Organizations are more dependent than ever on web applications for doing business with partners and customers, which means that protecting web applications has become business critical, something that all organizations should be taking into account.

Web Application Firewalls (WAF), therefore, are as relevant as ever, if not even more important than when they were first introduced for their ability to protect against or block a long list of common traditional web attacks such as SQL injection.

Although they have been around for decades, WAFs cannot be discounted as outdated or irrelevant because the WAF market is evolving, maturing, and growing with new vendors entering the market and driving innovation.

WAFs have evolved over time to distinguish between automated malicious bots and legitimate users, to detect abnormal activity, and to protect application program interfaces (APIs) in a variety of ways.

WAFs are essential to ensuring web application security, with the most advanced WAFs becoming more intelligent by incorporating machine learning to go beyond basic core capabilities to include bot management, API protection, Distributed Denial of Service (DDoS) protection, and even virtual patching.

As noted above, organizations are increasingly dependent on web applications as a means of doing business, and therefore it is important that they are familiar with the technologies that are available for protecting these business-critical applications in a wide range of industrial sectors, including finance.

Every organization should ascertain their dependency on web applications, review the security of those applications, and evaluate if there is a need to deploy new/additional Web Application Firewalls or update existing ones to meet current business and security needs.

“ A focus on Application Programming Interfaces (APIs) has been steadily growing, and we are seeing the market covering the protection of APIs in multiple ways such as API gateways, Access Management solutions, and now WAFs are also filling the gap with their own API protection combining Web Application and API Protection (WAAP) capabilities.”

— Richard Hill, Lead Analyst, KuppingerCole.

Because we understand the importance of ­­­­­­­protecting business critical web applications, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.


A good place to start in learning more about how WAFs are relevant to modern business is the recently-published Leadership Compass on Web Application Firewalls, which provides an overview of the market, examines innovative approaches, and is designed to help you find the solution that best meets your organization’s needs.

Discover how WAFs can be used to enforce rate limiting on API and fulfil other useful functions to reduce fraud in this Leadership Compass on Fraud Reduction Intelligence Platforms. WAFs can also be used for consumer application protection, as detailed in this Leadership Compass on Consumer Authentication.

If you are interested in a deeper dive into the topic of protecting APIs, then this Leadership Compass on API Management and Security is essential reading.

Learn about other tools that can help you protect web applications by having a look at this Leadership Compass on Access Management.


To improve your understanding of where WAFs fit into IAM and their primary role, have a look at this Advisory Note on KuppingerCole’s IAM Reference Architecture.


If you would prefer to hear what our analysts have to say on the topic of Web Application Firewalls, have a listen this Analyst Chat about the newly-published Leadership Compass Web Application Firewalls referenced above, and hear about the challenges of explosive API growth without proper security controls in place in this Analyst Chat entitled: The Dark Side of the API Economy.


Web Application Firewalls are among the tools organizations use for Web Access Management, which includes managing access of employees and business partners. To learn more, have a look at this Webinar on Universal SSO: Strategies & Standards for Single Sign-On Across Web and Native Applications.


Learn how WAF’s fit into the context of network security by reading this Whitepaper on Securing your IaaS Cloud and find out how WAFs can be applied in the world of modern banking in this Whitepaper on Meeting PSD2 Challenges with Ergon Airlock Suite.

And find out more about the role of WAFs when it comes to designing a comprehensive and future-proof API security strategy, have a look at this Whitepaper entitled: The Dark Side of the API Economy. Alternatively refer to the Analyst Chat on this topic in the Audio & Video section.

Tech Investment

Organizations investing in technologies to protect their web applications and other assets, can have a look at some of the related technology solutions that we have evaluated: