The WAF Market Is Broken – Should You Care?

Max Pritchard

A WAF (Web Application Firewall) protects one or more web applications from being breached. WAFs are widely deployed amongst businesses to help keep company records and customer information secure. Gartner notes that customers characterised WAFs as regularly being ‘frustrating’ and ‘a disappointment’. As the web becomes more complex, it’s becoming increasingly difficult for hardware vendors to meet existing and evolving requirements, such as moving web applications to cloud infrastructure (IaaS).

The WAF Market According to Gartner

These recent findings come from a study of the current state of the WAF market by Gartner, who along with Veracode conducted software vulnerability tests on hundreds of current web applications. Gartner is well known in the industry for its reports on current issues. Its Magic Quadrant analysis system plots vendors on a graph of ‘completeness of vision’ and ‘ability to execute’ in a particular market. In the case of the WAF market, Gartner said that it is ‘ripe for disruption’; I think it is already broken.


If you’re interested in finding out more about Gartner’s report, more information can be found on their website.

The Evolution of The Web

To understand the downfall of the traditional WAF market, we must first look at the history of web security, and how the need for protection has changed over the years. After the birth of the web nearly thirty years ago, if you even had a web server at all it was very simple and not interactive. The company website would be kept on a computer, perhaps in the head office, with one copy on a floppy disk or tape. Attacks were rare and limited to defacement or Denial of Service; there wasn’t much need for protection beyond a basic firewall and no real consequences came from losing the site.

From the turn of the millennium, websites became much more complicated, with the increased use of data centres and third parties involved in the design and building processes. Attacks became more focused on stealing and selling data, for example credit card information, through SQL injection, cross-site scripting and credential misuse.

In 2004, PCI compliance appeared for sites using credit card payments, requiring firewalls, IPS and encryption. Website security fragmented into discrete capabilities:

– DDoS mitigation
– SSL off-load
– WAFs
– Traditional firewalls
– Intrusion detection
– Prevention

This gave rise to unified threat management devices (UTMs) and load balancers, combining some security services alongside their primary features.

Since 2010, websites have become extremely complex and dynamic, and host multiple APIs. There are many more threats, and sites are commonly attacked through multiple vectors: DDoS, data theft and malware injection, to name just a few. The security industry remains fragmented, meaning there is an ever-increasing number of vendors providing discrete solutions for these issues.


The Problem Today

The number of security breaches caused by hacking has increased by huge proportions since 2006, with reports of data breaches from websites growing exponentially since 2010. Even today, millions of pieces of data are still being lost due to hacking and other reasons, such as poor security and accidental publishing. Visualisations of high-profile data breaches, such as that found on informationisbeautiful.net, show this explosion in lost data.

One fundamental issue is the increase in code complexity. Applications are created using a patchwork of code from different developers, and not all application developers test their code before deployment. Security holes are often only discovered later; it is a race against time for the researchers to discover the flaws before the hackers do.

Veracode also stated that around two-thirds of web applications today leak data when tested. The EU General Data Protection Regulation (GDPR) doesn’t specify any compulsory technologies. It requires demonstration of cost-effective, modern information systems that are secure and effective against the latest types of attacks, demanding that regular tests are conducted.

Unfortunately, the current situation, according to Gartner, is that the solutions are only suitable for the 2005 web, not present day.

Every month there are countless examples of companies suffering a security hazard and losing data. In the security industry, it is a rule of thumb that breaches are inevitable. For example, in 2018, Under Armour lost 150 million user records, subsequently lost 3% of its share value and is now facing lawsuits. This shows just how important it is for companies to be fully up to date on their website security.

The trends of 30 years of the web are there to see. There has been a lot of change, with various factors increasing or decreasing, greatly affecting the demand for better web security. The increasing factors include:

– Cloud adoption – much harder to visualise and secure
– Code complexity
– Value and amount of information transacted online
– Third parties
– APIs
– Regulation and impact of breaches

On the other hand, the decreasing factors are as follows:

– In-house IT staff
– Workers specialised in security
– Job security
– The effectiveness of traditional web security

Overall, the risks are up, and security is down.

Gartner’s Findings and Suggestions on The WAF Market

Gartner’s research into the market produced some results which don’t reflect well on the current state of our web security. Overall:

– WAF buyers routinely express disappointment
– Many products are still lagging
– Buyers are shifting to service-based offerings – poorly supported by device-led protection
– IaaS demand is growing

To overcome some of the current issues outlined in the findings of their report, Gartner has stated that the WAF market must transform into a Web Application and API Protection (WAAP) market. Vendors will need to make a distinction between device-based WAFs and the new WAAPs. Successful WAAP solutions will be cloud- and service-led, innovative and offered on a subscription model, adaptable to the modern complex web market and evolving threats.

My Suggestions for WAFs

From speaking to customers, I have discovered a few things that I think are needed in order to repair the current state of the WAF market. Modern web applications need protection, typically not a device or piece of software, that can deal with multi-layer attacks and protect all web properties and APIs. Increased automation (AI), professional integrated support and reduced admin overhead are all ways that a higher level of security could be achieved over time.

activereach aims to provide the most up-to-date and advanced technology in the evolving security market. We scour the domestic and international markets for services that we can deploy to solve our customers’ security problems, including the web application security problem.

If you would like to find out more about the protection we can provide here at activereach, please take a look at our activeDEFENCE solution pages on WAFs.

This article summarises the content of a webinar conducted in June 2018 by activereach, in conjunction with cloud security technology vendor, Oracle Dyn. The webinar examines the current state of the WAF market as reported by Gartner in December 2017. The webinar recording can be viewed here.