is going to be a challenging part for them, but that's something they have to do to stay alive in the market because the large vendors are dominating the market and I think if they want to have their chance, they have to catch up with what is expected from them. And we try to also help not only the customers, but also the vendors to understand the market landscape so that they can provide those capabilities for customers who want to be future-proof. And one last thing, by the way, when you mentioned my name, I think we should also remind our audience that Alexei Balaganski, our colleague, he also recently worked on API protection. And if you want to learn more in detail about API protection solely, I think you should also go check his research that's been recently published. And yeah, that should be it from my side. Thanks, Matthias.
Fascinating. Thank you very much, Osman, for being my guest today, for sharing some light on that changing and interesting and really modern market of web application firewall, hinting at Alexei's research when it comes to API protection. Looking forward to having you soon back on that podcast, and thank you for your time. Thanks, Osman.
Likewise. Thank you. Bye bye.