Web Application Firewall: a must-have security control or an outdated technology?

Gartner’s Magic Quadrant (MQ) 2015 for Web Application Firewalls (WAF) estimates that the global WAF market size is as big as $420 million, with 24 percent annual growth, making a Web Application Firewall one of the most popular preventive and/or detective security controls currently being used for web applications.

PCI DSS 3.1 requirement 6.6 suggests WAF deployment as an alternative to vulnerability scanning, while ISACA’s “DevOps Practitioner Considerations” includes WAF in the 10 key security controls that companies need to consider as they embrace DevOps to achieve reduced costs and increased agility.

Nowadays, a number of large and midsize companies offer various WAF solutions, usually packaged together with DDoS protection, CDN, ADC and other related offerings. Amazon Web Services (AWS) has recently launched its own WAF service.

Gartner predicts that by 2020, more than 60 percent of public web applications will be protected by a WAF. However, in 2015 Gartner had only one vendor listed in its WAF MQ as a Leader (Imperva), and only two vendors listed as Visionaries (DenyAll and Positive Technologies). All other vendors are either Niche Players or Challengers. Many more WAF vendors were simply not present in the MQ for not meeting the inclusion criteria.