Leadership Compass
This report provides up-to-date insights into the Web Application Firewall (WAF) market. We examine the market segment, vendor service functionality, relative market share, and innovation to help you to find the solution that best meets your organization's needs.

1 Executive Summary

Web Application Firewalls (WAF) have been around for quite some time to protect web applications by inspecting HTTP traffic. Traditionally WAFs were used within organizations on-premises to protect both intranets and externally facing web applications. Over time organizations have grown to depend on web apps for doing business with partners and customers, making it critical to maintain and protect these applications.

Since the beginning, WAFs have provided protection against a list of common types of web attacks, such as SQL injection and cross-site scripting, using pattern-matching techniques against the HTTP traffic. As the list of attack types continued to grow, OWASP (Open Web Application Security Project) provided insight into the most critical security risks to web applications to guide developers in minimizing these risks. WAFs also protect against connection-based DDoS (Distributed Denial-of-Service) attacks that overwhelm or disrupt normal web service traffic.

Software robots, more commonly known as bots, perform repetitive tasks and can imitate human user behavior. What began as a means to perform useful automated tasks quickly became a tool for malicious web attacks. For example, it is reported that nearly half of all online traffic is due to bots, of which roughly over a quarter are malicious. Some of these malicious bots even attempt to log into user accounts. Given these types of attacks, advanced WAF capabilities are needed to distinguish between automated bots and real users and to detect other abnormal activities, for example by using AI (Artificial Intelligence) and ML (Machine Learning). The focus on APIs (Application Programming Interfaces) has been steadily growing, and the market now covers the protection of APIs in multiple ways, such as API gateways and Access Management solutions; WAFs are also filling the gap with their API protection, combining Web Application and API Protection (WAAP) capabilities.

The cybersecurity industry is shifting from WAF to more comprehensive WAAP solutions. While some solutions claim to be next-generation WAFs, there is an increasing focus on WAAP solutions. This shift includes advanced features that create more comprehensive defense mechanisms and encourage vendors to adjust their offerings to meet new standards of WAAP. WAAP integrates WAF capabilities together with API security, advanced bot protection, and DDoS protection to address the limitations of traditional WAFs. Specifically, it improves the detection and mitigation of sophisticated bot attacks and protects APIs.

Nowadays, cyber threats have become increasingly complex. APIs have also become more critical to the web infrastructure. WAAP addresses these new challenges with defense strategies that also include ML for adaptive threat and bot detection. The transition to WAAP is not only an upgrade but also a strategic move to better protect digital assets. It presents a proactive approach to securing web applications, equipping organizations with the necessary tools to stay ahead of cyber criminals and comply with evolving regulatory standards.

This KuppingerCole Leadership Compass covers solutions that protect web applications and their data using a Web Application Firewall (WAF), commonly found in small to enterprise organizations. These solutions must meet the most basic WAF requirements seen in the past while providing more advanced capabilities to meet the new emerging IT requirements that protect against the evolving landscape of attacks seen today. To better understand the fundamental principles this report is based on, please refer to KuppingerCole’s Research Methodology.

1.1 Highlights

  • The WAF market is growing, and although maturing, it continues to evolve due to the constantly changing landscape of attacks.
  • WAF has increasingly become essential to organizations as a strategic approach to ensure protection of their business applications.
  • The level of WAF intelligence has become a differentiator between WAF product solutions.
  • Beyond basic core WAF capabilities, bot management and API protection are two capabilities of emphasis for many of the products evaluated in this Leadership Compass.
  • Some level of web performance enhancement appears as a differentiator between WAF product leaders and challengers.
  • Innovation in this market extends beyond the new WAAP approach, which improves web application security with API protection and discovery. Innovative vendors are increasingly offering proactive vulnerability remediation, fraud detection, DLP, virtual patching, and the use of advanced ML algorithms to manage malicious traffic as standard features.
  • The Overall Leaders (in alphabetical order) are AWS, Cloudflare, F5, Fortinet, Imperva, Prophaze, and Radware.