Let’s face it: Web application firewalls (WAFs) rarely excite the security imagination. WAFs have been ubiquitous for at least 15 years and play an important role in detecting and blocking OWASP Top 10 application level attacks like SQL injection and cross-site scripting. WAFs are table stakes in any environment, but they suffer from the perception that nothing is new.

The Forrester Wave™: Web Application Firewalls, Q1 2020” warns that things are changing. Application attacks continue apace, and WAF providers that merely focus on protecting against the OWASP Top 10 won’t remain relevant. Over the past year, organizations such as Hostinger and Xiaomi have been subject to attacks via their APIs, and attackers have breached thousands of sites, including Macy’s and the Baseball Hall of Fame, through client-side components. The leading WAF providers must provide an integrated approach to old and emerging attack approaches.

Some WAF providers have responded to the changing dynamics by adding additional API protections or client-side attack prevention. Others have amped up their threat intelligence. Several WAF vendors have acquired major bot management players over the past 18 months. A few long-time vendors are investing in necessary UI and dashboard upgrades.

For this Wave, we evaluated 10 providers, combing through questionnaires, demos, and documentation to compare their offerings. What left the biggest impression, however, were the customer references. Organizations want more from their WAF providers — and the degree of negative feedback from vendor-supplied references in this Forrester Wave warns that, unless vendors adapt quickly, the WAF market is ripe for disruption.