Organizations dissatisfied with WAFs ineffective protection, time-consuming management, high cost

Only 40% of organizations are satisfied with their web application firewall (WAF), according to the Ponemon Institute report released by Cequence Security.

dissatisfied WAF

The State of Web Application Firewalls report is based on data gathered from 595 organizations across the U.S. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud.

“The research clearly reveals WAF dissatisfaction in three areas,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

“First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they’re experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.”

The underlying data from the research provided more insight into each of these three areas:

  • Security – While 66% of respondent organizations consider the WAF a critically important security tool, 43% use their WAFs only to generate alerts (not to block attacks). Perhaps not surprising, 86% experienced application-layer attacks that bypassed their WAF in the last 12 months.
  • Administration – Managing legacy WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.
  • Cost – The CapEx and OpEx costs associated with WAF purchase and ongoing management are significant. In total, organizations spend an average of $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.

Despite the current frustrations of WAF users, they also indicated specific improvements that should be made to their WAF to improve overall effectiveness and satisfaction. Two important requirements emerged.

  • 72% of respondents would like to see more intelligence and automation integrated into their WAF.
  • 74% would like to see WAF functions integrated with other application security functions into an AI-powered software platform.

The State of Web Application Firewalls report was completed in April 2019. Participating organizations span 16 vertical markets and the majority have offices globally; 100% of respondents are responsible for WAF deployments in their organization.