Report: Most Organizations Are Dissatisfied With Their Web Application Firewalls (WAFs)

By   ISBuzz Team
Writer , Information Security Buzz | May 15, 2019 01:19 pm PST

Ineffective protection, time-consuming management, high cost of ownership all play a role  

Cequence Security, a provider of innovative software solutions that protect web, mobile, and API-based applications from cyberattacks, today released a new Ponemon Institute report – “The State of Web Application Firewalls”- showing that only 40% of organizations are satisfied with their WAF. The report is based on data gathered from 595 organizations across the U.S. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud. 

 “The research clearly reveals WAF dissatisfaction in three areas,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they’re experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.” 

The underlying data from the research provided more insight into each of these three areas: 

  • Security – While 66% of respondent organizations consider the WAF a critically important security tool, 43% use their WAFs only to generate alerts (not to block attacks). Perhaps not surprising, 86% experienced application-layer attacks that bypassed their WAF in the last 12 months. 
  • Administration – Managing legacy WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security. 
  • Cost – The CapEx and OpEx costs associated with WAF purchase and ongoing management are significant. In total, organizations spend an average of $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.

    Despite the current frustrations of WAF users, they also indicated specific improvements that should be made to their WAF to improve overall effectiveness and satisfaction. Two important requirements emerged. 

  • 72% of respondents would like to see more intelligence and automation integrated into their WAF. 

74% would like to see WAF functions integrated with other application security functions into an AI-powered software platform.

“Intelligent automation and consolidation of application security functions are definitely two critical requirements we’re seeing regularly with our hyper-connected customers,” said Franklyn Jones, CMO of Cequence Security. “They rely on web, mobile, and API-based applications to link customers, partners, and suppliers across their digital ecosystem. And they need an intelligent, integrated application security solution that can protect them against a broad range of sophisticated attacks.”

Cequence protects its customers against automated attacks, malicious bots, and application vulnerability exploits with its Application Security Platform (ASP), a container-based software solution that can be deployed on premises or in the cloud. The intelligence of the platform resides with CQAI, a patented machine learning analytics engine that automatically discovers applications deployed across the organization, detects attacks targeting those applications, and defends against the attacks using a variety of automated mitigation techniques.

The State of Web Application Firewalls report was completed in April 2019. Participating organizations span 16 vertical markets and the majority have offices globally; 100% of respondents are responsible for WAF deployments in their organization. To access the complete report, please click here.