Web Application Firewalls Are Worth The Investment

by Sohini Bagchi    Jun 20, 2014

application security

Today most cyber attacks take place at the web application layer. While companies are often advised to deploy next-generation firewalls and intrusion prevention systems, Web application firewalls (WAFs) are turning out to be a new area of growth for enterprises. Experts believe WAFs protect an enterprise's custom web applications against Web attacks at a granular level, and that this is an area security leaders should get serious about in order to secure their enterprise from persistent cyber security threats.

Regulation drives growth

A recent Frost & Sullivan report notes that the Asia-Pacific region is driving the demand for WAFs, owing to the growing reliance on Web applications coupled with vulnerability to persistent cyber-attacks. The overall market growth rate is expected to peak in the next two years as the proliferation of devices connected through various channels makes organizations easier targets for cyber attackers, says the report. It shows that the WAF market earned revenues of $115.6 million in 2013 in the region and estimates this to reach $666.2 million in 2020 at a CAGR of 28.4 percent.

One of the key factors contributing to this market growth is the need to meet PCI DSS regulatory standards. “With the payment card industry data security standard now enforced in many countries, solutions such as WAF are considered a necessity for compliance,” said Frost & Sullivan ICT Research Manager Cathy Huang. Huang states that the WAF market has also been witnessing the integration of security functionalities, not only in Asia Pacific but globally, leading to greater adoption in the coming quarters.

Gartner, too, in a recent report recommends that security leaders assess the need for WAFs based on the business impact of each Web application: public facing, partner facing or internal. Stating that 75% of cyber attacks take place at the web application layer, Gartner researchers say that when intrusion prevention and firewalls are deployed, the WAF is most often the only technology that inspects encrypted and unencrypted inbound Web traffic.

Currently, key vendors dominating this market space are Cisco Systems, Citrix Systems, F5 Networks, Fortinet, Imperva, and Juniper Networks, to name a few, besides a number of smaller specialized players. One such niche company is IndusGuard, which guarantees zero WAF false positives and caters mainly to the BFSI sector.

“With changes taking place so frequently on web applications, it is extremely difficult for security teams to stay ahead of them, whilst ensuring vulnerabilities are kept at bay. IndusGuard WAF offers an excellent line of defense for such applications and provides protection against a wide range of attack vectors,” said Ashish Tandon, Chairman & CEO, Indusface.

Hurdles in adoption

Despite the bright prospects, complexities in WAF management may hold some enterprises back from investing in these solutions, notes the Frost & Sullivan report. Huang notes that this, in turn, will give managed security service providers an opportunity to provide WAF-as-a-service, eating into the share of traditional WAF vendors.

Nevertheless, increased competition in this highly fragmented domain will drive the market forward, as more affordable and flexible products are made available, especially for small and medium businesses. Many traditional security vendors, too, are now offering WAF solutions as add-ons to their existing security platforms.

“To avoid falling behind the competitive curve, vendors will design multi-faceted WAF solutions with capabilities extended to database security, distributed denial-of-service protection, anti-scraping, and authentication,” Huang states.

Gartner, too, recommends that while security leaders should assess the need for WAFs based on the business impact of each Web application (public facing, partner facing or internal), the technology should be deployed in combination with application security testing to get the desired value.

An integrated approach will lead to comprehensive, yet simple-to-manage, multi-layered security that can widen the consumer base in the WAF market, believe experts.