Most Organizations Are Dissatisfied with Their Web Application Firewalls (WAFs)
May 16, 2019

Franklyn Jones
Cequence Security

Only 40% of organizations are satisfied with their WAF, according to a new Ponemon Institute report – The State of Web Application Firewalls.

"The research clearly reveals WAF dissatisfaction in three areas," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they're experiencing the pain of continuous, time-consuming WAF configuration and administration tasks. Lastly, they're dealing with significant annual costs associated with WAF ownership and staffing."


The underlying data from the research provided more insight into each of these three areas:

■ Security – While 66% of respondent organizations consider the WAF a critically important security tool, 43% use their WAFs only to generate alerts (not to block attacks). Perhaps not surprising, 86% experienced application-layer attacks that bypassed their WAF in the last 12 months.

■ Administration – Managing legacy WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.

■ Cost – The CapEx and OpEx costs associated with WAF purchase and ongoing management are significant. In total, organizations spend an average of $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.

Despite the current frustrations of WAF users, they also indicated what specific improvements should be made to their WAF to improve overall effectiveness and satisfaction. Two important requirements emerged.

■ 72% of respondents would like to see more intelligence and automation integrated into their WAF.

■ 74% would like to see WAF functions integrated with other application security functions into an AI-powered software platform.

Intelligent automation and consolidation of application security functions are definitely two critical requirements we're seeing regularly with our hyper-connected customers, who rely on web, mobile and API-based applications to link customers, partners, and suppliers across their digital ecosystem. And they need an intelligent, integrated application security solution that can protect them against a broad range of sophisticated attacks.

Methodology: The State of Web Application Firewalls report was completed in April 2019. The report is based on data gathered from 595 organizations across the US. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud. Participating organizations span 16 vertical markets and the majority have offices globally; 100% of respondents are responsible for WAF deployments in their organization.

Franklyn Jones is CMO of Cequence Security
Share this

Industry News

March 04, 2021

GrammaTech announced a technology partnership with GitLab, the single application for the DevOps lifecycle.

March 04, 2021

Exadel announced that Sun Capital Partners, a private investment firm, has completed an acquisition of the company.

March 04, 2021

Palo Alto Networks completed its acquisition of Bridgecrew, a developer-first cloud security company.

March 03, 2021

Red Hat announced the latest release of Red Hat Process Automation, which delivers new developer tooling, extended support for eventing and streaming for event-driven architectures (EDA) through integration with Apache Kafka, and new monitoring capabilities through heatmap dashboards.

March 03, 2021

Leaders of the software development industry announced the formation of the Value Stream Management Consortium (VSMC).

March 03, 2021

Delphix and GenRocket announced a technology alliance designed to fulfill the needs of enterprise customers who desire a comprehensive test data solution that improves software quality.

March 02, 2021

JFrog announced that its DevOps Platform tools – JFrog Artifactory and JFrog Xray – are available with native deployment templates for customers using AWS GovCloud (US) and Azure Government clouds.

March 02, 2021

Spectro Cloud announced support for existing Kubernetes environments, including clusters on public cloud services such as Amazon EKS, Azure AKS and Google GKE, has been added to the Spectro Cloud Kubernetes management platform.

March 02, 2021

Idera announced the acquisition of PreEmptive Solutions, LLC, a provider of application protection and security.

March 01, 2021

CloudBolt Software announced the launch of OneFuse Community Edition, a free version of its codeless integration platform for automating, integrating, and extending private and hybrid cloud infrastructures.

March 01, 2021

DBmaestro launched support for Snowflake, the Data Cloud company.

March 01, 2021

Platform9 closed Series-D funding with an additional $12.5 million for a total of $37.5 million.

February 25, 2021

Red Hat announced Red Hat OpenShift 4.7, the latest version of the company’s enterprise Kubernetes platform.

February 25, 2021

Granulate announced the release of its open-source platform, the G-Profiler, a production profiling solution that measures the performance of code in production applications to facilitate compute optimization.

February 25, 2021

Checkmarx announced the launch of KICS (Keeping Infrastructure as Code Secure), an open source static analysis solution that enables developers to write more secure infrastructure as code (IaC).