Magic Quadrant for Web Application Firewalls
Published: 19 July 2016 ID: G00290000 Analyst(s): Jeremy D'Hoinne, Adam Hils, Claudio Neiva
The WAF market is growing, with new use cases and security requirements ranging from "good enough" security for compliance to protection against targeted attacks. Enterprise security teams should evaluate how WAFs can provide high security that is also easy to consume and manage.
Strategic Planning Assumption:
By year-end 2020, more than 70% of public web applications protected by a web application firewall (WAF) will use WAFs delivered as a cloud service or internet-hosted virtual appliance — up from less than 25% today.
The WAF market is driven by customers' need to protect internal and public web applications, whether they are deployed locally (on-premises) or remotely (hosted, cloud or as a service). WAFs protect web applications against a variety of attacks, notably injection attacks and application-layer denial of service (DoS). They should not only provide signature-based protection, but should also support positive security models (allowlisting the application's expected inputs rather than only blocking known attack patterns).
WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically it was the only way to perform some in-depth inspections. Today, other deployment modes exist, such as transparent proxy or network bridge. Some WAFs can also be positioned out of band (OOB, or mirror mode) and, therefore, work on a copy of the network traffic. Not every feature can work in all of these deployment choices, and reverse proxy is the most prevalent option for many organizations.
In recent years, cloud-based WAF, delivered as a service, has become a valid option for a growing number of enterprises, beyond its initial target of midmarket organizations. Some vendors have chosen to leverage their existing WAF solution, repackaging it as a SaaS. This allows them to have a SaaS-delivered WAF available for their clients sooner, and they can leverage the existing features to differentiate from native cloud-based WAF. One of the difficulties with this approach is simplifying the management and monitoring console to meet clients' expectations. SaaS WAF, built to be multitenant and cloud-based from the beginning, could avoid costly maintenance of legacy code in the long term. It could also provide a competitive advantage with faster release cycles and rapid implementation of innovative features. The main challenge for vendors offering a cloud WAF built separately is the absence of a unified management console to support hybrid scenarios.
When surveying clients about WAF adoption, Gartner observes occasional confusion with the application control feature (application awareness) present on network firewalls. The primary WAF benefit is protection for the "self-inflicted" vulnerabilities in custom web application code developed by the enterprise. These vulnerabilities would otherwise go unprotected by technologies that guard only against known exploits and against vulnerabilities in off-the-shelf web application software (see "Web Application Firewalls Are Worth the Investment for Enterprises"). Most attacks on these corporate applications come from external attackers. Abuse of legitimate user credentials from infected workstations is another frequent threat vector.
This Magic Quadrant includes WAFs that are deployed in front of web applications and not integrated directly on web servers:
Purpose-built physical, virtual or software appliances
WAF modules embedded in application delivery controllers (ADCs; see "Magic Quadrant for Application Delivery Controllers" )
SaaS services or virtual appliances available on infrastructure as a service (IaaS) platforms
API gateway, bot management and runtime application self-protection (RASP) are adjacent to the WAF market, and might compete for the same application security budget. This motivates WAF vendors to add relevant features from these adjacent markets when appropriate. The ability of WAFs to integrate with other enterprise security technologies — such as application security testing (AST), database monitoring, or security information and event management (SIEM) — is a capability that supports a strong presence of WAF technology in the enterprise market. Consolidation of WAFs with other technologies, like ADCs or distributed DoS mitigation cloud services, brings its own benefits and challenges, but this market evaluation primarily focuses on the buyer's security needs when it comes to web application security. This notably includes how WAF technology:
Maximizes the detection and catch rate for known and unknown threats
Minimizes false alerts (false positives) and adapts to continually evolving web applications
Ensures broader adoption through ease of use and minimal performance impact
Automates incident response workflow to assist web application security analysts
Protects public-facing, as well as internally used, web applications
In particular, Gartner scrutinizes these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) and open-source/free WAF (such as ModSecurity) would do by leveraging a rule set of generic signatures.
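The distinction between generic signatures and a positive security model, which the evaluation criteria above turn on, is easiest to see in code. The following is an added example, not code from this report or from any vendor evaluated in it: a toy request inspector that runs the same request through a handful of constructed, ModSecurity-style injection signatures and through a per-endpoint allowlist of parameter names and value shapes. The endpoints, schema, signatures and sample requests are all constructed for the demonstration.

```python
"""Toy WAF request inspector contrasting a negative (signature) model with a
positive (allowlist) model. Hypothetical example code, not any vendor's engine;
the signatures are simplified stand-ins for generic ModSecurity-style rules and
the endpoints, schema and sample requests are constructed for the demo."""
import re
from urllib.parse import parse_qs

# Negative model: a few generic injection signatures (constructed, deliberately
# simple; real rule sets are far larger and still only describe known patterns).
SIGNATURES = {
    "sqli_union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "sqli_tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
}

# Positive model: per-endpoint allowlist of parameter names and value shapes.
# A product WAF learns this from traffic or takes it from developer declarations.
SCHEMA = {
    ("GET", "/account"): {
        "id": re.compile(r"^\d{1,10}$"),
        "view": re.compile(r"^(summary|detail)$"),
    },
    ("POST", "/comment"): {
        "id": re.compile(r"^\d{1,10}$"),
        "body": re.compile(r"^[\w\s.,!?'-]{1,500}$"),
    },
}


def negative_check(params: dict) -> list:
    """Return 'signature:parameter' for every signature that matches a value."""
    hits = []
    for name, values in params.items():
        for value in values:
            for sig, rx in SIGNATURES.items():
                if rx.search(value):
                    hits.append(f"{sig}:{name}")
    return hits


def positive_check(method: str, path: str, params: dict) -> list:
    """Return violations of the endpoint allowlist: unknown endpoint, a parameter
    the application never declared, or a value outside the declared shape."""
    schema = SCHEMA.get((method, path))
    if schema is None:
        return ["unknown_endpoint"]
    violations = []
    for name, values in params.items():
        rx = schema.get(name)
        if rx is None:
            violations.append(f"unexpected_param:{name}")
            continue
        for value in values:
            if not rx.match(value):
                violations.append(f"bad_value:{name}")
    return violations


def inspect_request(method: str, path: str, query: str) -> dict:
    """Run one request (URL-encoded query or form body) through both models."""
    params = parse_qs(query, keep_blank_values=True)
    return {
        "negative": negative_check(params),
        "positive": positive_check(method, path, params),
    }


if __name__ == "__main__":
    samples = [  # constructed requests
        ("GET", "/account", "id=1%27%20or%20%271%27%3D%271&view=summary"),
        ("GET", "/account", "id=42&view=summary&debug=1"),
        ("POST", "/comment", "id=7&body=We+should+union+select+the+best+option"),
    ]
    for method, path, query in samples:
        print(method, path, query, "->", inspect_request(method, path, query))
```

The three sample requests map onto the evaluation criteria: the classic tautology injection is caught by both models; the undeclared debug parameter slips past the signatures but fails the allowlist (an unknown threat, from the signature engine's point of view); and the harmless comment containing "union select" is a false positive for the signatures that the positive model accepts. The operational cost of the positive model, which the vendor sections below return to repeatedly, is keeping the schema current as the application changes, which is what the "automatic policy learning" features are meant to do.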
Vendor Strengths and Cautions:
AdNovum:
Headquartered in Zurich, Switzerland, AdNovum provides application development and security services. AdNovum's Nevis Security Suite includes WAF (nevisProxy), authentication and identity management. Nevis Security Suite was first shipped in 1997. The nevisProxy WAF is delivered as a software appliance. AdNovum provides a centralized management (nevisAdmin) and a reporting solution (nevisReports). Integration with SIEM is available for Splunk. The management console is available in English, French and German. There is no integration with fraud detection or database audit technologies.
In 2015, AdNovum focused its international development on Germany and has started to deliver WAF as a service for a few clients.
AdNovum is assessed as a Niche Player because of its limited presence on WAF shortlists outside of Switzerland. European and Asian enterprise buyers in need of a combined identity and access management (IAM) and WAF solution to protect custom applications should consider AdNovum on their competitive shortlists, but should first verify its local presence.
Strengths:
The Nevis Security Suite includes robust authentication and single sign-on (SSO) features, including support of the OATH standard. It also provides an adaptive authentication capability based on client fingerprinting, which can be used to balance intrusiveness with authentication requirements.
Gartner clients give high ratings for vendor support. They cite the flexible authentication approach and some key security features, such as URL encryption and cookie signing, as reasons to select nevisProxy.
AdNovum's WAF includes a variety of supporting features for mobile application security, such as JSON filtering and a learning engine, as well as an adaptive authentication mechanism.
AdNovum can operate its WAF and deliver it as a service for its clients, with support for a remote hardware security module (HSM). Its centralized management (nevisAdmin) is available at no additional charge and is multitenancy-capable. The vendor offers free licensing for test servers and unlimited flat-rate agreements for very large deals.
AdNovum has proven experience with large organizations in Switzerland, including financial institutions.
Cautions:
AdNovum's WAF is mainly deployed as an integrated IAM solution of the Nevis Security Suite, selected for its web access management (WAM) features. Despite increasing efforts, growth of its WAF business is slower than the market average.
AdNovum does not appear on Gartner clients' shortlists for WAF outside of Switzerland. Its channel development is focused on Switzerland, Germany and Singapore. Prospective customers should verify the availability of local technical support and request references from peer organizations.
nevisProxy lacks a threat intelligence feed and has limited integration with third-party vulnerability scanners. Its integrated antivirus scanner to protect file-sharing applications (ClamAV) lags behind leading antivirus solutions.
Software, delivered as an ISO image, is the primary form factor for the Nevis Security Suite, which is not as convenient as hardware appliance or cloud service options. AdNovum delivers the software prepackaged on a server appliance, but has a limited number of clients choosing this option. It is not available on Amazon Web Services (AWS).
AdNovum has one of the smallest in-house threat research teams. Protection against injection flaws depends heavily on generic detections and on ModSecurity open-source or commercial signatures.
Clients report that ease of configuration and quality of reporting need to improve in large-scale deployments. Surveyed clients report that initial configuration can be complex, but they cite recent improvements.
Akamai:
Headquartered in Cambridge, Massachusetts, Akamai (AKAM) is a content delivery network (CDN) provider. Its network and cloud security services, including its WAF (Kona Site Defender), are built on top of the Akamai Intelligent Platform, its global cloud infrastructure. Kona Site Defender has been available since 2009. Akamai also offers DNS security (Fast DNS), and a dedicated DDoS mitigation solution (Prolexic Routed), resulting from its acquisition of Prolexic Technologies in 2014.
Akamai's WAF is delivered as a service with a monthly fee, based on performance requirements and the number of protected web applications. Additional subscriptions are available to cap extra costs during volumetric DDoS attacks (DDoS Fee Protection), for reputation feeds (Client Reputation) and bot management (Bot Manager), and for assistance with web security rule updates and tuning (Rule Update Service). Akamai's WAF is available as a cloud service only, and the vendor provides a 24/7 security operations center (SOC) underpinning this service.
In 2015, Akamai introduced two lower-tier pricing plans based on estimated or historical usage to serve smaller customers and markets, as part of the vendor's ongoing efforts to better address smaller enterprises and the midmarket. Bot Manager, a new add-on subscription to Kona Site Defender, is now available for bot management. Akamai has also upgraded its Site Shield service by adding enhanced cloaking support to protect the IP address of the origin web server.
Akamai is evaluated as a Challenger because of its combination of multiple security engines in a cloud-based WAF and its strong presence on WAF shortlists for public-facing web applications. Kona Site Defender is a good choice for large public web applications, especially for existing Akamai customers.
Strengths:
The large scale of the Akamai cloud infrastructure appeals to large B2C organizations when considering a WAF deployment that would require a complex set of on-premises appliance clusters. Cloud placement also allows for more frequent feature updates that are immediately available to every Akamai client. Combining application and volumetric DDoS protection with a WAF is a differentiator, allowing for a "one stop" web server security platform.
Akamai has a strong presence on WAF shortlists. Clients highly rate the mature and robust infrastructure, Akamai's global coverage, intuitive dashboards and ease of initial deployment in monitoring mode.
The recently released bot management feature, while still unproven, provides visibility on both good and bad bot traffic, unlike many of the vendor's WAF competitors that focus more on bad bot mitigation.
Akamai leverages its cloud platform placement and large market share in the CDN market to gain visibility into a substantial share of internet traffic, continually improving its reputation feeds and statistical analysis.
Kona's management console is available in a variety of European and Asian languages, in addition to English.
Cautions:
Akamai's WAF is available as a cloud service only. It does not provide the on-premises appliance option that many of its competitors offer to protect internal applications, or to maintain SSL secrets on the client's corporate network.
Enterprises evaluating Kona Site Defender frequently cite its high price as a reason to select another WAF solution. Gartner rarely observes Kona being evaluated against the competition for WAF only. Most of Kona WAF sales come from existing Akamai clients expanding their existing contract, motivated by the easy addition of security features to existing Akamai services.
Kona lags behind the solutions of some other vendors evaluated in this research for the depth of its security inspection in JSON/XML payloads that are useful for mobile application use cases. Its protection against attacks on web application origin IP is limited to HTTP/HTTPS. In addition, there is limited integration with other security solutions.
At the time of this writing, Akamai lacks integration with on-premises SIEM solutions. Customers using Sumo Logic and Splunk will find integration for SIEM to be cloud-based only. Clients would like to see comprehensive support for WAF management through a Kona open
Kona also lacks integration with AST vulnerability scanners. This complicates the use of Kona as a virtual patching mechanism for custom applications. Kona also does not include an automatic policy learning engine, relying instead on its heuristic engine.
The Akamai-owned Prolexic DDoS service is viewed as a premium service overlapping with cloud DDoS protection service from Akamai. This can make deciding on a DDoS protection solution more difficult for enterprise clients with high-security requirements already using the Kona WAF.
Barracuda Networks:
Barracuda Networks (CUDA), based in Campbell, California, is best-known for its comprehensive portfolio of security solutions suited for small or midsize businesses (SMBs). This includes firewalls, data management, email and web security. Barracuda is also visible in a few enterprise markets, including the WAF market. The vendor delivers its Web Application Firewall line in physical or virtual appliances. It is also available on the Microsoft Azure, AWS and VMware vCloud Air platforms.
In the last few months, Barracuda released enhancements on crawler detection and SSL support. The vendor also released Barracuda Vulnerability Manager, a vulnerability scanner service, and a RESTful management API.
Barracuda Networks is assessed as a Challenger because it is considered for implementation in common application environments, where a low-cost solution is the primary requirement or when compliance requirements drive the WAF implementation.
Strengths:
Gartner SMB customers often include Barracuda in competitive WAF evaluations, and the vendor has high visibility in the European markets.
Barracuda has a very broad range of platform options, and is one of the few vendors visible on WAF shortlists for the Azure IaaS platform.
Barracuda gets good marks from users for vendor support, simple and transparent price structure, and low total cost of ownership. Customers also like its Instant Replacement subscription, which offers next-business-day product shipping in case of failures, and allows for a free upgrade every four years.
Barracuda's WAF combines embedded authentication features and integration with several third-party authentication solutions. Recent integration with Barracuda Vulnerability Manager provides a way to improve virtual patching automation.
The vendor offers broad language support in its management interface, including many European languages that other vendors don't provide. Mandarin, Cantonese, Japanese and Korean are also included.
Cautions:
Gartner clients give mixed feedback on the ease of use of Barracuda's management interface for daily tuning of WAF configuration.
Automatic policy learning lags behind the vendor's direct competitors and receives poor feedback from Gartner clients. The monitoring console does not aggregate multiple log alerts into security events, leaving more manual work to SOC analysts.
Barracuda does not offer a cloud WAF. It neither offers nor integrates with cloud services that provide protection against volumetric DDoS.
Barracuda's hardware appliance range does not scale higher than 10 Gbps throughput. Its WAF is rarely considered on Gartner clients' shortlists for complex or large-scale application environments.
Barracuda's WAF lags behind its leading competitors in security automation. The result of vulnerability scans must be imported manually.
Barracuda relies on a generic set of signatures to protect against injection attacks. Prospective WAF customers should perform a lengthy proof of concept to validate the quality of these generic signatures.
Citrix:
Citrix (CTXS), co-headquartered in Santa Clara, California, and Fort Lauderdale, Florida, is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions. Citrix has offered WAF functionality (NetScaler AppFirewall) for more than a decade either as a stand-alone software option or included in the Platinum Edition of the NetScaler ADC suite. The Citrix hardware appliance product line (NetScaler MPX) can also run a license-restricted version of the full NetScaler software to act as a stand-alone WAF. In addition, Citrix provides a line of virtual appliances (NetScaler VPX). NetScaler can also be bundled in Citrix Mobile Workspace offerings.
Citrix has recently released IP reputation for NetScaler AppFirewall and has improved software performance. In a recent update, the vendor added a security section (Security Insight) to its centralized management and reporting solution (NetScaler Management and Analytics System).
Citrix is assessed as a Challenger because AppFirewall, its WAF, is primarily an add-on sale to its ADC solution suite, and is easy to enable for existing clients, but it rarely competes in selections where WAF is the primary need. NetScaler AppFirewall is a good choice for organizations looking for an easy way to add WAF functionalities to their existing Citrix investment.
Strengths:
NetScaler's ability to scale appeals to large organizations. NetScaler SDX includes multitenant support that consolidates a high number of NetScaler instances on a single hardware appliance.
NetScaler AppFirewall provides mature features for web security, including security inspection for XML and JSON content. NetScaler can transparently add HTTP/2 support in front of legacy applications. It also integrates a variety of application performance optimization features.
The recent addition of Security Insight to the NetScaler Insight Center adds a needed high-level security dashboard. NetScaler Management and Analytics System embeds real-time web application performance monitoring and a functional SSL certificate dashboard.
Clients give high ratings for ease of deployment for AppFirewall on the NetScaler platform, and high performance, especially when the traffic mix includes a high percentage of SSL/TLS traffic. NetScaler WAF can be bundled with SSL VPNs for remote access to internal applications.
Unlike many of its competitors that provide IP reputation as a paid subscription, NetScaler includes it at no additional charge.
Cautions:
NetScaler AppFirewall is a software module of the ADC product, and the vendor strategy has shifted to serve markets other than security. As such, roadmap execution is focused on avoiding big feature gaps, but typically lags behind the competition when it comes to innovations.
Citrix appears less often on Gartner clients' shortlists than its direct competitors. The trend in the last 12 months has been negative too, with decreased visibility for NetScaler AppFirewall on competitive WAF shortlists.
Gartner does not see Citrix's WAF displacing the competition based on its security capabilities, but rather sees it as an accompanying sale for ADC placements.
Citrix does not offer a cloud-based DDoS protection service or a cloud-based WAF. NetScaler can only provide antivirus analysis by forwarding files to third-party scanners.
Existing clients report frustration with the logging and reporting features. Search features are available, but the embedded log management function does not offer automatic aggregation of individual alerts into correlated events. Its management interface is only available in English.
CloudFlare:
Headquartered in San Francisco, CloudFlare delivers a suite of cloud-based CDN and security services. WAF services on the CloudFlare platform are bundled in CloudFlare's subscriptions, including the Business, Enterprise and Premier plans. Available features include WAF and protection against application and volumetric DDoS. CloudFlare is best-known for its free plan, which has been initially deployed by a majority of its users and has helped the vendor gain network visibility for its Enterprise and Premier subscription plans. CloudFlare also sells custom plans to enterprises through its channel and dedicated sales force. CloudFlare has been offering a basic WAF since 2010, with an important upgrade in 2013. As a cloud service, it can be deployed only as an in-line reverse proxy. CloudFlare's management interface is available in English and Japanese. The vendor has one core offering to service all of its customers.
2015 enhancements include API delivery of WAF events, improved protection against zero-day threats and vulnerability updates for business-critical application platforms.
CloudFlare is assessed as a Challenger, because its WAF doesn't fully address complex enterprise deployment use cases, but already has market presence and is quickly gaining market share. CloudFlare is a good fit for budget-constrained organizations that need bundled WAF and DDoS capabilities for their public-facing web applications.
Strengths:
CloudFlare sees traffic across four million websites, providing it with useful information about threat trends that improve WAF intelligence.
Its free plan provides an opportunity for organizations to try a subset of security features before they buy.
CloudFlare WAF customers indicate that low cost for an integrated application delivery and security solution is the primary reason they select CloudFlare.
Customers express high levels of satisfaction with CloudFlare's ease of deployment, ease of use, flexibility and support expertise.
Despite its initial SMB focus, CloudFlare has established a track record of being driven by a security-conscious culture, releasing features that make it easier to enable security for applications (such as Universal DNSSEC and One-Click SSL).
Cautions:
Clients indicate that their inability to write custom signatures for their environment lengthens time to protection when they discover a vulnerability.
The vendor has developed its own WAF engine, but still uses a combination of in-house and ModSecurity rules to protect against injection flaws and other threats.
Customer-cited areas for improvement include analytics, reporting and notifications. In addition, improvements in enterprise-scale support and more flexibility in WAF management are needed to make CloudFlare a good fit in demanding enterprise environments.
CloudFlare does not integrate with third-party or in-house application scanning technologies; thus, it complicates the use of the CloudFlare WAF as a virtual patching mechanism.
Several CloudFlare local outages were reported in the security industry press and by CloudFlare customers during 2015.
DenyAll:
Based in Sèvres, France, DenyAll is a web application security vendor, founded in 2001. Following the acquisition of French WAF vendor BeeWare in May 2014, DenyAll continues to offer two WAF product lines, in addition to a WAM solution. DenyAll WAF, based on the former BeeWare platform, is the primary offering. DenyAll rWeb continues to be updated with bug fixes and functional enhancements. DenyAll WAFs are predominantly installed on-premises. The WAF technology can be deployed as a physical or virtual appliance. DenyAll WAFs are available on AWS and Microsoft Azure. The vendor also provides a cloud-based WAF ("as a service"), called Cloud Protector, that is fully managed by DenyAll.
DenyAll mostly focuses on the French and European markets, where it primarily targets midsize and large enterprises in the financial, utility and government sectors. In 2015, DenyAll released a subscription IP reputation service and a new engine for user behavior scoring.
DenyAll is assessed as a Niche Player, because of its limited visibility on WAF shortlists outside of France and the impact of the BeeWare acquisition on its roadmap execution. European organizations, especially those looking for a local vendor, should consider adding DenyAll to their shortlists.
Strengths:
DenyAll's customers list high-quality support, ease of use and responsiveness to feature requests as reasons to select the vendor.
DenyAll's technology includes several advanced protection techniques, including JSON traffic analysis/protection, code leakage detection and a lightweight browser agent. Its user reputation scoring allows the DenyAll WAF to progressively adapt and apply security measures to suspicious transactions.
Users of the DenyAll WAF like the application policy and workflow visualization.
DenyAll has WAF products that work well within public cloud (AWS and Microsoft Azure) environments. Its Cloud Protector appeals to midmarket organizations and is currently hosted exclusively in European data centers.
DenyAll enables a correlation between its WAF and dynamic application security testing (DAST) to increase the accuracy of detection.
Cautions:
DenyAll mainly focuses on the French and European markets, which limits its visibility and adoption in other geographies. Through partners, it has expanded its reach into certain Middle Eastern, South American and Southeast Asian nations, and is looking to increase its U.S. presence.
Most of the positive comments on DenyAll's security benefits are made on the legacy rWeb product. The DenyAll WAF has yet to integrate many of the rWeb security engines.
Customers considering DenyAll are more likely to be offered a DenyAll WAF instead of rWeb. Prospects should not rely only on DenyAll's brand reputation, or on older evaluations or peer feedback, which might not apply to the new solution; instead, they should test the efficiency and feature availability of the solution accordingly.
DenyAll's organic growth is low compared with the Leaders, Challengers and even some Niche Players in this Magic Quadrant. Gartner estimates that the merger and maintenance of two software stacks has also impacted the roadmap execution in the last 12 months.
DenyAll's reporting and licensing complexities are areas that customers and partners say need improvement. Monitoring features are split between the Java application and the new web interface. Log management currently does not automatically aggregate similar alerts in a single security event, but has a filtering function that can be implemented by users to perform this operation manually.
DenyAll's WAF correlation process between WAF and DAST mainly focuses on WAF integration with its own DAST, but not DAST from other AST vendors. Therefore, the value of the integration depends on DenyAll's ability to continually improve its DAST product.
Ergon Informatik:
Swiss vendor Ergon Informatik, based in Zurich, has been shipping its WAF technology (Airlock WAF) since 2002. Airlock WAF can be deployed as a reverse proxy, and is available primarily as a software appliance, but the vendor also offers two models of hardware appliances. It is also delivered as a virtual appliance, and is available as an Amazon Machine Image (AMI).
In 2015, Ergon Informatik rebranded its product offering, creating the Airlock Suite, which includes WAF, IAM and the more basic authentication module, Airlock Login. The vendor recently added CSRF token support, WebSockets support and a first version of application learning.
Ergon Informatik is assessed as a Niche Player mainly because most of its Airlock WAF wins are in Europe. The vendor is a viable shortlist candidate for organizations' WAF projects, especially large banking and insurance enterprises in Europe and the Middle East.
Strengths:
Ergon Informatik is the largest WAF provider of the three Swiss vendors evaluated in this Magic Quadrant, and has a more developed channel outside of Switzerland than its local competitors. Its customers give good scores for ease of use, software stability, interface intuitiveness, and professional presales and postsales support.
The vendor's approach to security for JSON and RESTful APIs is worth evaluating. In Airlock version 6, a first version of a feature called Dynamic Value Endorsement analyzes objects in transit and determines correct values and anomalies. In more complex use cases, application developers can also indicate acceptable values for input fields through a feature called Advanced Declarative Application Security.
The vendor leverages a tight integration with its authentication module to score the risk of a session hijack and the need to possibly require additional authentication steps.
Airlock includes extensive techniques for web application parameters, with URL encryption, various cookie protections (including a cookie store) and integrity checks for form parameters. It also includes a broad range of predefined templates for Microsoft applications.
Airlock's integration of a full IAM solution adds comprehensive authentication and SSO features. Airlock Login — its simplified version — provides a cost-effective alternative.
Cautions:
Airlock does not offer centralized management or WAF delivered as a cloud service. It lacks a threat intelligence feed and integration with DDoS protection cloud services.
The Airlock WAF management interface is available only in English. Ergon Informatik can only provide antivirus analysis by forwarding files to third-party scanners. Recently introduced learning mode capabilities are still a work in progress.
Airlock's clients report that the reporting and real-time monitoring could be improved. The monitoring dashboard lacks correlation of alerts into aggregated security events. The vendor-provided SIEM integration is limited to a Splunk app, but Ergon Informatik reports that its customers have integrated with other leading SIEM technologies.
Ergon Informatik's cautious expansion beyond the DACH region (Germany, Austria and Switzerland) may result in prospects having limited references from the rest of Europe and other regions, and more limited access to presales interactions.
Airlock's physical appliance portfolio is more limited than some of its direct competitors. Its software licensing model, based on the number of protected applications, can be complex when compared to more traditional appliance or subscription-only equivalents.
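Two of the protections cited as strengths above, cookie signing for nevisProxy and the cookie protections and form parameter integrity checks for Airlock, are mechanical enough to show in code. The following is an added example, not the code of either vendor: a reverse proxy attaches an HMAC to outbound cookies and to the read-only fields of outbound forms, and rejects the inbound copy when the client has modified either. The secret key, cookie names and form fields are constructed for the demonstration.

```python
"""HMAC-based cookie signing and form-field integrity checks, as a reverse-proxy
WAF might apply them to an application it fronts. Hypothetical example code,
not any vendor's implementation; SECRET, cookie names and fields are constructed."""
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key-not-for-production"  # constructed for the demo


def _mac(data: bytes) -> str:
    """URL-safe, unpadded base64 HMAC-SHA256 tag (never contains '.')."""
    tag = hmac.new(SECRET, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def sign_cookie(name: str, value: str) -> str:
    """Outbound (server -> client): append a tag covering the cookie name and
    value, so neither can be altered and a value cannot be moved to another cookie."""
    return f"{value}.{_mac(f'{name}={value}'.encode())}"


def verify_cookie(name: str, signed: str):
    """Inbound (client -> server): return the original value, or None if the tag
    is missing or does not match. rpartition is safe because the tag has no '.'."""
    value, sep, tag = signed.rpartition(".")
    if not sep or not tag:
        return None
    expected = _mac(f"{name}={value}".encode())
    return value if hmac.compare_digest(tag, expected) else None


def _form_canon(fields: dict, protected: list) -> bytes:
    # Length-prefix names and values so that neither can be shifted across a
    # boundary to yield the same canonical string with different content.
    parts = []
    for key in sorted(protected):
        value = fields[key]
        parts.append(f"{len(key)}:{key}{len(value)}:{value}")
    return "".join(parts).encode()


def seal_form(fields: dict, protected: list) -> dict:
    """Outbound: add hidden fields naming the protected (read-only) inputs and a
    tag over their names and values. Editable fields stay uncovered."""
    out = dict(fields)
    out["__protected"] = ",".join(sorted(protected))
    out["__sig"] = _mac(_form_canon(fields, protected))
    return out


def check_form(submitted: dict) -> bool:
    """Inbound: recompute the tag over the fields listed in __protected. A client
    that edits a protected value, drops one, or rewrites the list fails."""
    try:
        protected = submitted["__protected"].split(",")
        expected = _mac(_form_canon(submitted, protected))
        return hmac.compare_digest(submitted["__sig"], expected)
    except (KeyError, TypeError):
        return False


if __name__ == "__main__":
    cookie = sign_cookie("session", "user.123")  # constructed cookie
    print("valid cookie  ->", verify_cookie("session", cookie))
    print("moved cookie  ->", verify_cookie("other", cookie))
    form = seal_form({"item": "sku-1", "price": "100", "qty": "1"}, ["item", "price"])
    print("untouched     ->", check_form(form))
    print("qty edited    ->", check_form(dict(form, qty="3")))
    print("price edited  ->", check_form(dict(form, price="1")))
```

The covered form fields (here item and price) are bound together by the tag, so a client that changes price while keeping the original signature fails the check, while the editable qty field is outside the covered set and can change freely. The tag also covers the protected field names, so a signature issued for one form cannot be replayed against a submission that claims a smaller covered set.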
F5:
F5 (FFIV) is a large application infrastructure vendor based in Seattle, with a strong focus on ADCs. F5's WAF offering is a software module called Application Security Manager (ASM) for the F5 Big-IP ADC platform, often sold as a component of F5's Best bundle of services. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF). Other F5 security modules include the Access Policy Manager (APM) module and WebSafe web fraud protection services. ASM is also available on the virtual edition of Big-IP.
In 2015, F5 released Silverline, which includes a managed WAF delivered as a cloud service, and a DDoS mitigation service, resulting from the acquisition of Defense.Net in 2014. The vendor has also added a bot mitigation feed to ASM, and updated its management interface.
F5 is assessed as a Challenger because of its strong market share, good set of WAF features and strong on-premises WAF offering. The vendor is a good shortlist candidate for all on-premises WAF use cases, especially for large organizations and existing F5 customers.
Surveyed customers list WAF integration with ADC and other F5 functions as the most prominent criterion for selecting F5 ASM. Many Gartner clients have reported that F5 ASM has been a differentiator in their ADC decisions, also frequently winning against many of the dedicated WAF solutions because of better overall value for the money.
F5 is the second most visible vendor on client shortlists for WAF. It has the most comprehensive security offering in the ADC market, including a remote access module and a large installed base of ASM deployments.
Large enterprise clients like the flexibility of iRules scripting. It integrates well with WhiteHat Security's AST solution.
The new F5 Silverline cloud WAF offers clients a way to maintain a hybrid implementation of WAF features, since the technology used to protect cloud and on-premises is exactly the same. This makes it easier to apply the same level of protection in both environments. Silverline can function in a tunnel mode, protecting more than web traffic, and can be bundled with Silverline DDoS mitigation.
As a leading ADC vendor with a large installed base of clients, F5 leverages the scalability of its ADC Big-IP platforms and the strength of its ADC sales as the entry point for add-on WAF licenses. This gives existing F5 clients an easy path to add WAF to their security portfolio.
Users report difficulty in initial configuration and performance issues when adding ASM on top of an existing Big-IP installation.
Although Silverline WAF utilizes the same technology as ASM, it must be used with F5's Managed Service. A web portal is limited to the reporting functions only, and configuration changes must be implemented through professional services. It is not yet visible on client shortlists for cloud WAF.
IP reputation is available on ASM, but F5 has a limited threat intelligence offering, notably lacking a community-based threat intelligence feed. The on-premises WAF lacks integration with a DDoS mitigation cloud service. ASM's management interface is available in English only.
Surveyed customers indicate that troubleshooting logs can sometimes be difficult within ASM. Limitations in the central logging mechanism and centralized management may present some challenges for broad F5 WAF deployments across an organization.
While F5's channel is extensive, it is predominantly focused on ADC features. Many surveyed value-added resellers (VARs) selling F5 also have pure-play WAFs in their portfolios. Prospective clients should check local channel skills in selling and implementing WAF, especially when considering a positive security model.
Fortinet
Fortinet (FTNT) is a significant network security and network infrastructure vendor, headquartered in Sunnyvale, California. It started as a unified threat management vendor in 2000. It later expanded its portfolio to include multiple security offerings, including a WAF (FortiWeb, released in 2008), an endpoint protection platform (FortiClient), an ADC (FortiADC) and a database protection platform (FortiDB). The vendor remains most well-known for its FortiGate firewall, which is its most dynamic product line.
FortiWeb provides multiple deployment options with a physical or virtual (FortiWeb-VM) appliance, and acts either as a reverse/transparent proxy or out-of-band. It is also available on AWS and Azure. FortiWeb subscriptions include IP reputation, antivirus, security signature updates and cloud-based sandboxing (FortiSandbox). FortiWeb's management interface is available in English, Chinese and Japanese.
In recent months, Fortinet refreshed its WAF product line with larger-scale appliances and HSM support. The vendor also added FortiWeb integration with FortiGate firewalls, FortiSandbox appliances and third-party vulnerability scanners. New features include a cloud-based sandbox, a first version of user behavior scoring (Threat Scoring), CSRF tokens and an improved signature engine that better detects false positives in the SQL injection protection module.
Fortinet is assessed as a Challenger because of its increased investment in the WAF product line, and its ability to leverage its existing large customer base. The vendor's current customers, and organizations looking for good value for price, should include Fortinet's WAF in their competitive assessments.
Clients cite Fortinet's brand reputation, competitive prices and integration with other products from the vendor as reasons to purchase FortiWeb.
FortiWeb relies on a solid hardware product line with accelerated SSL decryption.
Clients purchasing FortiWeb frequently use its antivirus engine for malware inspection on file-sharing web services. Gartner expects the integration with sandboxing to further improve the relevance of FortiWeb for this use case.
The recent addition of HSM support, integration with a variety of third-party AST vendors and a 20 Gbps appliance improve the vendor's ability to support enterprise-scale deployments.
FortiWeb has a broad set of features, including IP reputation (supported by the large FortiGuard team), session risk scoring, cookie signing, SSL acceleration and web application caching.
Fortinet's WAF appears on WAF selection shortlists more rarely than its direct competitors, and is not yet visible on shortlists where security is the most weighted criterion. Most of the FortiWeb deployments observed by Gartner include a small number of protected applications.
Despite recent increased investment, FortiWeb is a secondary product for Fortinet compared to FortiGate, with only a narrow portion of the Fortinet channel actively selling its WAF. Gartner believes that local technical skills for FortiWeb are still scarcer than those for network firewalls.
Clients report that deploying FortiWeb in nontrivial application environments might require a fair amount of fine-tuning to avoid false positives. They also would like to see improved reporting, SSO options and automatic policy learning.
The user interface allows fine-grained changes, but does not guide the WAF administrator.
Fortinet does not offer WAF as a cloud service. Additionally, it does not offer integration with DDoS cloud-based protection services.
Fortinet clients have three options to get WAF features from the vendor: a software module on the FortiGate firewall and on FortiADC, and the FortiWeb dedicated solution. Gartner gets occasional reports from clients about confusion on what they should select, because of contradictory messages from the channel on the capability of each option.
Imperva
Imperva (IMPV) is an application and database security vendor based in Redwood Shores, California. SecureSphere is Imperva's WAF appliance, and Incapsula is its cloud-based WAF, delivered as a service. Imperva Skyfence is a cloud access security broker (CASB) for SaaS security. Imperva also has two packages for security monitoring and managed service of the SecureSphere and Incapsula WAFs.
Early on, Imperva positioned itself primarily as a transparent bridge deployment. The SecureSphere WAF is available as a physical or virtual appliance, and for AWS and Microsoft Azure. Two models of physical and virtual appliances are also available for dedicated management. In 2014, the acquisition of cloud WAF Incapsula expanded its market reach past its legacy Type A customers. Imperva Incapsula is the cloud-based, as-a-service WAF, and can also be bundled with other services, including DDoS mitigation and CDN features. ThreatRadar is the family of add-on subscription services available for SecureSphere, delineated into four offerings: reputation, anti-bot, anti-fraud and community defense.
Imperva has recently released its account takeover service, which includes a database of known stolen credentials; added support for SSL ciphers needed for PFS support; and enhanced its management API, to support DevOps use cases. It continues to expand its data center infrastructure to support the Incapsula and Skyfence offerings.
Imperva is assessed as a Leader because it continually wins based on security features and innovations, provides accurate threat intelligence, and resists price pressure from direct competitors. Imperva is a strong shortlist candidate for organizations of all sizes, especially those with high-security requirements or those looking for an easy-to-deploy, cloud-based WAF.
Gartner sees Imperva consistently scoring very high and/or winning competitive assessments done by Gartner clients, with a high success rate when security is the most weighted criterion.
Existing clients are also satisfied with the quality of Imperva solutions. When they put Imperva in competition at renewal time, it is frequently due to security budget shifts or architecture changes, and Imperva is also present on replacement shortlists.
Imperva is the most visible vendor on Gartner clients' shortlists. Surveyed resellers for other vendors also frequently sell Imperva's solutions. Clients cite advanced security, application policy learning and integration with Imperva database monitoring solutions as reasons to select SecureSphere.
Gartner clients with on-premises, large-scale, business-critical web applications frequently select Imperva for the flexibility of its management solutions. The number of clients using the Imperva "manager of managers" option is another sign of the vendor's presence in large deployments.
Imperva does well in thought leadership and analysis of web attack trends. SecureSphere ThreatRadar feeds go beyond reputation only, and protect against multiple attack profiles. ThreatRadar community sharing can quickly mitigate new attack campaigns.
Like the on-premises SecureSphere, Incapsula continually scores high in Gartner client feedback versus other in-the-cloud WAFs. Incapsula integrates with a few SIEM solutions and can provide always-on origin IP protection using GRE tunneling.
Because SecureSphere lacks integrated load-balancing features, competition with ADC solutions, and especially F5, can be difficult when security requirements are not weighted enough to justify a large price difference. These customers do not want to pay the premium for a point security product, and are not yet ready to — or simply can't — transition to a cloud-based WAF.
The Imperva strategy shift to become a cloud security vendor is still a work in progress. Skyfence integration with other Imperva solutions is limited to threat intelligence feeds. Imperva does not provide a unified view for application security across WAFs and CASBs. The SecureSphere appliance product line is a secondary component of this cloud security vendor strategy, and has grown more slowly than other Imperva products. Prospective customers should ensure that Imperva's investment in SecureSphere's roadmap remains consistent with enterprise expectations of continuous improvement.
Imperva on-premises (SecureSphere) and cloud-based (Incapsula) are different products, and do not share the same capabilities or management console. Another example is that Incapsula does not integrate with Imperva's database security solution. Transitioning from SecureSphere to Incapsula requires similar efforts as switching to another brand.
Neither SecureSphere nor Incapsula provides in-line malware inspection, which can be useful for file-sharing applications. Incapsula lags behind other vendors in advanced bot management features.
SecureSphere clients like the real-time aggregation of alerts, but consistently complain about the reporting. Most Imperva clients use a SIEM solution instead of native capabilities. Customers using both SecureSphere and Incapsula miss having a unified dashboard. Clients report growing frustration with the Imperva management console, which they find dated and not very intuitive in some situations. It has good coverage for Asian languages, but lacks the support for local European languages that some of its competitors offer.
Like many cloud WAFs, Incapsula has a variety of enterprise-class options that can inflate overall costs beyond what clients initially expected. Resellers' knowledge of Incapsula for large-scale deployments might be more limited, as many Imperva resellers have yet to add Incapsula to their portfolio.
NSFOCUS
NSFOCUS is a large network security vendor based in Beijing, China, providing IPS and DDoS protection solutions. NSFOCUS' WAF (WAF Series) offering was first released in 2007. It is delivered as a physical or virtual appliance, can perform in reverse or transparent proxy mode, and supports OOB deployment. NSFOCUS also offers centralized management (Enterprise Security Manager), delivered as software or available as a cloud service. The vendor provides managed services for its WAF. Its management interface is available in English, Japanese and Chinese. Adjacent to its WAF offering, NSFOCUS WebSafe is a web application security monitoring SaaS offering.
NSFOCUS has recently released version 6 of its WAF series, with support of the main hypervisors for its three virtual appliance images, XML/SOAP validation, RESTful API for management and web service protection.
NSFOCUS is evaluated as a Niche Player for the WAF market because most of its clients for its WAF product come from China only. NSFOCUS' WAF is a good shortlist candidate for the vendor's current customers, and for organizations in China and East Asia.
NSFOCUS is very visible in China, where it competes frequently with market leaders. Chinese clients offer strong praise for local support efficiency.
Customers indicate that NSFOCUS' WAF offers a competitive price and good in-production performance.
The WAF can redirect incoming Web traffic to NSFOCUS' anti-DDoS ADS devices located on a cloud infrastructure when congestion is detected, and then switch back to normal. NSFOCUS WebSafe provides complementary 24/7 web application monitoring against website defacement and malware hosting.
Clients give good marks to the protection against brute force login and the direct integration with NSFOCUS' AST solution.
The WAF has a good mix of local and global product certification, including ICSA Labs WAF certification.
NSFOCUS is not visible in competitive WAF evaluations outside of China and Japan. Its international channel's presence for WAF still lags behind the other vendors, which can limit the availability of local skilled resources for presales and postsales support.
NSFOCUS' WAF lags behind leading vendors in some features, such as web service security, SSL hardware support and role management. It is not available as a prepackaged image for AWS. Its recent WAF features' release pace was slower than many of its competitors.
The vendor does not offer cloud-based WAF.
NSFOCUS' WAF does not provide authentication features and does not integrate with third-party authentication software. Its log view provides search features, but does not aggregate related alerts into aggregated security events, and integration with leading SIEM vendors is limited to generic log format support.
Surveyed clients report that automatic policy learning and reporting, especially security reports and dashboards, need improvement.
Penta Security Systems
Penta Security Systems is based in Seoul, South Korea. Its product portfolio includes WAFs (Wapples), a database encryption platform (D'Amo) and authentication/SSO (ISign+). Wapples was first released in 2005. It is available as a physical or virtual appliance (Wapples V-Series), and as a cloud service (Cloudbric). A centralized WAF management system (Wapples MS) and a free-to-use monitoring cloud-based web portal (Wapples Management Portal [WMP]) are also available. Penta Security emphasizes Wapples' "logic detection" technology, which does not require regular signature updates. Wapples' management interface is available in English, Korean and Japanese.
A few months ago, the vendor launched WAF as a service (Cloudbric) and signed partnerships with a few telecom providers to offer its WAF as a service. The vendor also recently added the ability to create custom reports.
Penta Security Systems is rated as a Niche Player because of its limited presence outside of its home market. The vendor is a good choice for midsize organizations and, in East Asia, for larger enterprises.
Customer feedback indicates that the technology is relatively straightforward to deploy and maintain. Penta Security gets good scores for its logic detection engine's ability to avoid false alerts.
Customers report that vendor support is good. The vendor is seen as a competitive threat by other WAF vendors in East Asia.
Wapples has a good set of local and global certifications, including ICSA Labs and Common Criteria EAL4 certification.
Cloudbric, Penta Security's cloud WAF, is free for up to 4GB of data per month.
Wapples security heavily depends on the robustness of its generic engine, with only a few complementary techniques available in case it fails to detect targeted attacks.
Wapples does not include authentication features and lacks threat intelligence feeds. Its ability to scan files for malware is limited.
Wapples does not integrate with third-party AST vendors, and integration with leading SIEM vendors is limited to generic log format support.
The vendor does not yet appear on Gartner clients' shortlists outside the Republic of Korea and Japan. Outside of these countries, advanced presales and postsales support for Wapples is scarce.
Its cloud-based WAF offering lags behind its direct competition in automated bot mitigation and volumetric DDoS protection.
Positive Technologies
Positive Technologies is co-headquartered in Moscow, London and Boston, and has shipped its WAF, called PT Application Firewall, since 2013. Positive Technologies shipped its first WAF central management platform and introduced clustering capability in 2014. The vendor also offers MaxPatrol, a vulnerability scanner that can look for general network and SAP vulnerabilities, and PT Application Inspector, which combines static, dynamic and interactive code analysis techniques. Positive Technologies' WAF product is currently available as a dedicated appliance, as a software version that can run on a third-party appliance and as a virtual machine that is predominantly installed on the enterprise's premises. It is not yet available on AWS or Microsoft Azure IaaS platforms. The management interface is available in English, Korean and Russian. PT Application Firewall is not available to secure workloads on public IaaS cloud platforms.
Positive Technologies currently mostly sells in the EMEA market. It remains one of the smallest vendors included in this evaluation, with a high percentage of its workforce still devoted to R&D. In recent months, the vendor has released a few upgrades to its version 3, adding rate limits for DDoS protection, RESTful API for management, cookie signing and machine learning for XML content.
Positive Technologies is rated as a Visionary because of its execution on a security-driven roadmap. Organizations that are looking for high security first should consider adding Positive Technologies to their shortlists, but verify the level of local expertise on and support for the technology.
Positive Technologies' customers list unique machine learning technology, good discounts and ease of initial deployment as reasons to select PT Application Firewall.
Unlike many WAF offerings, PT Application Firewall does not primarily rely on a set of generic signatures to protect against injection flaws. It relies primarily on anomaly detection, with the machine learning engine automatically detecting deviations from normal behaviors from the live traffic.
Partners and customers give positive feedback for the vendor's presales and postsales technical support.
Since its launch, PT Application Firewall's roadmap execution has been focused on providing high-security features. Its real-time dashboard is built to support the incident response workflow, trying to highlight where every event fits in the attack kill chain.
The vendor enables correlation between its WAF and DAST/static application security testing (SAST) to increase the accuracy of detection and protection.
Despite aggressive sales and marketing development programs, Positive Technologies' WAF is a recently introduced product, with a more limited number of production clients than many of the WAF vendors evaluated in this research.
The vendor does not show up as a top competitor among surveyed vendors, and Gartner seldom sees PT Application Firewall on client shortlists. Prospective clients, especially in large-scale, complex application environments, should ask for several peer references and conduct a lengthy proof of concept before purchase.
Positive Technologies' WAF is available on-premises only. It does not provide a cloud-based, as-a-service option, and lacks support for or integration with DDoS cloud-based protection services. The vendor's WAF can inspect malware only through traffic redirection to a third-party solution.
Customers cite the management console and upgrade procedures as areas for improvement.
PT Application Firewall lacks any third-party certification, such as Common Criteria and ICSA Labs, or independent testing.
Radware
Radware (RDWR) is an application delivery and network security vendor co-headquartered in Tel Aviv, Israel and Mahwah, New Jersey. Its security products include a hybrid DDoS mitigation tool (DefensePro), a DDoS protection virtual appliance (DefenseFlow), a DDoS mitigation service (DefensePipe) and a WAF (AppWall), which can be purchased individually or bundled together in Radware's Attack Mitigation System (AMS) offering. Radware has been shipping the AppWall WAF since 2010. AppWall may be deployed as a physical or virtual appliance, and is also available as a fully managed cloud service (Cloud WAF Service). WAF integrated on Alteon ADC is available on AWS and Microsoft Azure. The vendor also provides a solution for centralized management, monitoring and reporting of its own products (APSolute Vision).
In recent months, Radware introduced its managed Cloud WAF Service, an activity tracking and device fingerprint feature on AppWall, along with Hewlett Packard Enterprise (HPE) WebInspect dynamic scanning integration (to enable automated virtual patching), and support for decrypting TLS 1.2 in AppWall Monitor. It has also exposed a first version of a RESTful API to manage the AppWall WAF.
Radware is assessed as a Niche Player because its WAF still predominantly serves its current customer base of midsize and large enterprises, and service providers. It is a good shortlist contender for most organizations, especially those already using Radware security products.
Among other deployment scenarios, AppWall can be deployed in transparent bridge mode while providing reverse proxy capabilities to specific traffic. Combined with automatic policy learning, this enables AppWall to be deployed easily, with no configuration changes to the network.
Surveyed Radware customers cite security, an automated positive security model and a good appliance price as primary reasons for selecting the vendor. The vendor's existing customer base of WAF users includes some very large-scale deployments.
Radware implements a combination of IP tracking and device fingerprinting to detect data exfiltration.
Radware's integrated management approach with APSolute Vision coordinates WAF management with DDoS management, providing the opportunity for effective mitigation against multivector attacks. Of all the vendors evaluated in this Magic Quadrant, Radware has one of the most mature visions on WAF and DDoS protection integration.
AppWall integration with third-party dynamic vulnerability scanners is currently available for HPE WebInspect only. It lacks integration with database monitoring solutions.
IaaS platform support and some features, including some SSL/TLS decryption features, IPv6 and HTTP 2.0 support, are only available on the Alteon ADC platform and not on dedicated AppWall appliances.
Users cite Radware's GUI and its limited connectivity with third-party threat feeds as weaknesses. AppWall can't inspect files for malware detection, but integrates with DLP solutions. AppWall's native management interface is available in English only.
While Radware has low visibility on Gartner clients' WAF shortlists, it has improved in recent months. It gets fewer mentions in Gartner client inquiries than several of its direct competitors. The recently introduced Cloud WAF Service rarely appears on competitive shortlists for cloud WAFs.
Trustwave
Trustwave has its headquarters in Chicago, and is best-known for its compliance and managed security services. Trustwave is a qualified security assessor (QSA) for PCI DSS. The vendor offers a comprehensive portfolio of network security solutions, including its WAF, secure web gateway, IPS, application security and SIEM offerings. The Trustwave WAF was first available in 2006 as a physical appliance (TX Series), and then in 2013 as a virtual appliance (VX Series) for VMware hypervisors. In 2015, Trustwave released a version that works within AWS. Trustwave also moderates the open-source ModSecurity WAF, and provides a commercial OEM signature package that is maintained by SpiderLabs, its threat research team.
In April 2015, Singtel announced its intention to acquire Trustwave and closed the transaction in September 2015. The vendor has recently released improvements in SSL acceleration support, centralized management and a variety of virtual appliances to support IaaS deployments.
Trustwave is assessed as a Niche Player because many of its WAF sales come from compliance projects in North America with basic security requirements, and it has lagged behind its competitors in roadmap execution and deployment to public cloud platforms. Trustwave is a good choice for organizations in North America that are seeking PCI compliance, and is a logical shortlist candidate for businesses seeking a managed WAF.
Trustwave's support of ModSecurity gives its large threat research team (SpiderLabs) access to feedback from its community, which is useful for improving the quality of its WAF — notably, the IP reputation subscription.
Trustwave's WAF provides a PCI-ready default configuration. Its well-crafted OOB deployment mode, with multiple types of blocking capabilities and the ability to decrypt SSL connections using a copy of the network traffic, appeals to its WAF clients.
With its recent release (v.7.5), Trustwave's WAF supports active/active high availability, adding a new option to scale an existing deployment up.
Clients report that they have confidence in the SpiderLabs team's expertise. Trustwave's WAF integrates well with other Trustwave solutions, including SIEM and the vulnerability scanner.
Surveyed customers report a high rate of false positives compared to competitors. They also indicated a lower level of satisfaction with the Trustwave WAF solution. Clients cite centralized management and the virtual patch management process as needing improvement.
Trustwave lags its competitors in several areas. In recent months, software update releases have been rare, with little addition of new features.
Trustwave does not offer a cloud-based WAF. Its WAF lacks authentication features and integration with third-party authentication solutions, and can't inspect files for malware detection. It does not integrate with DDoS protection cloud services for volumetric DDoS protection, but relies on an OEM partnership with Akamai to offer this service. Its management interface is available in English only.
Except for compliance projects in North America, Gartner continues to rarely see Trustwave on WAF shortlists.
Trustwave's WAF lacks recent third-party certification, such as Common Criteria or ICSA Labs. The latest evaluation for Common Criteria was in 2012.
United Security Providers
Based in Bern, Switzerland, United Security Providers offers network security products and managed security services. Its USP Secure Entry Server (SES) platform integrates a WAF, an authentication server and an XML gateway. The WAF is available primarily as a physical, virtual or software appliance. The vendor offers a single physical appliance with preinstalled software. It can also be delivered as an AMI. The vendor also provides managed security service provider (MSSP) services for its WAF.
In 2015, United Security Providers launched SES version 5, a major platform upgrade that included a redesigned web user interface for configuration and log management, along with dedicated features for MSSPs. The vendor also released IP reputation in version 5.1, and announced an integration partnership with ArcSight and DDoS mitigation providers. The vendor also revamped its marketing program to promote WAF more aggressively, and expanded its nascent U.K. presence.
United Security Providers is assessed as a Niche Player because of its low visibility on shortlists outside of Switzerland. The vendor's WAF best serves organizations looking for an integrated WAM solution, combining security and authentication requirements.
Integration with the WAM solution offers a lot of flexibility for authentication and SSO, which can be factored into WAF security decisions. The vendor's clients mention good integration of WAF and the authentication platform as reasons to select United Security Providers.
United Security Providers has increased its marketing and roadmap efforts for its WAF product. WAF roadmap execution is good, and the vendor has also simplified licensing to make it easier to add security features on the top of the core platform.
United Security Providers' WAF includes advanced security features, such as URL encryption, protection against CSRF, cookie security and web client fingerprinting. It also supports JSON and WebSockets.
Customers provide positive feedback on the WAF's performance in production and on vendor support. They also noticed strong improvement in ease of use for single WAF device management with the latest version.
United Security Providers is one of the smallest vendors evaluated in this Magic Quadrant. Outside of Switzerland, it generally does not appear on Gartner clients' competitive shortlists for WAF.
The vendor's WAF can only provide antivirus analysis by forwarding files to third-party scanners. Its signature-based protections rely on a combination of ModSecurity and in-house rules.
Clients indicate that the centralized management solution is limited. The management interface is available in English only. The reporting solution provides limited correlations of individual log entries.
The vendor's WAF can't redirect traffic to a DDoS protection cloud, but includes integration with a few third-party DDoS protection vendors. It does not directly offer a cloud-based WAF, delivered as a service, but can package hosted virtual WAF appliances with in-house or partner managed security service.
The importance of WAF features in the recent roadmap did increase, but the vendor's marketing remains primarily focused on its integrated WAF and authentication approach.
Vendors Added and Dropped
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
CloudFlare has been added.
DBAPPSecurity did not meet this year's inclusion criteria.
Inclusion and Exclusion Criteria
WAF vendors that meet Gartner's market definition/description are considered for this Magic Quadrant under the following conditions:
Their offerings can protect applications running on different types of Web servers.
Their WAF technology is known to be approved by qualified security assessors as a solution for PCI DSS Requirement 6.6 (which covers Open Web Application Security Project [OWASP] Top 10 threats, in addition to others).
They provide physical, virtual or software appliances, or cloud instances.
Their WAFs were generally available as of 1 January 2015.
Their WAFs demonstrate features/scale relevant to enterprise-class organizations.
They have achieved $6 million in revenue from the sales of WAF technology.
Gartner has determined that they are significant players in the market due to market presence or technology innovation.
Gartner analysts assess that the vendor's WAF technology provides more than a repackaged ModSecurity engine and signatures.
WAF companies that were not included in this research may have been excluded for one or more of the following reasons:
The vendor primarily has a network firewall or IPS with a non-enterprise-class WAF.
The vendor has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.
The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and internet service providers that provide managed services. We assess the breadth of OEM partners as part of the WAF evaluation, and do not rate platform providers separately.
The vendor has a host-based WAF, WAM, RASP or API security gateway (these are considered distinct markets).
In addition to the vendors included in this Magic Quadrant, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels in WAF projects, including: A10 Networks, Alert Logic, Amazon, Array Networks, Brocade, DB Networks, ditno., Indusface, Instart Logic, Kemp Technologies, ModSecurity, Nginx, Piolink, Qualys, Sangfor, Sucuri, SiteLock, Venustech, Verizon and Zenedge.
The adjacent markets focusing on web application security continue to be innovative. This includes the nascent RASP market and other specialized vendor initiatives. Those vendors take part in web application security, but often focus on specific market needs, or take an alternative approach to web application security. Examples include Armeron, Signal Sciences and Shape Security.
Ability to Execute
Product or Service: This includes the core WAF technology offered by the technology provider that competes in/serves the defined market. This also includes current product or service capabilities, quality, feature sets, and skills, whether offered natively or through OEM agreements/partnerships, as defined in the Market Definition/Description section. Strong execution means that a vendor has demonstrated to Gartner that its products or services are successfully and continually deployed in enterprises. Execution is not primarily about company size or market share, although these factors can considerably affect a company's ability to execute. Some key features, such as the ability to support complex deployments (including on-premises and cloud-based options) with real-time transaction demands, are weighted heavily. Product evaluation also considers adjacent security functions such as (but not limited to) DDoS protection services, fraud detection, anti-bot, threat intelligence feeds, CASB and AST, which might be bundled or integrated with WAFs. Integration with other markets is evaluated too, but only lightly.
Overall Viability: This includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue to invest in WAF, offer WAF products and advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: This is the technology provider's capabilities in all presales activities and the structure that supports them. It includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. It also includes deal size, as well as the use of the product or service in large enterprises with critical public web applications, such as banking applications or e-commerce. Low pricing will not guarantee high execution or client interest. Buyers want good results more than they want bargains. Buyers balance WAF security requirements and pricing, and don't consider best pricing only.
Market Responsiveness/Record: This is the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and security trends and customer needs evolve. It covers a vendor's responsiveness to new or updated web application frameworks and standards, as well as its ability to adapt to changes in market dynamics (such as the relative importance of PCI compliance). This criterion also considers the provider's history of releases, but weights its responsiveness during the most recent product life cycle higher.
Marketing Execution: This is the clarity, quality, creativity and efficacy of programs that are designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in buyers' minds. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word of mouth and sales activities.
Customer Experience: This assesses the relationships, products and services/programs that enable clients to be successful with the products that are evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: This is the organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Table 1. Ability to Execute Evaluation Criteria (the table body did not survive extraction; only its first criterion, Product or Service, is recoverable). Source: Gartner (July 2016)
Completeness of Vision
Market Understanding: This is the technology provider's ability to understand buyers' wants and needs, and to translate them into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance them with their added vision. They also determine when emerging use cases will greatly influence how the technology has to work.
Marketing Strategy: This is a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: This is the strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates to extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. The ability to attract new customers whose need is web application security only has a strong influence on this criterion.
Offering (Product) Strategy: This is the technology provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. As attacks change and become more targeted and complex, we highly weight vendors that move their WAFs beyond rule-based web protections that are limited to known attacks. For example:
Enabling a positive security model with automatic and efficient policy learning
Using a weighted scoring mechanism based on a combination of techniques
Providing dedicated protection techniques on emerging web application use cases, such as mobile application front-end and DevOps environments
Countering evasion techniques actively
This criterion includes the evaluation of the depth of features, especially features that ease the management of the solution, and the integration with other solutions, including DDoS protection services and emerging technologies like CASB.
Business Model: This is the soundness and logic of a technology provider's underlying business proposition.
Vertical/Industry Strategy: This is the technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. This criterion is not rated this year.
Innovation: This is the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. It includes product innovation and quality differentiators, such as:
New methods for detecting Web attacks and avoiding false positives
A management interface, monitoring and reporting that contribute to easy web application setup and maintenance, better visibility, and faster incident response
Integration with companion security technologies, which improves overall security
Geographic Strategy: This is the technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography — either directly or through partners, channels and subsidiaries — as appropriate for those geographies and markets.
Table 2. Completeness of Vision Evaluation Criteria (the table body did not survive extraction; only the Offering (Product) Strategy criterion is recoverable). Source: Gartner (July 2016)
The Leaders quadrant contains vendors that have the ability to shape the market by introducing additional capabilities in their offerings, raising awareness of the importance of those features and being the first to do so. They also meet the enterprise requirements for the different use cases of web application security.
We expect Leaders to have strong market share and steady growth, but these alone are not sufficient. Key capabilities for Leaders in the WAF market are to ensure higher security and smooth integration in the web application environment. They also include advanced web application behavior learning; a superior ability to block common threats (such as SQLi, XSS and CSRF), protect custom Web applications and avoid evasion techniques; and strong deployment, management, real-time monitoring and extensive reporting. In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements and evolution in Web applications that will require paradigm changes.
Challengers in this market are vendors that have achieved a sound customer base, but they are not leading on security features. Many Challengers leverage existing clients from other markets to sell their WAF technology, rather than competing with products to win deals. A Challenger may also be well-positioned and have good market share in a specific segment of the WAF market, but does not address (and may not be interested in addressing) the entire market.
The Visionaries quadrant is composed of vendors that have provided key innovative elements to answer web application security concerns. They devote more resources to security features that help protect critical business applications against targeted attacks. However, they lack the capability to influence a large portion of the market, they haven't expanded their sales and support capabilities on a global basis, or they lack the funding to execute with the same capabilities as vendors in the Leaders and Challengers quadrants. Visionaries also have a smaller presence in the WAF market, as measured by installed base, revenue size or growth, or by smaller overall company size or long-term viability.
The Niche Players quadrant is composed primarily of smaller vendors that provide WAF technology that is a good match for specific WAF use cases (such as PCI compliance), or those that have a limited geographic reach. The WAF market includes several European and Asian vendors that serve clients in their regions well with local support and an ability to quickly adapt their roadmaps to specific needs; however, they do not sell outside their home countries or regions. Many Niche Players, even when they build large-scale products, offer features that suit only the needs of SMBs and smaller enterprises.
Niche Players may also have a small installed base or be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investments or capabilities, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on a vendor's value in the more narrowly focused service spectrum.
Gartner generally recommends that client organizations consider products from vendors in every quadrant of this Magic Quadrant, based on their specific functional and operational requirements. This is especially true for the WAF market, which includes a large number of relatively small vendors, or larger vendors, but with a small share of their revenue coming from their WAF offerings. Product selection decisions should be driven by organization-specific requirements in areas such as deployment constraints and scale, the relative importance of compliance, the characteristics and risk exposures of business-critical and custom Web applications, and the vendor's local support and market understanding.
Security managers who are considering WAF deployments should first define their deployment constraints, especially:
Their tolerance for a full in-line reverse proxy with blocking capabilities in front of the web applications
The benefits and constraints of the different WAF delivery options: dedicated appliances, CDNs, ADCs and cloud services
SSL decryption/re-encryption and other scalability requirements
For more information on WAF technology selection and deployment challenges, see "Web Application Firewalls Are Worth the Investment for Enterprises."
Gartner estimates that the WAF market totaled about $516 million in 2015, representing a growth of 21% compared to a slightly revised 2014 estimate, due to improved visibility of Asian vendors. The Americas represent 45% of the total market, EMEA accounts for 26% of the market, and the Asia/Pacific region accounts for 29%. In 2015, Gartner observed three big trends in the WAF market:
Good average growth hides a more complex market situation: Gartner estimates that physical appliance sales, and WAF sales from ADC vendors, have grown slower than average, whereas cloud-based WAF sales grow much faster, but from a smaller base.
Mobile application security and bot management are rising as new core use cases for WAF platforms, driving WAF vendors' roadmaps toward API security features and inclusion of reputation feeds.
Little innovation has occurred during the last 12 months, with most vendors focusing on supporting new web standards or expanding to new use cases.
Appliance-based WAF adoption continues to grow, with renewals, upgrades and new clients, but at a much slower pace than its SaaS counterparts. Appliance-based WAFs often have a larger palette of security features; can address multiple use cases with a mix of public-facing, partner-facing and internal applications; and can be integrated with WAFs, or on ADC platforms for better value. The complexity of large-scale deployment is a competitive disadvantage against cloud services, but better customization capabilities and unique security features give appliances an advantage over SaaS WAF in many client evaluations.
The potential for future growth is still there with new promising use cases like mobile application security and the nascent Internet of Things markets. Industry reports, such as Verizon Data Breach Investigations Reports, continue to highlight web applications as a growing attack pattern leading to a data breach (up to 82% in the finance sector),[1] increasing general awareness of web application security risks in the market. Downward trends for WAF adoption include budget priority given to other more visible budgets, such as malware prevention, complexity of the effective deployment and monitoring of WAF technology, and fragmentation of the value proposition in the web application security market. Security managers continue to face too many point solutions to choose from to address web application security issues (AST, CASB for SaaS security, DDoS protection, WAM, online fraud detection, database security and RASP). RASP specifically aims at becoming an application-centric alternative to WAF, and more vendors entered this market during 2015 and the first half of 2016. Gartner expects RASP providers to more heavily target and compete with traditional WAF provider technologies as they continue to grapple with budget preferences for WAF technology.
Enterprises Need a Next-Generation WAF, but the Vendors Are Missing
With a growing number of WAF upgrades, the selection process includes more stringent requirements, as a result of the experience gained from previous WAF projects. Enterprises need next-generation web application security. WAF products are not there yet. For some vendors, the challenge will be insurmountable. Many WAF vendors struggle to catch up with new web standards. Few innovations have been released during the last 12 months, partly because of long software release cycles of every 18 to 24 months. One example of slowing innovation is the introduction of IP reputation feeds, positioned by vendors as an innovation, whereas IP reputation has been available for a long time on other security platforms (firewall, IPS, secure web gateway [SWG] and SIEM). Many vendors maintain their investment in WAF technology at a good-enough level to follow the evolution of the web standard but, with time, move closer to "good enough only," making it harder to win against platforms integrating a WAF as one of many features. Average WAF technology is more likely to quickly lose market share against emerging cloud WAF services and innovative web application security startups. Shared threat intelligence is rarely available for WAFs, even if cloud WAF efforts to gather attack data from their existing customers are slightly more mature.
A few SaaS WAF vendors have released bot management features, in addition to the existing DDoS mitigation and CDN modules that are more frequently available. Bot mitigation is a growing concern, especially for large B2C web applications, but WAF vendors face the competition of specialized startups.
Gartner clients also often complain about WAF reporting for security analysts, and the limited automation available to remediate attacks or fix false positives. Reliance on positive security models (whitelists or policies derived from automatic web application behavior learning engines) in prevention mode and automatic deployment of virtual patches are rare, and are signs of security teams' aversion to any risk of incident that could disrupt business applications. These perceived limitations profit the vendors of some MSSP offerings, which increasingly convince organizations to subscribe to their managed WAF service. Protection of internal applications remains a secondary concern, handled by security technologies other than WAF for many organizations. Even when a WAF is deployed in front of internal applications or between public-facing web applications and privileged users, WAF technology rarely offers sufficient user behavior monitoring to detect legitimate credential abuse or data exfiltration.
The Future of WAF Is Brighter in the Cloud
Cloud WAF service is the fastest-growing segment of the WAF market. Many vendors add SaaS services to their portfolio with mixed results in quality and ease of use. Simplicity and fast provisioning are key advantages for cloud WAF services, while customization is not. Some vendors win deals by talking about their ability to share threat data in real time, and quickly fix potential false positives or update policies using heavy automation based on machine learning results. However, vendor claims of machine learning and threat intelligence can be overoptimistic when evaluated against real production traffic.
Still, the promise of more automated and risk-based defense layers appeals to enterprise security buyers, expanding cloud WAF beyond its initial midmarket fit. Privacy concerns will continue to slow down adoption in some regions and some vertical accounts, but Gartner does not observe that to the point where privacy would be a strong inhibitor for the entire market. Many SaaS WAF offerings continue to lag behind in many enterprise-appropriate features, such as heavy policy customization, integration with SIEM systems for monitoring and identity awareness with IAM solutions.
Because applications continue to move to private and public cloud infrastructure, adopting a cloud-based WAF becomes a more natural choice. SaaS WAF services grow faster than virtual appliances for new applications, especially applications developed following agile principles, such as DevOps and short release cycles. Virtual appliances are more frequent in more traditional approaches trying to reproduce on-premises data centers in a virtualized private cloud. The need for managing hybrid scenarios (on-premises and hosted applications), starting with a unified monitoring console, exists, but has not yet been adequately addressed by providers in the WAF marketplace. Organizations developing new applications in the cloud do so frequently as part of autonomous projects, and different dashboards are often accepted as a compromise. Still, enterprises considering SaaS WAF frequently request integration with their existing SIEM solutions. A few vendors start to offer managed services along with their WAF offering, triggering limited client interest so far for on-premises WAFs, because it competes with the use of a global MSSP and existing MSSP offerings, including a WAF product. Longer term, it could attract more enterprise clients, especially for SaaS WAF deployment, as web application security skills remain scarce and difficult to hire. Providing the ability to sell the service and the security monitoring in a single bundle, even if expensive, can help in building a business case for WAFs.
While increased usage of SaaS applications could be a threat for appliance-based WAFs, SaaS WAF services and WAF providers with comprehensive authentication features could be, in theory, well-positioned to compete against the CASB concept.
[1] Verizon 2016 Data Breach Investigations Report (http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/), Figure 22.
Evaluation Criteria Definitions
Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.
© 2016 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services (/technology/about/policies/usage_guidelines.jsp) posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Gartner provides information technology research and advisory services to a wide range of technology consumers, manufacturers and sellers, and may have client relationships with, and derive revenues from, companies discussed herein. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity. (/technology/about/ombudsman/omb_guide2.jsp)"