Most Organizations Are Dissatisfied with Their Web Application Firewalls (WAFs)
May 16, 2019

Franklyn Jones
Cequence Security

Only 40% of organizations are satisfied with their WAF, according to a new Ponemon Institute report – The State of Web Application Firewalls.

"The research clearly reveals WAF dissatisfaction in three areas," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they're experiencing the pain of continuous, time-consuming WAF configuration and administration tasks. Lastly, they're dealing with significant annual costs associated with WAF ownership and staffing."


The underlying data from the research provided more insight into each of these three areas:

■ Security – While 66% of respondent organizations consider the WAF a critically important security tool, 43% use their WAFs only to generate alerts (not to block attacks). Perhaps not surprising, 86% experienced application-layer attacks that bypassed their WAF in the last 12 months.

■ Administration – Managing legacy WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.

■ Cost – The CapEx and OpEx costs associated with WAF purchase and ongoing management are significant. In total, organizations spend an average of $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.

Despite the current frustrations of WAF users, they also indicated what specific improvements should be made to their WAF to improve overall effectiveness and satisfaction. Two important requirements emerged.

■ 72% of respondents would like to see more intelligence and automation integrated into their WAF.

■ 74% would like to see WAF functions integrated with other application security functions into an AI-powered software platform.

Intelligent automation and consolidation of application security functions are definitely two critical requirements we're seeing regularly with our hyper-connected customers, who rely on web, mobile and API-based applications to link customers, partners, and suppliers across their digital ecosystem. And they need an intelligent, integrated application security solution that can protect them against a broad range of sophisticated attacks.

Methodology: The State of Web Application Firewalls report was completed in April 2019. The report is based on data gathered from 595 organizations across the US. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud. Participating organizations span 16 vertical markets and the majority have offices globally; 100% of respondents are responsible for WAF deployments in their organization.

Franklyn Jones is CMO of Cequence Security
Share this

Industry News

December 19, 2024

Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).

December 19, 2024

Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.

December 18, 2024

Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.

December 18, 2024

Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.

December 17, 2024

Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.

December 17, 2024

Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.

December 17, 2024

Kindo formally launched its channel partner program.

December 16, 2024

Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.

December 16, 2024

Fastly announced the general availability of Fastly AI Accelerator.

December 12, 2024

Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.

December 12, 2024

vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.

December 11, 2024

CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.

December 11, 2024

Grid Dynamics announced the launch of its developer portal.

December 10, 2024

LTIMindtree announced a strategic partnership with GitHub.