The WAF market is growing, driven by the adoption of cloud-based WAF services. Enterprise security teams should use this research as part of their evaluation of how WAFs can provide improved security that is also easy to consume and manage, while respecting data privacy requirements.
Strategic Planning Assumptions
By 2020, stand-alone WAF hardware appliances will represent less than 20% of new WAF deployments, down from 40% today.
By 2020, more than 50% of public-facing web applications will be protected by cloud-based WAF service platforms, combining CDN, DDoS protection, bot mitigation and WAF, up from less than 20% today.
Market Definition/Description
WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically that was the only way to perform some in-depth inspections. Today, other deployment modes exist, such as transparent proxy or network bridge. Some WAFs can also be positioned out of band (OOB, or mirror mode), and therefore work on a copy of the network traffic. Not every feature can work in all of these deployment choices, and reverse proxy is the most prevalent option for many organizations. In recent years, increased use by web applications of Transport Layer Security (TLS) encryption, based on cipher suites that require in-line traffic interception (man in the middle) to decrypt, has reduced the number of OOB deployments.
In recent years, WAF delivered as a cloud-based service directly by the vendor (cloud-based WAF service) has become a more popular option for a growing number of enterprises, beyond its initial target of midmarket organizations. Cloud-based WAF service combines a cloud-based deployment with a subscription model. Customers might also select the vendor’s managed services for its cloud-based WAF service, or be forced to use them because they are a mandatory component of the offering. Some vendors have chosen to leverage their existing WAF solution, repackaging it as SaaS. This allows vendors to have a cloud-based WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native cloud-based WAF service offerings. One of the difficulties with this approach is simplifying the management and monitoring console to meet clients’ expectations. A cloud-based WAF service built to be multitenant and cloud-based from the beginning could avoid costly maintenance of legacy code in the long term. It also provides a competitive advantage with faster release cycles and rapid implementation of innovative features. One of the main challenges for users of a cloud-based WAF service built separately from the vendor’s on-premises WAF is the absence of a unified management console to support hybrid scenarios.
When speaking with clients about WAF adoption, Gartner observes occasional confusion with the application control feature (application awareness) present on network firewalls. The primary WAF benefit is protection for custom web applications’ “self-inflicted” vulnerabilities in web application code developed by the enterprise, and protection for vulnerabilities in off-the-shelf web application software. These vulnerabilities would otherwise go unprotected by other technologies that guard mainly against known exploits (see “Web Application Firewalls Are Worth the Investment for Enterprises”). Most attacks on these corporate applications come from external attackers.
This Magic Quadrant includes WAFs that are deployed external to web applications and not integrated directly on web servers:
- Purpose-built physical, virtual or software appliances
- WAF modules embedded in application delivery controllers (ADCs; see “Magic Quadrant for Application Delivery Controllers”)
- Cloud-based WAF service, including WAF modules embedded in larger platforms, such as content delivery networks (CDNs)
- Virtual appliances available on infrastructure as a service (IaaS) platforms, and WAF solutions from IaaS providers
API gateway, bot management (which includes bad-bot mitigation and good-bot whitelisting) and runtime application self-protection (RASP) are adjacent to the WAF market, and might compete for the same application security budget. This motivates WAF vendors to add relevant features from these adjacent markets when appropriate; for example, cloud-based WAF services often bundle web application security with distributed denial of service (DDoS) protection and CDN. The ability of WAFs to integrate with other enterprise security technologies — such as application security testing (AST), database monitoring, or security information and event management (SIEM) — is a capability that supports their strong presence in the enterprise market. Consolidation of WAFs with other technologies, like ADCs, CDNs or DDoS mitigation cloud services, brings its own benefits and challenges. However, this market evaluation focuses more heavily on the buyer’s security needs when it comes to web application security. This notably includes how WAF technology:
- Maximizes the detection and catch rate for known and unknown threats
- Minimizes false alerts (false positives) and adapts to continually evolving web applications
- Ensures broader adoption through ease of use and minimal performance impact
- Automates incident response workflow to assist web application security analysts
- Protects public-facing, as well as internally used, web applications and APIs
In particular, Gartner scrutinizes these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) and open-source/free WAF (such as ModSecurity) would do by leveraging a rule set of generic signatures.
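As an added illustration (example code, not part of the Gartner report and not taken from any WAF product), the following Python script models what a generic-signature rule set delivers and where it falls short, tying together the deployment modes described above and the catch-rate and false-positive criteria listed above. The rules, field names and sample requests are all constructed for this example: a reverse-proxy (in-line) WAF can block a matching request while an out-of-band (mirror) WAF can only alert; a known injection pattern is caught; a custom application’s authorization flaw (a customer reading another customer’s invoice) produces no signature match at all; and a harmless forum post is blocked because a generic traversal signature fires on its text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed generic signature rule set (hypothetical; written in the spirit of
# an open-source core rule set, but not copied from any real project).
GENERIC_RULES = {
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "path-traversal": re.compile(r"\.\./"),
    "xss-script-tag": re.compile(r"(?i)<script\b"),
}


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str]
    body: str = ""
    # Application-level context (who is asking for what) that a generic rule set
    # never sees; only an application-aware policy could use it.
    user_role: str = "anonymous"


def inspect(req: Request, mode: str = "inline") -> Tuple[str, List[str]]:
    """Run every generic rule over the user-controlled fields of one request.

    Returns (action, matched_rule_names). In "inline" mode (reverse proxy) a match
    blocks the request before it reaches the web server; in "oob" mode (mirror
    port) the WAF works on a copy of the traffic and can only raise an alert.
    """
    fields = [req.path, req.body] + list(req.query.values())
    matched = sorted(
        name for name, rx in GENERIC_RULES.items()
        if any(rx.search(f) for f in fields)
    )
    if not matched:
        return "allow", matched
    return ("block" if mode == "inline" else "alert"), matched


# Constructed sample traffic with ground-truth labels.
SAMPLES = {
    "known_sqli": Request("GET", "/login", {"user": "admin' OR '1'='1"}),
    # Custom-application authorization flaw: customer of account 1001 reads
    # invoice 1002. Syntactically ordinary, so no generic signature fires.
    "idor": Request("GET", "/invoice/1002", {}, user_role="customer_of_1001"),
    # Legitimate content that happens to contain a traversal-looking token.
    "forum_post": Request("POST", "/post", {}, body="Use ../ to go up one directory in Unix"),
}
GROUND_TRUTH = {"known_sqli": "attack", "idor": "attack", "forum_post": "benign"}


def evaluate_all(mode: str = "inline") -> Dict[str, Tuple[str, List[str]]]:
    """Inspect every sample and return its verdict keyed by sample name."""
    return {name: inspect(req, mode) for name, req in SAMPLES.items()}


def score(results: Dict[str, Tuple[str, List[str]]]) -> Tuple[int, int, int]:
    """Return (attacks detected, attacks total, false positives) for a result set."""
    detected = sum(1 for n, (act, _) in results.items()
                   if GROUND_TRUTH[n] == "attack" and act != "allow")
    total_attacks = sum(1 for n in results if GROUND_TRUTH[n] == "attack")
    false_positives = sum(1 for n, (act, _) in results.items()
                          if GROUND_TRUTH[n] == "benign" and act != "allow")
    return detected, total_attacks, false_positives


if __name__ == "__main__":
    for mode in ("inline", "oob"):
        results = evaluate_all(mode)
        for name, (action, rules) in results.items():
            print(f"[{mode}] {name:<11} -> {action:<5} {rules}")
        print(f"[{mode}] catch rate {score(results)[0]}/{score(results)[1]}, "
              f"false positives {score(results)[2]}")
```

Running the script shows a catch rate of one attack in two and one false positive in both modes; the only difference between in-line and out-of-band deployment is whether the match results in a block or merely an alert. The missed case is exactly the “self-inflicted” custom-application vulnerability class the report describes, which is why the evaluation looks at application learning, false-positive handling and API protection rather than at signature coverage alone.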