Most Organizations Are Dissatisfied with Their Web Application Firewalls (WAFs)
May 16, 2019

Franklyn Jones
Cequence Security

Only 40% of organizations are satisfied with their WAF, according to a new Ponemon Institute report – The State of Web Application Firewalls.

"The research clearly reveals WAF dissatisfaction in three areas," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they're experiencing the pain of continuous, time-consuming WAF configuration and administration tasks. Lastly, they're dealing with significant annual costs associated with WAF ownership and staffing."


The underlying data from the research provided more insight into each of these three areas:

■ Security – While 66% of respondent organizations consider the WAF a critically important security tool, 43% use their WAFs only to generate alerts (not to block attacks). Perhaps not surprising, 86% experienced application-layer attacks that bypassed their WAF in the last 12 months.

■ Administration – Managing legacy WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.

■ Cost – The CapEx and OpEx costs associated with WAF purchase and ongoing management are significant. In total, organizations spend an average of $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.

Despite the current frustrations of WAF users, they also indicated what specific improvements should be made to their WAF to improve overall effectiveness and satisfaction. Two important requirements emerged.

■ 72% of respondents would like to see more intelligence and automation integrated into their WAF.

■ 74% would like to see WAF functions integrated with other application security functions into an AI-powered software platform.

Intelligent automation and consolidation of application security functions are definitely two critical requirements we're seeing regularly with our hyper-connected customers, who rely on web, mobile and API-based applications to link customers, partners, and suppliers across their digital ecosystem. And they need an intelligent, integrated application security solution that can protect them against a broad range of sophisticated attacks.

Methodology: The State of Web Application Firewalls report was completed in April 2019. The report is based on data gathered from 595 organizations across the US. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud. Participating organizations span 16 vertical markets and the majority have offices globally; 100% of respondents are responsible for WAF deployments in their organization.

Franklyn Jones is CMO of Cequence Security
Share this

Industry News

March 18, 2024

Kubiya.ai announces the launch of its DevOps Digital Agents.

March 18, 2024

Aviatrix® introduced Aviatrix Distributed Cloud Firewall for Kubernetes, a distributed cloud networking and network security solution for containerized enterprise applications and workloads.

March 18, 2024

Stride announces the general availability of Stride Conductor, its new autonomous coding product that transforms the software development landscape.

March 14, 2024

CircleCI unveiled CircleCI releases, which enables developers to automate the release orchestration process directly from the CircleCI UI.

March 13, 2024

Fermyon™ Technologies announces Fermyon Platform for Kubernetes, a WebAssembly platform for Kubernetes.

March 13, 2024

Akuity announced a new offer targeted at Enterprises and businesses where security and compliance are key.

March 13, 2024

New Relic launched new capabilities for New Relic IAST (Interactive Application Security Testing), including proof-of-exploit reporting for application security testing.

March 12, 2024

OutSystems announced AI Agent Builder, a new solution in the OutSystems Developer Cloud platform that makes it easy for IT leaders to incorporate generative AI (GenAI) powered applications into their digital transformation strategy, as well as govern the use of AI to ensure standardization and security.

March 12, 2024

Mirantis announced significant updates to Lens Desktop that makes working with Kubernetes easier by simplifying operations, improving efficiency, and increasing productivity. Lens 2024 Early Access is now available to Lens users.

March 12, 2024

Codezero announced a $3.5 million seed-funding round led by Ballistic Ventures, the venture capital firm dedicated exclusively to funding entrepreneurs and innovations in cybersecurity.

March 11, 2024

Prismatic launched a code-native integration building experience.

March 07, 2024

Check Point® Software Technologies Ltd. announced its Check Point Infinity Platform has been ranked as the #1 Zero Trust Platform in the latest Miercom Zero Trust Platform Assessment.

March 07, 2024

Tricentis announced the launch and availability of SAP Test Automation by Tricentis as an SAP Solution Extension.

March 07, 2024

Netlify announced the general availability of the AI-enabled deploy assist.

March 07, 2024

DataStax announced a new integration with Airbyte that simplifies the process of building production-ready GenAI applications with structured and unstructured data.