web analytics

The 2025 WAF Wave from the Other Side – Source: securityboulevard.com

the-2025-waf-wave-from-the-other-side-–-source:-securityboulevard.com
Rate this post

Source: securityboulevard.com – Author: David Holmes

Forrester just published its 2025 Web application Firewall Wave. As a former industry analyst, and as a contributor on the vendor side for Imperva (cough, a leader in the report, cough), let me share some reactions on the shape of this report.

The Center of the Universe

The first top level header (H1 in the industry parlance) of the report asserts that the WAF has become ”The Center Of Application Protection Suites.”  I absolutely agree with this statement, and have been saying this myself for years.  The WAF is similar to the Network Firewall (I used to cover that space) in that, no matter how many times it is pronounced DOA, it just keeps growing and absorbing any adjacent technologies.  The network firewall did this with similar inspection controls like IDS/IPS and malware detonation. The WAF has done it with bot management and now API security. For the curious, why doesn’t the Network Firewall absorb the WAF? Most of the time WAF is in a B2C environment, not an enterprise environment. Different use cases, threat surface, buyers, partners, security policy, etc. The B2C WAF is largely safe from the Network Firewall, and other enterprise-focused tools like CWPP and CNAPP. Even in the cases WAFs are used in enterprise environments, the problem space is just too big to be collapsed into a network firewall (think bot management, DDoS protection, SSL decryption, API security, etc).

Efficacy vs Operational Efficiency

A top consideration for buying a WAF, according to the report, is to consider its efficacy in both terms of false positives and false negatives. The former adds friction, which is poison in the B2C world, and the latter erodes effectiveness and generates mistrust to the security team. My reaction: this is also spot on. One of the challenges of the conventional WAF is policy management and “tuning” to avoid false positives. Constant tuning, when not done, is technical debt. We have many competitors where 90% of their customers never put their WAF in blocking mode, because of too many false positives. Imperva’s approach to the cloud WAF is “just let us do the work for you.” Over 96% of Imperva Cloud WAF customers just onboard their application and let us handle the day-to-day policy changes. That’s what makes us different, and, we think, contributed to our top score in the “Adoption” criteria of the evaluation.

Techstrong Gang Youtube

AWS Hub

API Ready or just API Curious?

An astute reader of the evaluation will notice that one of the first criteria is API discovery and protection. Most customers know that they have exposure here (and want to know their risk). The API security market is growing over 20% YoY!  There are still a few standalone API sec solutions out there, but by and large API security has become a function of the standard AppSec stack. Consider this: all serious API security solutions operate asynchronously (not inline). When it’s finally time remediate, what component is going to do the blocking?  In most cases it will be the WAF, since it’s already there.  What about API gateways, some might ask. Great question, but the security team doesn’t own that component and would have to regularly negotiate with its owners for policy blocking. Siloed security teams are still a reality, so many are already looking for a security-team-only detection and response option.

Magecarts and Client Side Protection

The release of this report on Web Application firewalls is super timely because (here’s your last reminder): the PCI DSS 4.0 deadline to have client-side protection (CSP) against magecart attacks is in just a few weeks!  In my conversations with customers, it is a matter of urgency and this report can help generate shorter shortlists for shoppers. For example, none of the current hyperscaler WAFs have CSP, but of course, we do. Props to Forrester for including an explicit mention of CSP in our vendor scorecard, we do appreciate it.

As a leader in this report, we are of course licensing it for you and you can access a copy of it, and read more about the importance of industry analyst reports, at our launch blog here.

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

The post The 2025 WAF Wave from the Other Side appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by David Holmes. Read the original post at: https://www.imperva.com/blog/the-2025-waf-wave-from-the-other-side/

Original Post URL: https://securityboulevard.com/2025/03/the-2025-waf-wave-from-the-other-side/?utm_source=rss&utm_medium=rss&utm_campaign=the-2025-waf-wave-from-the-other-side

Category & Tags: Application Security,Security Bloggers Network,Forrester Research,Imperva Cloud WAF – Application Security,Security Bloggers Network,Forrester Research,Imperva Cloud WAF

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos