The State of Web Application Firewalls

Larry Ponemon

Web application firewalls (WAF) are essential to securing web-based applications and, as shown in this research sponsored by Cequence Security, are a necessary or critical piece of an organization’s security arsenal and infrastructure. Unlike traditional firewalls, WAFs analyze traffic and make decisions based on a set of predefined business rules. Traditional firewalls base their decision to allow or block traffic on simple parameters such as IP address or port number. WAFs mostly base their decision on an in-depth analysis of the HTML data.

Ponemon Institute surveyed 595 IT and IT security practitioners who are responsible for the deployment of a WAF in their organizations. Fifty-three percent of respondents are either responsible for application security (30 percent) or are application owners (23 percent).

The research clearly reveals WAF dissatisfaction in three areas. First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they’re experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.

Attacks on the application layer are bypassing organizations’ WAFs. Sixty-five percent of respondents say attacks on the application tier are bypassing the WAF frequently or sometimes.

As a result, most organizations represented in this survey do not think their WAFs are effective in securing their web-based applications and are not satisfied with them.

When asked to rate satisfaction with their organization’s WAF on a scale of 1 = not satisfied to 10 = very satisfied, only 40 percent are very satisfied (7+ responses) due to the fact that only 43 percent of respondents say their WAF is very effective (7+ responses on the 10-point scale).

Part 2. Key findings

 In this section, we provide a deeper analysis of the research findings. The complete audited findings are presented in the Appendix of this report. We have organized the report according to the following themes:

  • The difficulty in protecting Web, mobile and API apps
  • The challenge of WAF deployment and management
  • Features that improve the WAF’s effectiveness

The difficulty in protecting Web, mobile and API apps

 Organizations prioritize the protection of Web and mobile applications. Organizations represented in this research protect an average of 158 Web, mobile and API apps. The primary focus of application security is on Web (67 percent of respondents) and mobile (58 percent of respondents) applications. Thirty-seven percent of respondents say their organizations are protecting API services.

Organizations are more effective at protecting mobile applications. When asked to rate their organization’s effectiveness in protecting mobile applications and API services, 54 percent of respondents say they are very effective in protecting mobile apps versus only 38 percent of respondents who say their effectiveness in protecting API services is very high.

Mobile client applications are most likely to interact with organizational applications. Some 55 percent of respondents say mobile apps interact with their organizations’ applications followed by partners using APIs (36 percent of respondents).

Attacks are bypassing the WAF. In the past 12 months, 65 percent of respondents say attacks on their organizations’ application tiers have bypassed the WAF frequently (23 percent) or sometimes (42 percent).

The challenge of WAF deployment and management

 Security is the primary reason to invest in a WAF.  Organizations are spending an average of $419,100 on WAF products and/or services and an additional average of $200,500 for staff to manage WAF-related security issues. Organizations typically have 2.5 full-time employees to manage the WAF. On average, the staff spends 45 hours per week responding to alerts and 16 hours per week to creating and/or updating rulesets.

The top three reasons to invest in a WAF are the protection of the IT infrastructure (60 percent of respondents), prevention of attacks (56 percent of respondents) and the protection of data (54 percent of respondents).

Most WAFs used only for attack detection. Only 22 percent of WAFs deployed in the organizations represented in this study both detect and block attacks.

Currently, most WAFs are either an on-premises hardware appliance or managed appliance. About one third of respondents say their WAF is an on-premises hardware appliance and 21 percent of respondents say this is the ideal deployment. Twenty percent of respondents say an on-premises virtual appliance is ideal and 18 percent of respondents say a cloud-based WAF is ideal.

Read the rest of this study at the Cequence website.



Leave a Reply

Your email address will not be published. Required fields are marked *