Skip navigation
Wall with Three Holes.png

Web Application Firewalls Aren’t Doing the Job, Survey Finds

Security, administration and cost issues mitigate the effectiveness of web application firewalls.

A new survey finds that less than half of organizations are satisfied with their web application firewall--citing security, administration and cost issues--despite the fact that they are considered a necessary or critical part of the security infrastructure.

The survey, performed by Ponemon Institute and sponsored by Cequence Security, found that organizations typically use web application firewalls (WAFs) to protect web applications, mobile applications and API services, along with the data they produce and use. Users reported that the most important WAF feature is HTTP and HTTPS protocol enforcement, followed by the ability to scan uploaded documents for malware before they reach the web application and virtual patching.

Organizations report differences in how well WAFs protect these assets and perform those tasks. Users report that WAFs are most effective at app DDoS protection and DNS security, while they were somewhat less effective at app vulnerability protection, anomaly detection and signature-based support. But, in general, users seem to be fairly unsatisfied with the current state of WAFs. The report found that 86% of respondents experienced application layer attacks that bypassed their WAF in the last 12 months. Less than half expect that their WAF will stop all application layer vulnerabilities, including vulnerabilities without a known signature.

That’s probably why only 43% rely on WAFs to generate alerts, while 35% use them for detection and blocking, and only 22% use them for both functions. In large part, that’s because WAFs require a fair amount of administrative overhead, said Larry Ponemon, chairman and founder of Ponemon Institute. They need to be customized to the app they are protecting, which can mean delays when new apps are introduced or updated. For protection, they use signatures to find known threats. Oftentimes, the signatures will introduce false positives that are addressed through exceptions. In some ways, that eliminates the purpose of a WAF.

"The administrative overhead that WAFs require can be daunting for many organizations--as we learned from the research, these organizations are spending some 45 hours a week managing their WAFs, plus another 16 hours each week creating new rules for their WAF,” Ponemon said. “This is a huge commitment to operational overhead, and most organizations are looking to reduce it."

Organizations have had more success in protecting mobile applications. Fifty-four percent said WAFs are very effective in protecting mobile apps, while 38% said WAFs are very effective in protecting API services.

To better protect mobile APIs, WAFs need to be able to analyze API traffic between mobile apps and internal servers. But instead of using WAF signatures to apply security, the application traffic needs to be analyzed more in terms of the underlying behavior and intent of the application transaction, explained Matt Keil, a director at Cequence Security. That is beyond the capability of traditional WAFs, he said, but could be improved by a WAF that incorporated artificial intelligence, which can provide that deeper analysis.

Other findings included dissatisfaction with the complexity and time required to manage WAFs, along with cost. When asked what features they would want in a WAF, they voted strongly for a simplified security architecture, integration with other security functions, and more intelligence and automation.

Intelligence and automation in the form of AI is one of the best ways to improve the effectiveness of WAFs, Keil agreed. AI can simplify application deployment by eliminating the need to create a WAF app profile. The AI “learns” about the app and helps distinguish between malicious and legitimate transactions, allowing the user to take action as needed without using a signature.


Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.