Magic Quadrant for Web Application Firewalls
15 July 2015 ID:G00271692
Analyst(s): Jeremy D'Hoinne, Adam Hils, Greg Young
The WAF market is growing quickly, with a range of deployments from "good enough" to more complex WAF deployments aiming at high security. Enterprise security teams should evaluate how WAFs can provide improved security, require tolerable staff involvement and integrate in their security ecosystem.
Market Definition/Description
This document was revised on 3 August 2015. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
The WAF market is driven by a customer's need to protect internal and public Web applications when they are deployed locally (on-premises) or remotely (hosted, cloud or as a service). WAFs are deployed in front of Web servers to protect Web applications against external and internal attacks, to monitor access to Web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically it was the only way to perform some in-depth inspections. Nowadays, other deployment modes exist, such as transparent proxy, bridge mode, or the WAF being positioned out of band (OOB or mirror mode) and, therefore, working on a copy of the network traffic.
The primary WAF benefit is providing protection for custom Web applications' "self-inflicted" vulnerabilities in Web application code developed by the enterprise. These vulnerabilities would otherwise go unprotected by other technologies that guard only against known exploits and prevent vulnerabilities in off-the-shelf Web application software (see "Web Application Firewalls Are Worth the Investment for Enterprises").
Secondarily, WAFs also integrate with other application and network security technology, such as application security testing (AST), distributed denial of service (DDoS) protection appliances, Web fraud detection and database security solutions. In addition, WAFs sometimes include performance acceleration, including content caching, and might be packaged with Web access management (WAM) modules to include authentication features — notably to provide single sign-on (SSO) for legacy or distributed Web applications.
To be considered for this Magic Quadrant, vendors must actively sell and market WAF technology to end-user organizations. The technology should include protection techniques that have been designed for Web security, beyond signatures that can be found in next-generation firewalls and IPSs. WAF products should support single and multiple Web server deployments. This Magic Quadrant includes WAFs that are deployed in front of Web applications and are not integrated directly on Web servers. This includes:
- Purpose-built physical, virtual or software appliances
- WAF modules embedded in application delivery controllers (ADCs; see "Magic Quadrant for Application Delivery Controllers")
- Cloud services or virtual appliances available on infrastructure as a service (IaaS) platforms
The ability of WAFs to integrate with other enterprise security technologies — such as application security testing, database monitoring, or security information and event management (SIEM) — is often one of the indicators that reflects a strong presence in the enterprise market. Consolidation of WAFs with other technologies, like ADCs or anti-DDoS cloud services, brings its own benefits and challenges, but this market evaluation primarily focuses on the buyer's security needs when it comes to application security. This notably includes how WAF technology:
- Maximizes the detection and catch rate for known and unknown threats
- Minimizes false alerts (false positives) and adapts to continually evolving Web applications
- Ensures broader adoption through ease of use and minimal performance impact
In particular, Gartner scrutinizes these features and innovations for their ability to improve Web application security beyond what a next-generation firewall, IPS and open-source WAF (such as ModSecurity and IronBee) would do.
Magic Quadrant
[Figure: Magic Quadrant for Web Application Firewalls (vendor positioning chart, not reproduced here). Source: Gartner (July 2015)]
Vendor Strengths and Cautions
AdNovum
AdNovum, based in Zurich, Switzerland, provides application development and security services. AdNovum's Nevis Security and Compliance Suite includes WAF (nevisProxy), authentication, identity management and document signing, and was first shipped in 1997. The nevisProxy WAF is delivered as a software appliance. AdNovum provides a reporting solution for its Nevis Suite, including the WAF, based on the Elasticsearch, Logstash and Kibana (ELK) stack, and integration with SIEM is available for Splunk. No integration with third-party vulnerability scanner, fraud detection or database audit technologies is available.
AdNovum is assessed as a Niche Player because it operates in a limited number of countries, has a stronger focus on WAM use cases and is not frequently cited on WAF shortlists. European enterprise buyers in need of a combined WAM and WAF solution to protect custom applications should consider AdNovum on their competitive shortlists, but should first verify its local presence.
Strengths
- The Nevis Suite includes robust authentication and SSO features. Its centralized management (nevisAdmin) is available at no additional charge and is multitenancy-capable.
- AdNovum has proven experience with large organizations in Switzerland, including financial institutions. It provides free licensing for test servers and unlimited flat-rate agreements for very large deals.
- Surveyed clients like the automatic policy learning module and the advanced security features, like URL encryption, CSRF token injection and form signature.
Cautions
- AdNovum's vision of WAF is as an integrated component, serving more than application security needs, with a stronger focus on WAM features. This limits the efforts devoted to the WAF roadmap and could impact the future ability to defend against advanced threats.
- AdNovum does not appear on Gartner clients' shortlists for WAF outside of Switzerland. The maturity of its channel program lags behind other vendors. Prospective customers should verify the availability of local technical support and request references from peer organizations.
- AdNovum lacks a standard hardware appliance offering that many of its competitors provide. A hardware appliance can, however, be provided by the vendor upon request. Clients report that initial configuration can be complex, but they cite recent improvements.
- Protections against SQL injection and cross-site scripting (XSS) are focused primarily on ModSecurity open-source or commercial signatures, with no complementary threat research or reputation/threat intelligence feeds. Surveyed clients report that fine-tuning of the default signature set is necessary to avoid frequent false positives.
Akamai
Akamai (AKAM) is based in Cambridge, Massachusetts, and provides a leading content delivery network (CDN). Its network and cloud security services, including its WAF (Kona Site Defender), are built on top of the Akamai Intelligent Platform, its global cloud infrastructure. The Kona Site Defender has been available since 2009. Akamai's management and monitoring consoles (Luna Control Center and Security Monitor) are also delivered as Web portals.
Akamai's WAF is delivered as a service with a monthly fee, based on performance requirements and the number of protected Web applications. Additional subscriptions are available to limit the extra costs in case of volumetric DDoS attacks (DDoS Fee Protection), and to get assistance with Web security rule updates and tuning (Rule Update Service). Akamai also provides tools to help its clients with compliance requirements. Akamai's WAF is available as a cloud service only, primarily used to protect public-facing Web applications.
In 2014, Akamai completed the acquisition of DDoS protection service Prolexic Technologies, and released a new IP reputation feed called Client Reputation as a paid option. The vendor has also recently made available a managed service offering (Managed Kona Site Defender Service).
Akamai is evaluated as a Challenger because of its strong presence on WAF shortlists for public-facing Web applications. The Kona Site Defender is a good choice for large-scale Web applications with simple WAF deployment requirements and for existing Akamai customers as an extension to deployed Akamai solutions.
Strengths
- Combining application and volumetric DDoS protection with a Web application firewall is a differentiator, allowing for a "one-stop" Web server security platform.
- Kona Site Defender is well-suited for use cases where detection and alerting are the priorities. Akamai leverages its visibility into a substantial share of Internet traffic, with multiple steps for anomaly detection that feed a scoring mechanism, including IP reputation scoring.
- Akamai has a growing presence on WAF shortlists. Clients cite ease of deployment, low maintenance workload and performance as reasons to select the vendor's WAF.
- Akamai has increased its security credibility recently through continued visibility and threat research into high-profile Web-based attacks.
Cautions
- Akamai's WAF is available as a cloud service only. It does not provide the on-premises appliance option that many of its competitors offer to protect internal applications, or to maintain Secure Sockets Layer (SSL) secrets on the clients' corporate network.
- Although all cloud-based WAFs are less configurable and have less behavioral detection, Gartner clients consistently rate Kona as having the least capability. They also cite the high price, compared to other cloud WAFs, as a major reason to discard Akamai during evaluation.
- Akamai lacks lower-price WAF subscriptions to reach smaller enterprises and midsize organizations, which is a mismatch given that small and midsize businesses (SMBs) have a greater preference for cloud-based WAFs than large enterprises do.
- Kona Site Defender security still relies primarily on signatures and reputation scoring. It is, in general, less suited to use cases primarily requiring blocking or active response. It lags behind competitors in other capabilities, such as an automatic learning engine and the degree of custom configuration of Web application behavior.
- The Akamai-owned Prolexic DDoS service is viewed as a premium service overlapping with Akamai's own cloud DDoS protection service. This can make deciding on a DDoS protection solution more difficult for enterprise clients with high-security requirements that are already using the Kona WAF.
Barracuda Networks
Based in Campbell, California, Barracuda Networks (CUDA) offers a wide variety of information security products that are largely targeted at SMBs. Barracuda delivers its Web Application Firewall line in three primary form factors: 10 appliance models (five core models, each available in two versions) with up to 4 Gbps of throughput; a virtual appliance; and a cloud-based service that can be deployed on the Microsoft Azure, Amazon Web Services (AWS) and VMware vCloud Air platforms.
During the last few months, Barracuda released support for JavaScript Object Notation (JSON) inspection, URL encryption, SAML 2.0 and an updated management console for its WAF line.
Barracuda Networks is evaluated as a Challenger because of its ability to win WAF deals based on cost-effective prices and good-enough security. Resource-strapped security teams, and SMB buyers that require a cost-effective solution and attentive vendor support, should consider this product.
Strengths
- Barracuda has a very broad range of platform options, and is one of the few vendors to offer a WAF on the Azure and vCloud Air platforms. Having an XML firewall on the same platform is likely of interest to SMBs (which are more likely to combine Web and application servers).
- Barracuda's WAF provides strong IP reputation, cookie protection and client fingerprinting capabilities. It also combines embedded authentication features and integration with several third-party authentication solutions.
- Barracuda customers rate its geographically distributed support capabilities quite highly. Clients also like the availability of a free evaluation unit and the Instant Replacement Service program, which facilitates the upgrade of WAF appliances after four years.
- The vendor offers a wide range of foreign language support in its management interface, including many European languages that other local vendors don't provide, as well as Mandarin, Cantonese, Japanese and Korean.
Cautions
- Gartner observes a consistent critique that the management interface is challenging to use. We have yet to receive client feedback on the updated management console introduced with WAF v.7.9.
- Barracuda's WAF lags behind its leading competitors in security automation. The result of vulnerability scans must be imported manually. Automatic learning capabilities are disabled by default and need to be re-enabled after an application change.
- Gartner has observed very few mentions of the Barracuda WAF on Gartner enterprise client shortlists, but it is frequently cited as the legacy WAF in WAF upgrade selections.
- There are currently no 5 Gbps or 10 Gbps models to support enterprise use cases.
Citrix
With headquarters in Santa Clara, California, and Fort Lauderdale, Florida, Citrix (CTXS) is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions. Citrix has offered WAF functionality (NetScaler AppFirewall) for more than a decade as a software option, or included in the Platinum Edition of the NetScaler Application Delivery Controller (ADC) suite. The Citrix hardware appliance product line (NetScaler MPX) can also run a license-restricted version of the full NetScaler software to act as a stand-alone WAF. In addition, Citrix provides a line of virtual appliances (NetScaler VPX). The NetScaler SDX platform allows several instances of Citrix solutions, including ADC and NetScaler AppFirewall software in a single hardware appliance. NetScaler can also be bundled in Citrix Mobile Workspace offerings.
In 2014, Citrix released several new NetScaler platforms (MPX 5650, MPX 8005, MPX 11515, MPX 11520 and MPX 11540) with improved performance. Some of these included a new streaming support feature, released to enhance performance.
Citrix is assessed as a Challenger because it mainly serves its current customers looking for good-enough WAF capability and has relatively low visibility in WAF selection based on security. NetScaler AppFirewall is a good choice for organizations looking for an easy way to add WAF functionalities to their existing Citrix infrastructures.
Strengths
- NetScaler AppFirewall includes mature features for Web security, and can be bundled with SSL VPNs for remote access to internal applications.
- NetScaler's ability to scale appeals to large organizations, especially when massive SSL offloading is required.
- Citrix has started investing more heavily in go-to-market activities, which should enhance an already capable and extensive network of channel partners. Gartner expects Citrix's WAF to become much more visible to a wider range of Gartner clients.
- The vendor offers an extensive range of hardware (MPX/SDX) and virtual (VPX) appliances, and continues to invest, with five new MPX appliances released in 2014.
Cautions
- Like most ADC vendors, Citrix primarily targets enterprise clients with ADC solutions and does not focus its efforts on pure-play security use cases. However, the new MPX releases indicate a potential shift in focus to encompass pure-play security use cases.
- Citrix appears less often on Gartner clients' shortlists than its direct competitors. In a survey of WAF vendors, Citrix is not one of the most-listed competitive threats.
- Despite an adaptive discount strategy, cost is often cited as a reason for midsize organizations to select another WAF vendor, if the target organization is not already using Citrix.
- The vendor does not offer or collaborate with cloud-based DDoS protection services.
- Gartner does not see Citrix's WAF displacing the competition based on its security capabilities, but rather sees it as an accompanying sale for ADC placements.
DBAPPSecurity
DBAPPSecurity, headquartered in Hangzhou, China, is a vendor of Web application and database security solutions. Its product offering includes a WAF (DAS-WAF) that was first released in 2007. DBAPPSecurity also provides Web application and database vulnerability scanners (DAS-WebScan and DAS-DBScan), along with a database audit platform (DAS-DBAuditor).
In 2014, DBAPPSecurity refreshed its hardware appliance product line with four new models and also released DAS-WAF v.4.0.
DBAPPSecurity is assessed as a Niche Player because it primarily sells its WAF solution to midmarket organizations in China only. DBAPPSecurity is a good shortlist candidate in China for SMBs and smaller enterprises in financial and government sectors.
Strengths
- DAS-WAF includes automatic policy learning and Web application caching, and it can operate in reverse-proxy, transparent proxy or monitoring mode.
- Clients mention good price and local presence as reasons to select DAS-WAF.
- DAS-WAF can integrate with the vendor's vulnerability scanner and database security products.
Cautions
- DBAPPSecurity's WAF lags behind several competitors' WAFs in areas such as role-based management, detailed activity reports and authentication features. Clients mention that the management and reporting consoles require improvements.
- DBAPPSecurity has very limited market visibility and does not appear on Gartner clients' WAF shortlists outside of China. It serves primarily midsize organizations.
- The vendor did not provide international client and value-added reseller (VAR) references to Gartner. There is limited information available on the international version of its website. Prospective customers considering DBAPPSecurity WAF outside of China should request peer references, check vendor and channel expertise, and perform a proof of concept before purchase.
- DBAPPSecurity's strategic focus is on its security scanners. DAS-WAF's recent updates and roadmap are limited to marginal improvements.
DenyAll
DenyAll is based in Sèvres, France, and has marketed its WAF technology (rWeb) since 2001. Later, it added sProxy (a plug-in to rWeb with predefined policies for email, SharePoint and SAP) and rXML (a Web services firewall). Following the acquisition of French WAF vendor BeeWare in May 2014, DenyAll continues to offer two WAF product lines, now called DenyAll rWeb and DenyAll WAF. Its portfolio also includes DenyAll WAM, DenyAll Web Service Firewall (WSF) and DenyAll Vulnerability Manager. DenyAll WAFs are currently deployed predominantly on-premises, although they are available as a managed service through a small group of managed security service partners (MSSPs). The WAF technology can be deployed as software or an appliance (physical or virtual). DenyAll WAFs are already available via AWS and Microsoft Azure. The vendor also provides a cloud-based WAF ("as a service") called Cloud Protector.
DenyAll mostly focuses on the French market, and also on the European market, where it primarily targets midsize and large enterprises in the financial, utility and government sectors. Despite the BeeWare acquisition, DenyAll remains a relatively small vendor in the WAF market, but is able to sustain a focus on technology innovation.
DenyAll is assessed as a Visionary, because it manages to win WAF evaluations based on its WAF security features and to maintain a steady pace of security developments. European organizations that are looking for high security first should consider adding DenyAll to their shortlists.
Strengths
- DenyAll's customers list high-quality support and responsiveness to feature requests as a reason to select the vendor.
- DenyAll's technology includes several advanced protection techniques, including JSON traffic analysis/protection, code leakage detection and a lightweight browser agent.
- DenyAll wins deals among Type A security-conscious prospects. Its ambitious roadmap indicates a continued focus on security-first customers.
- The vendor also offers a comprehensive list of anti-evasion techniques and a scoring list feature (a weighted scoring approach in addition to signatures) for protection against attacks, such as SQL injection (SQLi) and cross-site scripting (XSS).
- DenyAll enables correlation between its WAF and dynamic application security testing (DAST) to increase the accuracy of detection and protection.
Cautions
- DenyAll mainly focuses on the French and EU markets, which limits its visibility and adoption in other geographies. Through partners, it has expanded its reach into certain Middle Eastern, South American and Southeast Asian nations, and is looking to increase its U.S. presence.
- Gartner has not yet observed any negative impact coming from the acquisition of BeeWare on DenyAll's WAF security roadmap, but the acquisition has already presented challenges for legacy BeeWare customers. It is difficult to find BeeWare product information on the combined website, and the product life cycle for those products is unclear.
- DenyAll's organic growth is low compared with the Leaders, Challengers and even some Niche Players in this Magic Quadrant.
- DenyAll's reporting and logging are areas that customers say need improvement.
- DenyAll's correlation process between WAF and DAST mainly focuses on integration with its own DAST, not with DAST from other application security testing vendors. Therefore, the value of the integration depends on DenyAll's ability to continually improve its DAST product.
Ergon Informatik
Swiss vendor Ergon Informatik, headquartered in Zurich, Switzerland, has been shipping its WAF technology (Airlock WAF) for more than 15 years. In 2015, Ergon rebranded its product offering, creating the Airlock Suite, which includes WAF, IAM and the more basic authentication module, Airlock Login. Airlock WAF can be deployed as a reverse proxy; is available as a hardware, software or virtual appliance; and can run on Amazon Elastic Compute Cloud (EC2). Its pricing is primarily based on the number of protected Web applications and additional modules, such as SSL VPNs, XML security or graphical reports, which are available for an additional one-time fee.
Ergon Informatik is assessed as a Niche Player mainly because most of its Airlock WAF wins are in Europe and many of them are based on the perceived combined value of WAF and one of its authentication modules. The vendor is a viable shortlist candidate for organizations' WAF projects, especially large banking and insurance enterprises in Europe and the Middle East that have access management needs.
Strengths
- Ergon Informatik's customers give good scores for the efficiency of its support and the robustness of the WAF solution when deployed in production environments.
- Airlock's most recent update made it easier to manage security signatures and improved the visibility over security features for the administrator of the WAF component.
- Airlock includes extensive techniques for Web application parameters, with URL encryption, various cookie protections (including a cookie store) and form parameter integrity checks.
- Airlock's integration of a full IAM solution adds comprehensive authentication and SSO features. Airlock Login — its simplified version — provides a cost-effective alternative.
Cautions
- Airlock lacks some of the advanced security features that enterprises might require, including automatic policy learning and CSRF token injection.
- Airlock does not offer centralized management and has a lower number of WAF deployments protecting a large number of different Web applications than the Leaders and Challengers in this Magic Quadrant.
- Airlock provides only a Splunk App, but the vendor reports that its customers have integrated with the leading SIEM technologies.
- Airlock has very low visibility among Gartner's client base.
F5
Seattle-headquartered F5 (FFIV) is an application infrastructure vendor that is focused on ADCs. The primary WAF offering is a software module called Application Security Manager (ASM) for the F5 Big-IP ADC platform, often sold as a component of F5's Best bundle of services. Other F5 security modules include the network firewall Advanced Firewall Manager (AFM), the Access Policy Manager (APM) module, and the more recent Secure Web Gateway services and WebSafe Web fraud protection services. ASM is also available on the virtual edition of Big-IP. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF).
F5 introduced several new WAF models in 2014. It also introduced new features, including the ability for ASM to integrate with the new Silverline anti-DDoS service. In the first half of 2015, it added the Silverline WAF service as a cloud-delivered service.
F5 is assessed as a Challenger because of its strong ability to sell WAF as a companion to its ADC module. F5 has more limited success when it tries to displace Leaders when WAF evaluations put the highest weight on security features. The vendor is a good shortlist candidate, especially for large organizations that value automated attack identification, and that own or are considering ADC technology.
Strengths
- Surveyed customers list WAF integration with ADC and other F5 functions as the most prominent criterion for selecting F5 ASM. Many Gartner clients have reported that F5 ASM has been a differentiator in their ADC decisions.
- F5's corporate teams and channels provide logistical capabilities and support that are greater and have more geographic coverage than those of the majority of WAF vendors.
- ASM utilizes the same management software that is familiar to F5 administrators. iRules scripting enables the creation of custom policies that complement the predefined rule sets.
- F5 has been active in adding new WAF features, including alert scoring for easier triage and geo-IP-based challenges. F5 also messages well on overall security.
- As a leading ADC vendor with a large installed base of clients, F5 leverages the scalability of its ADC Big-IP platforms and the strength of its ADC sales as the entry point for add-on WAF licenses. This gives existing F5 clients an easy path to add WAF to their security portfolio.
Cautions
- Users report difficulty in initial configuration and policy tuning, and report some difficulty maintaining things like reporting history and automated policy after reboot. Some Gartner clients have commented that ASM support can be challenging until escalated.
- Like other ADC-based WAFs, F5's WAF buyers are most likely to consider its WAF as a feature add-on to the accompanying ADC in reverse-proxy mode. This places F5 at a potential disadvantage versus pure-play WAFs when prospects have an incumbent ADC from another vendor.
- Many surveyed VARs reselling F5 also have a pure-play WAF in their portfolio. Clients interested in F5's WAF for high-security deployments should get a confirmation that the selected partner is sufficiently skilled on the ASM module to support this use case.
Fortinet
Based in Sunnyvale, California, Fortinet (FTNT) is a significant network security and network infrastructure vendor. It started as a unified threat management vendor in 2000. It later expanded its portfolio to include multiple security offerings, including a WAF (FortiWeb, released in 2008), an ADC (FortiADC) and a database protection platform (FortiDB). The vendor remains most well-known for its FortiGate firewall, which is its most dynamic product line.
FortiWeb provides multiple deployment options with a physical or virtual (FortiWeb-VM) appliance, and acts as a reverse proxy, a transparent proxy or out of band (not in-line). It is also available on AWS and can be purchased as an on-demand instance. FortiWeb subscriptions include IP reputation, antivirus and security signature updates.
During the last 18 months, Fortinet released four incremental updates (v.5.1 to v.5.4), adding templates for well-known Web applications, support for perfect forward secrecy (PFS) cipher suites and integration with ArcSight SIEM. It also released an entry-level appliance, the FortiWeb 100D, and refreshed its high-end WAF appliances.
Fortinet is assessed as a Niche Player because, despite its large existing channel, its WAF solution did not succeed in broadly reaching enterprise WAF buyers. The vendor's current customers and midsize organizations should include Fortinet's WAF in their competitive assessments.
Strengths
- Clients cite vendor reputation, competitive prices and satisfaction with other products from Fortinet as reasons to purchase FortiWeb.
- FortiWeb relies on a solid hardware product line with accelerated SSL decryption. Straightforward documentation on product performance and limitations per deployment mode helps to ensure reliable product sizing practices across Fortinet's channel.
- Clients purchasing FortiWeb frequently use its antivirus engine for malware inspection on file-sharing Web services. Gartner expects the integration with sandboxing to further improve the relevance of FortiWeb for this use case.
- FortiWeb includes an integrated vulnerability scanner, OOB deployments and a good number of predefined reports.
- FortiWeb has a good set of features, including automatic policy learning, IP reputation (maintained by the FortiGuard team), cookie signing, SSL acceleration, Web application caching and bot detection.
Cautions
- FortiWeb is a secondary product for Fortinet compared to FortiGate, with only a narrow portion of the Fortinet channel actively selling its WAF. Gartner believes that local technical skills for FortiWeb are much scarcer than those for network firewalls.
- Clients report that deploying FortiWeb in nontrivial application environments might require a fair amount of fine-tuning for a prolonged period of time to avoid false positives.
- Fortinet does not offer WAF functionalities on top of its ADC, and does not provide a WAF as a cloud service. The vendor also does not offer some features that security-conscious organizations request, such as hardware security module (HSM) support or integration with DDoS cloud-based protection services. It integrates only with Acunetix DAST solutions.
- FortiWeb has limited integration with other Fortinet solutions, thereby limiting the benefits for current Fortinet customers mostly to a common log reporting solution (FortiAnalyzer).
- Fortinet's WAF rarely appears on WAF selection shortlists and is mostly seen in compliance-driven WAF selections.
Imperva
Headquartered in Redwood Shores, California, Imperva (IMPV) is a security vendor with a long WAF legacy under the SecureSphere brand. Other Imperva products are focused on data security, including products for database audit and protection, file activity monitoring, both application and volumetric DDoS prevention, and the Imperva Skyfence cloud access security broker (CASB). Imperva also has two packages for security monitoring and managed services of the SecureSphere and Incapsula WAFs.
Early on, Imperva positioned its WAF primarily as a transparent bridge deployment. This aligned it with enterprises, because deployments could more easily be made behind ADCs without introducing a second proxy, and "try before you buy" was easier with the transparent, yet in-line, mode, especially when incumbent ADCs were proposing their own WAFs. As most pure-play competitors were acquired or disappeared, Imperva continued to grow its share of the WAF market.
Imperva Incapsula is the cloud-based or as-a-service WAF that is bundled with other services, including DDoS mitigation. ThreatRadar is the family of add-on subscription services available for SecureSphere, delineated into four offerings: reputation, anti-bot, anti-fraud and community defense. The SecureSphere WAF is available for AWS, as a virtual appliance and on seven appliance models supporting up to 10 Gbps. Two models of physical and virtual appliances are also available for dedicated management.
Gartner sees a good attach rate level for Imperva's WAF with its database security offering. The vendor has a good third-party ecosystem, which includes data loss prevention, anti-fraud, SIEM and vulnerability scanners.
Imperva is assessed as a Leader, because it continually wins based on security features and innovations, and resists price pressure from direct competitors with the recognition of its premium offering. Imperva is a strong shortlist contender for organizations of all sizes, especially those with high-security requirements or those looking for an easy-to-deploy, cloud-based WAF.
Strengths
- Gartner sees Imperva consistently scoring very high and/or winning competitive assessments done by Gartner clients, with a high success rate when security, reporting and protection, rather than detection, are the most weighted criteria. Postsales, Gartner client commentaries also usually are very positive.
- Imperva has continually led the WAF market in new features that forced competitors to react; it also includes several advanced techniques for better efficiency of protection that its competitors lack. Thus, it is a good shortlist contender when protection is foremost and having a different vendor for WAFs and ADCs is an acceptable scenario. Clients' use of Imperva's "manager of managers" option is another sign of the vendor's presence in large deployments.
- The vendor has consistently and effectively messaged on and delivered WAF features in response to changes in the data center and the application threat landscape, such as the first integration between Incapsula WAF and Skyfence CASB. Imperva has done well in thought leadership and threat reporting for new Web-based attacks.
- Having the WAF-as-a-service Incapsula and on-premises SecureSphere options gives Imperva access to a larger addressable market in the enterprise and SMBs. This provides a transition path for clients whose application security needs change, and Incapsula is a good source to feed SecureSphere's threat intelligence (ThreatRadar Reputation Services).
- Like the on-premises SecureSphere, Incapsula continually scores high in Gartner client feedback versus other in-the-cloud WAFs.
Cautions
- As a premium enterprise product, Imperva SecureSphere is usually too advanced for SMBs, or for projects where the WAF is being deployed only as a "check the box" measure to meet compliance requirements. Enterprise clients cite SecureSphere's premium price as the main reason to select an alternate WAF solution. This is especially true when competing with ADC vendors.
- Although Imperva consistently scores highest in security capability, SecureSphere faces the most competition from WAFs provided by ADC vendors, which often already have products on-site with customers and can offer a WAF via a license key. These customers do not want to pay the premium for a point security product.
- Imperva's clients and prospects frequently feel pressure from Imperva's channel and sales team to integrate with its database solutions, which increases the total costs of Web application security projects and lengthens the purchase cycle with additional discussions between the data and network security buying centers for a yet unproven combined benefit.
- Clients report occasional frustration with Imperva's management console, which they find a bit dated, especially when deploying clusters of applications.
- Although Gartner has not observed it as a barrier to any deals, Imperva only supports AWS at present, whereas competitors have versions for other cloud platforms.
NSFOCUS
NSFOCUS is based in Beijing, China. It started in 2000 as a provider of an anti-DDoS solution (ADS Series), and then introduced new product lines for intrusion prevention (NIPS Series) and a vulnerability scanner (RSAS Series). NSFOCUS's WAF (WAF Series) offering was first released in 2007. It is delivered as a physical or virtual appliance, can operate in reverse-proxy or transparent-proxy mode, and supports OOB deployment. NSFOCUS also offers centralized management software (Enterprise Security Manager), along with managed services for its WAF.
The vendor recently announced IPv6 support and a new high-end WAF appliance aimed at midsize organizations.
NSFOCUS is evaluated as a Niche Player for the WAF market because a majority of its WAF sales are connected to other NSFOCUS products in the Asia/Pacific region. NSFOCUS's WAF is a good shortlist candidate for the vendor's current customers, and for SMBs and larger organizations in China.
Strengths
- Clients selecting NSFOCUS's WAF often report competitive price and performance, especially low latency, as being decisive factors. NSFOCUS has recently added a localized GUI for its Japanese clients.
- The WAF can redirect incoming Web traffic to NSFOCUS's anti-DDoS ADS devices located on a cloud infrastructure when congestion is detected, and then switch back to normal.
- The WAF has a good mix of local and global product certification, including ICSA Labs WAF certification.
- NSFOCUS's WAF integrates with its DAST product, NSFOCUS Web Vulnerability Scanning System (NSFOCUS WVSS).
Cautions
- NSFOCUS is not visible in WAF offering evaluations outside of China. Its international channel's technical investment in WAF still lags behind the other products, which can limit the availability of local skilled resources for support.
- NSFOCUS's WAF lags behind the Leaders in some enterprise-class features, such as limited role-based management, active-active clusters restricted to two appliances, and no SSL acceleration or HSM.
- NSFOCUS's WAF does not provide authentication features.
- Surveyed clients report that automatic policy learning could be easier to fine-tune.
- NSFOCUS's WAF integrates with the vendor's vulnerability scanner (RSAS); however, to date, there are no integrations with third-party SIEM or vulnerability scanners.
Penta Security
Established in 1997, Penta Security is headquartered in Seoul, South Korea. Its product portfolio includes WAFs (Wapples), database encryption (D'Amo) and authentication/SSO (ISign Plus). Wapples is offered as a physical or virtual appliance (Wapples V-Series) and as a cloud service (Cloudbric). A centralized WAF management system (Wapples MS) and a free-to-use monitoring cloud-based Web portal (WMP) are also available. Penta Security emphasizes Wapples' "logic detection" technology, which does not require regular signature updates.
Last year, the vendor launched WAF as a service (Cloudbric) and signed partnerships with a few telecom providers to offer its WAF as a service. The vendor also refreshed its Wapples appliance line with four new appliances and added support for JSON inspection.
Penta Security is rated as a Niche Player because of its limited presence outside of its home market. Enterprise buyers should consider Penta Security for WAF selection, but should verify the availability of local technical support and require peer references first.
Strengths
- Surveyed clients praise Penta Security's WAF ease of deployment and low operational workload. They give good scores for the quality of the protection and for the low false-positive rate.
- Wapples is the only WAF evaluated in this research with Common Criteria EAL4 certification.
- Wapples includes parameter and cookie security features, and it can create whitelists from IP reputation feeds. Its audit logs provide good traceability of configuration changes. Cloudbric, its cloud WAF, is free for up to 4GB of data per month.
- Penta Security's local partnership agreement with telecom providers offers an easy option to combine cloud-based DDoS protection with the WAF.
Cautions
- Wapples includes limited automation features to create its security policy from Web application behavior. Even if multiple default security policies are available, it lacks predefined templates for well-known Web applications.
- Wapples' security depends heavily on the robustness of its generic engine, with few complementary techniques available in case it fails to detect targeted attacks.
- Penta Security does not offer authentication features, which can limit its ability to integrate with internal Web applications.
- To date, integrations with third-party SIEM or Web vulnerability scanners rely on generic SNMP and syslog support.
- The vendor does not yet appear on Gartner clients' shortlists outside the Asia/Pacific region.
Positive Technologies
Positive Technologies is headquartered in Moscow, London and Boston, and has shipped its WAF, called PT Application Firewall, since 2013. Positive Technologies shipped its first WAF central management platform and introduced clustering capability in 2014. The vendor also has MaxPatrol (a vulnerability scanner that can look for general network vulnerabilities and SAP and ICS/SCADA vulnerabilities) and PT Application Inspector, which combines static, dynamic and interactive code analysis techniques. Positive Technologies' WAF product is currently available as a dedicated appliance, as a software version that can run on a third-party appliance and as a virtual machine that is predominantly installed on the enterprise's premises; it can also be delivered as a managed security service through carrier partners. PT Application Firewall is not available to secure workloads on public IaaS cloud platforms.
While Positive Technologies currently mostly sells in the EMEA markets, it is working to establish a firmer foothold in other markets in 2015. Its customers are distributed relatively evenly among the SMB, enterprise and large-enterprise segments. Most of its customers are governmental agencies and financial institutions. It is one of the smallest vendors included in this Magic Quadrant, but it's growing quickly while maintaining a focus on innovation.
Positive Technologies is rated as a Visionary because of its unique, leading-edge security features. Organizations that are looking for high security first should consider adding Positive Technologies to their shortlists, but verify the level of local expertise on and support for the technology.
Strengths
- Positive Technologies' customers list good security, ease of configuration through self-learning, and heuristics as reasons for selection.
- Partners and customers speak highly of the vendor's responsiveness to feature requests and the quality of technical support.
- PT Application Firewall enables reflected XSS detection by analyzing HTTP responses, and uses machine learning for anomaly detection.
- Positive Technologies has a strong capability, using templates to protect certain business applications, most notably SAP.
- The vendor enables correlation between its WAF and DAST/static application security testing (SAST) to increase the accuracy of detection and protection.
Cautions
- Positive Technologies' WAF is a young product; therefore, it has been focused on a limited set of geographies. In 2015, the vendor plans to expand its reach into South American and North American nations, and certain Asia/Pacific region and Middle Eastern nations.
- The vendor lacks integration with Active Directory, and does not support hardware SSL offload.
- Positive Technologies' revenue is low compared with the Leaders, Challengers and most of the Niche Players in this Magic Quadrant. It does not show up as a top competitor among surveyed vendors, and Gartner seldom sees PT Application Firewall on client shortlists.
- Customers cite management console and inflexible reporting as areas for improvement.
Radware
Headquartered in Tel Aviv, Israel, and Mahwah, New Jersey, Radware (RDWR) delivers a variety of application delivery and security products. These security products include a hybrid DDoS mitigation tool (DefensePro), a DDoS protection virtual appliance (DefenseFlow), a DDoS protection managed service (DefensePipe) and a WAF (AppWall), which can be purchased individually or bundled together in Radware's Attack Mitigation System (AMS) offering. Radware has been shipping the AppWall WAF, which it acquired from Protegrity, since 2010. AppWall may be deployed as a physical or virtual appliance. Radware also provides a solution for the centralized management, monitoring and reporting of its own products (APSolute Vision).
During 2014, Radware released no new hardware models for AppWall. It did have new WAF service introductions, including a fully managed cloud-based WAF and an on-premises fully managed WAF service. Radware also introduced support for out-of-band WAF deployment integrated with the DefensePro appliance for mitigation.
Gartner rates Radware as a Niche Player because, despite recent efforts, its WAF still predominantly serves its current customer base of midsize and large enterprises. It is a good fit in security environments that use other Radware security or ADC products.
Strengths
- Among other deployment scenarios, AppWall can be deployed in transparent bridge mode while providing reverse-proxy capabilities to specific traffic. Combined with automatic policy learning, this enables AppWall to be deployed easily, with no configuration changes to the network.
- Surveyed Radware customers cite security and price as two primary reasons for selecting the vendor.
- Radware's WAF console includes strong service-provider-focused multitenancy capabilities, and integrates authentication and SSO modules.
- Radware has executed well on its roadmap for the past three years, showing a stronger commitment to the WAF market than many of the other Niche Players in this Magic Quadrant.
Cautions
- AppWall lacks integration with third-party dynamic vulnerability scanners and database monitoring solutions.
- Radware was slow to integrate AppWall as a module with the Radware Alteon ADC (it was added in June 2014), thereby putting the vendor at a competitive disadvantage with fully integrated ADC/WAF competitors. Since then, Gartner has not seen many deals with AppWall sold alongside Alteon.
- Radware has low visibility on Gartner client WAF shortlists. It gets fewer mentions in Gartner client inquiries than several of its direct competitors.
Trustwave
Based in Chicago, Trustwave provides managed services around its comprehensive portfolio of network security solutions, including its WAF, secure Web gateway, IPS, application security and SIEM offerings. Trustwave is also a qualified security assessor (QSA) for PCI DSS. The Trustwave WAF was first available in 2006 as a physical appliance (TX Series), and then in 2013 as a virtual appliance (VX Series) for VMware hypervisors. Trustwave's WAF works with other solutions from the vendor, including the SIEM and vulnerability scanner. Trustwave also supports the open-source ModSecurity WAF, and provides a commercial signature package that is maintained by SpiderLabs, its threat research team.
In April 2015, Singtel announced its intention to acquire Trustwave and that Trustwave will continue to operate as a stand-alone business unit after the acquisition closes. Recently, Trustwave and WAF competitor Akamai agreed on an alliance to resell select solutions from each other.
Trustwave is assessed as a Niche Player because many of its WAF sales come from compliance projects in North America with focused security requirements. Trustwave is a good choice for organizations in North America that are seeking PCI compliance, and is a logical shortlist candidate for businesses looking for a managed WAF.
Strengths
- Trustwave's support of ModSecurity gives its large threat research team (SpiderLabs) access to feedback from its community, which is useful for improving the quality of its WAF — notably the recently introduced IP reputation subscription.
- Trustwave's WAF provides a PCI-ready default configuration. Its well-crafted OOB deployment mode, with multiple types of blocking capabilities and the ability to decrypt SSL connections using a copy of the network traffic, appeals to its WAF clients.
- With its latest release (v.7.0), Trustwave WAF can inspect JSON content and deploy signatures automatically.
- Clients report that they have confidence in the SpiderLabs team's expertise.
Cautions
- The Singtel acquisition could influence Trustwave's roadmap and switch the focus to other products and services. It also could alienate some channel partners in regions where Singtel operates.
- Gartner sees Trustwave's partnership with Akamai as a double-edged sword for Trustwave customers, offering them a cloud option with a known brand, but vastly different technology, pricing and management approaches when migrating their Web application to the cloud.
- Except for compliance projects in North America, Gartner rarely sees Trustwave on WAF shortlists.
- Clients cite centralized management and the false-positive rate (in default configuration and subsequent application changes) as needed improvements.
- Trustwave lags its competitors in several areas, including authentication, in-house protection against application DDoS, integration with third-party SIEM and Web application delivery optimization.
United Security Providers
United Security Providers, headquartered in Bern, Switzerland, provides a WAM solution (USP Secure Entry Server) that includes a tightly integrated WAF, authentication server and XML gateway. It also offers managed security services, including products from other vendors. The WAF is available as a physical, software or virtual appliance, and as a cloud service. USP also provides MSSP services for its WAF.
In 2014, United Security Providers introduced nine new WAF models and recently signed its first distributor in the U.K.
United Security Providers is assessed as a Niche Player because it serves almost only Swiss and German clients, even though the vendor began to intensify its efforts for international expansion in 2014. The vendor's WAF best serves organizations with authentication and security needs to protect Web applications with restricted access requirements.
Strengths
- The integration with the WAM solution offers a lot of flexibility for authentication and SSO, which can be factored into WAF security decisions.
- United Security Providers has recently started operations in the U.K., with dedicated objectives for WAF expansion, and has further developed its WAF appliance product lines. Gartner sees these moves as good first signals for a future increased focus on WAF client needs.
- United Security Providers' WAF includes advanced security features, such as URL encryption, protection against CSRF, cookie security and Web client fingerprinting. It also supports JSON and WebSockets.
- The vendor has a faithful base of clients and channel partners. When surveyed, clients mentioned positive feedback from peer references as a reason to select United Security Providers. They give good scores to its support and professional service, and to the vendor's WAF managed services offering.
Cautions
- United Security Providers increased its efforts in WAF product development, but its marketing remains primarily centered on WAM buyers.
- Surveyed clients indicate that the management and reporting console could be improved.
- The vendor's WAF can't redirect traffic to a DDoS protection cloud or integrate with third-party DDoS protection. It does not integrate with any of the leading application security testing vendors, and has integration with SIEM using syslog only.
- Outside of Switzerland, United Security Providers does not appear on Gartner competitive shortlists for WAF, and it is not mentioned as a competitor by other vendors for WAF selections.
Vendors Added and Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Added
- Positive Technologies
Dropped
- BeeWare was acquired by DenyAll
Inclusion and Exclusion Criteria
WAF vendors that meet Gartner's market definition/description are considered for this Magic Quadrant under the following conditions:
- Their offerings can protect applications running on different types of Web servers.
- Their WAF technology is known to be approved by qualified security assessors as a solution for PCI Data Security Standard (DSS) Requirement 6.6 (which covers Open Web Application Security Project [OWASP] Top 10 threats, in addition to others).
- They provide physical, virtual or software appliances, or cloud instances.
- Their WAFs were generally available as of 1 January 2014.
- Their WAFs demonstrate features/scale relevant to enterprise-class organizations.
- They have achieved $4 million in revenue from the sales of WAF technology.
- Gartner has determined that they are significant players in the market due to market presence or technology innovation.
- Gartner analysts estimate that the vendor's WAF technology provides more than a repackaged ModSecurity engine and signatures.
WAF companies that were not included in this research may have been excluded for one or more of the following reasons:
- The vendor primarily has a network firewall or IPS with a non-enterprise-class WAF.
- The vendor has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.
- The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and Internet service providers that provide managed services. We assess the breadth of OEM partners as part of the WAF evaluation, and do not rate platform providers separately.
- The vendor has a host-based WAF or API security gateway (these are considered distinct markets).
In addition to the vendors included in this Magic Quadrant, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels in WAF projects, including: A10 Networks, Alert Logic, Array Networks, Brocade, CloudFlare, DB Networks, ditno, Indusface, Instart Logic, Kemp Technologies, Piolink, Qualys, Sangfor, Sucuri, Venustech, Verizon and ZenEdge.
The different markets focusing on Web application security continue to be highly innovative. The vendors included in this Magic Quadrant participate, as do others that are not included. Those vendors take part in Web application security, but often focus on specific market needs, or take an alternative approach to Web application security. Examples include Juniper Networks (with its WebApp Secure product), Sentrix and Shape Security.
Evaluation Criteria
Ability to Execute
- Product or Service: This includes the core WAF technology offered by the technology provider that competes in/serves the defined market. This also includes current product or service capabilities, quality, feature sets, and skills, whether offered natively or through OEM agreements/partnerships, as defined in the Market Definition/Description section. Strong execution means that a vendor has demonstrated to Gartner that its products or services are successfully and continually deployed in enterprises. Execution is not primarily about company size or market share, although these factors can considerably affect a company's ability to execute. Some key features, such as the ability to support complex deployments, including on-premises and cloud-based options, with real-time transaction demands, are weighted heavily.
- Overall Viability: This includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue to invest in WAF, offer WAF products, and advance the state of the art within the organization's portfolio of products.
- Sales Execution/Pricing: This is the technology provider's capabilities in all presales activities and the structure that supports them. It includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. It also includes deal size, as well as the use of the product or service in large enterprises with critical public Web applications, such as banking applications or e-commerce. Low pricing will not guarantee high execution or client interest. Buyers want good results more than they want bargains.
- Market Responsiveness/Record: This is the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and security trends and customer needs evolve. A vendor's responsiveness to new or updated Web application frameworks and standards, as well as its ability to adapt to changes in market dynamics (such as the relative importance of PCI compliance), is also assessed. This criterion also considers the provider's history of releases, but weights its responsiveness during the most recent product life cycle higher.
- Marketing Execution: This is the clarity, quality, creativity and efficacy of programs that are designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in buyers' minds. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word of mouth and sales activities.
- Customer Experience: This assesses the relationships, products and services/programs that enable clients to be successful with the products that are evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
- Operations: This is the organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Source: Gartner (July 2015)
Completeness of Vision
- Market Understanding: This is the technology provider's ability to understand buyers' wants and needs, and to translate them into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance them with their added vision. They also determine when emerging use cases will greatly influence how the technology has to work.
- Marketing Strategy: This is a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
- Sales Strategy: This is the strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates to extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. The ability to attract new customers who need Web application security alone strongly influences this criterion.
- Offering (Product) Strategy: This is the technology provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. As attacks change and become more targeted and complex, we highly weight vendors that move their WAFs beyond rule-based Web protections that are limited to known attacks. For example:
- Enabling a positive security model with automatic and efficient policy learning
- Using a weighted scoring mechanism based on a combination of techniques
- Providing updated security engines to handle new protocols and standards (such as JSON, HTML5, SPDY, IPv6 and WebSockets), as well as remaining efficient against the changes in how older Web technologies (such as Java, JavaScript and Adobe Flash) are used
- Actively countering evasion techniques
- Business Model: This is the soundness and logic of a technology provider's underlying business proposition.
- Vertical/Industry Strategy: This is the technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. This criterion is not rated this year.
- Innovation: This covers the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. It includes product innovation and quality differentiators, such as:
- New methods for detecting Web attacks and avoiding false positives
- A management interface, monitoring and reporting that contribute to easy Web application setup and maintenance, better visibility, and faster incident response
- Integration with companion security technologies, which improves overall security
- Geographic Strategy: This is the technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography — either directly or through partners, channels and subsidiaries — as appropriate for those geographies and markets.
Quadrant Descriptions
Leaders
The Leaders quadrant contains vendors that have the ability to shape the market by introducing additional capabilities in their offerings, by raising awareness of the importance of those features and by being the first to do so. They also meet the enterprise requirements for the different use cases of Web application security.
We expect Leaders to have strong market share and steady growth, but these alone are not sufficient. Key capabilities for Leaders in the WAF market are to ensure higher security and smooth integration in the Web application environment. They also include advanced Web application behavior learning; a superior ability to block common threats (such as SQLi, XSS and CSRF), protect custom Web applications and avoid evasion techniques; and strong deployment, management, real-time monitoring, and extensive reporting. In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements and evolution in Web applications that will require paradigm changes.
Challengers
Challengers in this market are vendors that have achieved a sound customer base, but they are not leading on security features. Many Challengers leverage existing clients from other markets to sell their WAF technology, rather than competing on products to win deals. A Challenger may also be well-positioned and have good market share in a specific segment of the WAF market, but does not address (and may not be interested in addressing) the entire market.
Visionaries
The Visionaries quadrant is composed of vendors that have provided key innovative elements to answer Web application security concerns. They devote more resources to security features that help protect critical business applications against targeted attacks. However, they lack the capability to influence a large portion of the market; they haven't expanded their sales and support capabilities on a global basis; or they lack the funding to execute with the same capabilities as vendors in the Leaders and Challengers quadrants. Visionaries quadrant vendors also have a smaller presence in the WAF market, as measured by installed base, revenue size or growth, or by smaller overall company size or long-term viability.
Niche Players
The Niche Players quadrant is composed primarily of smaller vendors that provide WAF technology that is a good match for specific WAF use cases (such as PCI compliance), or those that have a limited geographic reach. The WAF market includes several European and Asian vendors that serve clients in their regions well with local support and an ability to quickly adapt their roadmaps to specific needs; however, they do not sell outside their home countries or regions. Many Niche Players, even when selling large appliances, offer features that suit only the needs of SMBs and smaller enterprises.
Vendors in this quadrant may also have a small installed base or be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investments or capabilities, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on a vendor's value in the more narrowly focused service spectrum.
Context
Gartner generally recommends that client organizations consider products from vendors in every quadrant of this Magic Quadrant, based on their specific functional and operational requirements. This is especially true for the WAF market, which includes a large number of relatively small vendors, as well as larger vendors with only a small share of their revenue coming from their WAF offerings. Product selection decisions should be driven by organization-specific requirements in areas such as deployment constraints and scale, the relative importance of compliance, the characteristics and risk exposures of business-critical and custom Web applications, and the vendor's local support and market understanding.
Security managers who are considering WAF deployments should first define their deployment constraints, especially:
- Their tolerance for a full in-line reverse proxy with blocking capabilities in front of the Web applications
- The benefits and constraints of the different WAF delivery options: dedicated appliances, CDNs, ADCs and cloud services
- SSL decryption/re-encryption and other scalability requirements
For more information on WAF technology selection and deployment challenges, see "Web Application Firewalls Are Worth the Investment for Enterprises."
Market Overview
Gartner estimates that the WAF market amounts to $420 million in 2014, growing 24% compared to 2013. The Americas represent 45% of the total market, EMEA accounts for 29% of the market and the Asia/Pacific region accounts for 26%.
The WAF market includes different categories of vendors. In 2013, dedicated WAF offerings from pure players and network security vendors dominated the market with more than 50% of the WAF revenue. Large ADC vendors that were the first to add WAF capabilities have good market shares, leveraging their existing client bases. Smaller ADC vendors now have also added the WAF option (A10 Networks in 2013, Kemp Technologies in 2014). They offer lower costs than dedicated technology, and emphasize easy integration and high performance to win WAF deals. Various CDN and anti-DDoS cloud providers now offer WAF subscriptions, growing quickly and from a small base.
PCI and other compliance requirements are still mentioned as the primary reasons for WAF purchases in 25% to 30% of inquiries with Gartner clients, especially in midsize organizations and smaller enterprises. With PCI 3.0, Requirement 6.6 was updated, loosening slightly the constraints on WAF deployment, but this change did not affect the WAF market.1
However, 2014 has been marked by stronger positions from security buyers, whose needs are increasingly differentiated between good-enough WAF and high-security requirements. The growing number of ADCs and cloud services integrating WAF as a feature raises awareness of Web application security requirements, but might also put additional price pressure on pure-player WAF vendors when they are unable to justify higher deployment costs with proven results showing not only that they provide higher security, but also that they reduce overall workload through better management and reporting tools. WAF delivered as a service continues to gain traction, and its ease of deployment appeals to more and more security buyers. Still, the maturity of these cloud offerings can often be far from best of breed, especially in their clients' ability to act on false alerts or to get more than a set of repackaged signatures protecting predominantly against injection flaws.
In May 2014, French WAF vendor DenyAll acquired its French competitor BeeWare. In April 2015, Singtel announced its intention to acquire Trustwave. Gartner believes that more mergers and acquisitions are likely to happen in the upcoming years, as large security vendors look for growth opportunities and smaller vendors try to reach critical size.
The open-source module ModSecurity and the more recently released IronBee are also considered cost-effective competition for commercial WAF, especially for good-enough WAF use cases.
Organizations Better Understand the Value of WAF Technology, but Expect More Benefits
Gartner already sees Type A organizations (see Note 1) continuing to deploy WAFs for their public and internal Web applications, even when there are no compliance constraints. Thanks to cloud-based offerings and virtual appliances available on IaaS (such as AWS), WAF technology now reaches smaller enterprises and midsize organizations, especially when bundled with DDoS protection and CDN features.
With a growing number of WAF upgrades, the selection process integrates more stringent requirements, as a result of the experience gained from previous WAF projects. To continue to grow in the future, WAF vendors need to satisfy these upgraded demands, and to justify the investment not only with ease of use and smooth integration, but also with strong and actionable security measures. While many WAF vendors highlight their partnerships with application security testing providers, only a subset of Type A enterprises effectively manage to gain sufficient benefits from the integration, partly because the virtual patching workflow is only partially automated. Integration with third-party solutions (AST, database monitoring, Web access management) also creates a risk of diluted value for WAF technology as a stand-alone option.
Gartner clients also often complain about WAF reporting for security analysts and the limited automation available to remediate attacks or fix false positives. Reliance on positive security models (whitelists or policies derived from automatic Web application behavior learning engines) in prevention mode and automatic deployment of virtual patches are rare, and are signs of security teams' aversion to any risk of an incident that could disrupt business applications. These perceived limitations benefit some MSSP offerings, which increasingly convince organizations to subscribe to their managed WAF service.
The most successful WAF vendors understand this and continue to invest in tighter integration of security features in the WAF platform. Other vendors maintain their investment in WAF technology at a good-enough level to follow the evolution of Web standards but, with time, move closer to good-enough-only, making it harder to win against platforms integrating WAF as one of many features.
Organizations that handle very large public Web applications will also require better automation during staging, and also in cases of frequent Web application changes. They will also require optimized operational costs, with larger appliances replacing complex cluster architectures. In addition, security for mobile Web applications, cloud hosting and cloud services implies new security measures and an alternative deployment setup that could affect how the WAF market evolves in the future.
Increased visibility into well-known Web application behavior, better security against targeted attacks and ease of use will continue to be highly weighted in competitive evaluations; however, incremental improvements alone won't be sufficient to maintain a long-term high growth rate. WAF vendors must also find new ways to provide high value to client organizations, and to adapt to new methods of delivery and consumption for Web applications and services.