Over the years, Web Application Firewalls (WAFs) have become a mainstream application protection mechanism, and as a result they enjoy broad market penetration. However, as we have described before, WAFs are falling out of the limelight: research firms such as Gartner started recommending other protection alternatives in 2017.
Some of the main drivers behind the pushback are the WAF's perimeter-based approach to protection, its pattern- and rule-based engines, and lastly, a general lack of innovation. Additionally, developers do not benefit from a WAF, because it does nothing to help them build secure applications.
Teams using WAFs are noticing these shortcomings and voicing a growing chorus of dissatisfaction. For instance, the Ponemon Institute recently published the results of a primary research project (a survey of over 650 WAF users) that highlights the reasons behind this frustration.
The top reasons why WAF users are dissatisfied:
1. Insufficient protection
According to Ponemon, 65% of respondents say attacks are bypassing the WAF. Even worse, only 9% of the survey respondents indicate that their WAFs have never been breached. We believe this is caused by the architectural design of WAFs (perimeter defense) and by their focus on protection against exploit-based attacks. These drivers result in low effective coverage of common risks such as the OWASP Top 10. Additionally, WAFs cannot protect against design flaws such as Broken Access Control and Parameter Tampering, because a tampered request is syntactically indistinguishable from a legitimate one at the perimeter.
2. False positives
WAFs rely on rules and blacklist models, and must "learn" the application during a configuration process. This approach is not effective, and as a result WAFs often miscategorize legitimate traffic as malicious (false positives). This mistake significantly damages the user experience. In fact, 43% of Ponemon respondents indicate that their WAFs are in "Detection/Alert only mode," which means that attacks are alerted on but not blocked.
3. Narrow scope
WAFs do not help developers build secure applications. Based on the responses to the Ponemon survey, as many as 34% of WAF users say that compliance is the main mission of their WAF, as opposed to vulnerability mitigation or attack protection.
4. Lack of cloud support
Ponemon respondents say that most WAFs are deployed as on-premise hardware or as a managed appliance. This deployment style does not adapt well to modern deployment strategies based on flexible cloud platforms, and WAFs lock applications into static configuration models.
WAFs also consume many resources from the organization: they are complex to maintain, and the licenses are costly. In fact, according to Ponemon, WAF management requires an average headcount of 2.5 FTEs and an annual budget in excess of $400K.
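To make the first two points concrete, here is an added illustration in Python (not code from the original post or from Hdiv): a toy blacklist engine with three constructed signature rules stands in for a perimeter WAF, and a small account handler stands in for an application that enforces access control itself. The rule patterns, the `ACCOUNTS` table, the `Request` type and the sample requests are all constructed for this example. It shows that a parameter-tampering request passes the signature engine untouched because it contains no exploit syntax and is caught only by the in-application ownership check, that an ordinary search string can trip a signature (a false positive), and what "Detection/Alert only" mode changes.

```python
import re
from dataclasses import dataclass, field

# Constructed signature rules of the kind a blacklist-based WAF engine applies at the
# perimeter. They match exploit syntax in the raw request text and nothing else.
WAF_RULES = [
    ("sqli", re.compile(r"\bUNION\b.*\bSELECT\b|'\s*OR\s+1=1", re.IGNORECASE)),
    ("xss", re.compile(r"<script\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


@dataclass
class Request:
    user: str                      # authenticated principal: known to the app, invisible to the WAF
    path: str
    params: dict = field(default_factory=dict)

    def raw(self) -> str:
        """The request as a perimeter device sees it: path plus query string."""
        query = "&".join(f"{k}={v}" for k, v in self.params.items())
        return f"{self.path}?{query}" if query else self.path


def waf_inspect(req: Request, mode: str = "block") -> str:
    """Return 'blocked', 'alerted' or 'allowed'.

    mode='alert' models the 'Detection/Alert only' deployment: a signature hit is
    reported but the request is still forwarded to the application.
    """
    for _name, pattern in WAF_RULES:
        if pattern.search(req.raw()):
            return "blocked" if mode == "block" else "alerted"
    return "allowed"


# Constructed application data: which user owns which account record.
ACCOUNTS = {"123": "alice", "124": "bob"}


def app_handle(req: Request) -> int:
    """HTTP status from an application that enforces access control itself.

    The check compares the requested record's owner with the authenticated user,
    information that exists only inside the application, never at the perimeter.
    """
    owner = ACCOUNTS.get(req.params.get("id", ""))
    if owner is None:
        return 404
    if owner != req.user:
        return 403
    return 200


def evaluate(req: Request, mode: str = "block"):
    """Run the request through the WAF and then, unless blocked, the application."""
    verdict = waf_inspect(req, mode)
    if verdict == "blocked":
        return verdict, None
    return verdict, app_handle(req)


if __name__ == "__main__":
    cases = {
        "legitimate": Request("alice", "/account", {"id": "123"}),
        "exploit syntax": Request("alice", "/account", {"id": "1' OR 1=1"}),
        "parameter tampering": Request("alice", "/account", {"id": "124"}),
        "false positive": Request("alice", "/search", {"q": "union rules: select one"}),
    }
    for label, req in cases.items():
        verdict, status = evaluate(req)
        print(f"{label:20} waf={verdict:8} app={status}")
```

The tampering case is the one the survey respondents are complaining about: `id=124` carries no signature to match, so the only place it can be rejected is the application's own ownership check, which is exactly the check a perimeter device has no data to perform. The false-positive case shows the flip side of signature matching, and running `evaluate` with `mode="alert"` shows why a WAF in detection-only mode still leaves the application to fend for itself.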
Beyond the WAF
As we mentioned above, WAFs are mature and mainstream, but companies are unhappy with them due to insufficient protection, frequent false positives, inability to support developers, lack of cloud support and high consumption of resources.
We agree with Gartner, and we believe that WAF users should consider newer technologies such as Runtime Application Self-Protection (RASP) tools to address the limitations and sources of dissatisfaction described above.
We would like to hear your WAF experiences, good and bad. Drop us a line at gorka at hdivsecurity dot com.
Sources and related content:
Ponemon Institute – "The State of Web Application Firewalls" (14 May 2019)
Gartner – "Web Application Firewall market is ripe for disruption" (12 December 2017)
Agile Protection: Above and Beyond the WAF
Agile Protection for Software Development