At first glance, the web application firewall (WAF) market — populated by long time vendors with robust partner programs, extensive supporting services, and a slew of customer engagement opportunities — may seem like a space that has topped out. However, changes in how organizations develop and deploy applications — more hybrid cloud, more APIs, more automation — mean that WAFs have extended their protections to APIs, enhanced security operations integrations, added infrastructure-as-code (IaC) support, and worked to better embed threat intelligence with policy and analytics. As I conducted the evaluation for The Forrester Wave™: Web Application Firewalls, Q3 2022, a few things stood out:

  • Native API security capabilities have improved. Two years ago, state of the art in API security for WAFs was the ability to upload an API specification file and generate rules based on it. That’s now a baseline capability. Many vendors have added API discovery and schema enforcement to their WAF capabilities, and top vendors can generate API specification files based on analyzed traffic. Note that we are looking at API security capabilities native to the WAF offering, not through other API security products sold separately.
  • IaC support has become the norm. Almost all the Wave vendors have verified support for Terraform, and some offer support for other IaC tools too. APIs and command-line options are also available, but several reference customers shared that they have embraced IaC to manage their WAF configurations and deployments.
  • Vendors are investing in modern reporting. In my previous Waves (not just WAF), I have often found vendors’ reporting capabilities wanting, and customer references have agreed. Typically, reporting is the area that gets the most negative reference feedback. While not all the customer reference complaints have disappeared, feedback was much improved over previous years, indicating that vendors are making progress in this area. Several vendors have integrated modern reporting tools, offering customers more flexibility and new visualizations.
  • Vendors responded quickly to Log4Shell issues. Log4Shell was an avalanche of panic and work for security pros last year, and with WAF as one of the key defense points, we wondered how quickly vendors were able to help their customers and how well they communicated. It was a pleasant surprise to see that top vendors had issued new rules within hours or by the next day, posting regular blogs with updates and even hosting events to help customers understand the issues. Customer references were uniformly pleased with their vendors’ responses.

To learn more about the latest and greatest in the WAF market and how the players differentiate even in highly mature areas, check out The Forrester Wave™: Web Application Firewalls, Q3 2022, or set up an inquiry.