Web application firewalls (WAFs) are a critical component for robust application security. The best ones find the right balance between performance, security effectiveness, and cost.
The primary task for WAFs is to protect specific applications from web-based attacks at the application layer. However, WAFs continue to add advanced features like load balancing, intrusion prevention, threat intelligence, and more, so their role is expanding. At the same time, WAF technology is increasingly a part of more comprehensive security solutions like next-generation firewalls (NGFW), unified threat management (UTM), and more.
Standalone and comprehensive WAF solutions vary greatly in sophistication, pricing, ease of installation and use, and performance. We look at the top WAF vendors, followed by a deep dive into the products and WAF market to find what buyers should consider before purchasing.
WAF market
The web application firewall market is expected to grow at a CAGR of 16.92%, leaping from a valuation of $3.23B in 2020 to $8.06B in 2026. WAFs are in high demand in a world increasingly dependent on application resources.
WAF Solutions In Depth
eSecurity Planet surveyed the web application firewall market to come up with this list of the top WAF solutions and vendors. Here’s an in-depth look at those solutions, followed by a guide to the WAF market and buying considerations.
Jump ahead to:
- Akamai
- AWS
- Barracuda WAF
- Check Point
- Cloudflare
- F5
- Fortinet
- Imperva
- Microsoft Azure
- Radware
- Fastly-Signal Sciences
- SonicWall
Compare the Top Web Application Firewall Solutions
1 AppTrana
AppTrana is a fully managed Web application firewall, that includes Web application scanning for getting visibility of application-layer vulnerabilities; instant and managed Risk-based protection with its WAF, Managed DDOS and Bot Mitigation service, and Web site acceleration with a bundled CDN or can integrate with existing CDN. All of this backed with a 24x7 Managed Security Expert service to provide custom rules and policy updates with zero false positive guarantee and promise.
Akamai: Kona Site Defender and Web Application Protector
From the 1998 MIT Entrepreneurship Competition to today, Akamai Technologies is now a top provider of WAF solutions. With two options to choose from, the Web Application Protector (WAP) offers DDoS protection, bot management, and is pre-configured to detect the latest threats. The Kona Site Defender (KSD) goes much further in offering enterprise-level anomaly detection, threat intelligence, and control automation. Leaving its CDN technology and advanced security features, Akamai is also one of the leading top zero trust solutions.
Next to Imperva, the Gartner 2020 Magic Quadrant puts Akamai as the only other WAF market leader. Both the Akamai WAP and KSD hold an average of 4.7/5 star rating of 191 user reviews on Gartner Peer Insights. The 2020 Q1 Forrester Wave also positioned Akamai as a WAF market leader, noting KSD’s investment in developing advanced API security features.
AWS WAF
For clients seeking an Amazon Web Service (AWS) cloud-native solution, look no further. Amazon has long dominated the cloud ecosystem, and fifteen years after its release, AWS continues to expand its solutions. With a quality pre-configured set of rules managed by AWS, networks are safe from the most common web application and API attacks. Features like AWS WAF Bot Control offer visibility and control into suspicious and actionable traffic.
AWS WAF is featured in the Gartner 2020 Magic Quadrant as a niche player and currently holds an average 4.7/5 star rating with 187 reviews on Gartner Peer Insights. The 2020 Q1 Forrester Wave placed AWS in the WAF market contenders and emphasized the array of supplemental AWS services at a client’s disposal.
Also Read: Cloud Bucket Vulnerability Management in 2021
Barracuda WAF
Founded in 2003, Barracuda Networks is a Campbell, California-based vendor of network appliances and cloud services. The Barracuda Networks WAF product line is deployable via hardware appliance, virtually, or through their cloud-based Barracuda CloudGen Firewall for AWS, Azure, and GCP. Clients report Barracuda WAF is easy to use, offers quality customer support, and is a deal, with free access to Barracuda’s vulnerability remediation service.
Barracuda WAF earned challenger status in the Gartner 2020 Magic Quadrant for WAF and currently holds an average of 4.6/5 star rating over 73 reviews on Gartner Peer Insights. For the 2020 Q1 Forrester Wave, Barracuda Networks is considered a strong performer in the WAF market, and users note good value for the price.
Read our in-depth review of Barracuda WAF
Check Point CloudGuard AppSec
Israeli cybersecurity vendor Check Point Software Technologies made waves in 1993 when it launched the first stateful inspection security module, FireWall-1. Almost thirty years later, Check Point continues to innovate, expanding its solutions to cover the network, cloud, and user access spaces.
Their cloud-based WAF solution is CloudGuard for Application Security, which promises to eliminate false positives, lower TCO, and auto-deploy on any environment. Using contextual AI, CloudGuard AppSec removes human error and proactively tunes rules to prevent threats. User reviews for CloudGuard AppSec on Gartner Peer Insights applaud its agility and flexibility while others point to delayed deployments, in part due to weak support.
Cloudflare WAF
Cloudflare is a web infrastructure and cybersecurity company founded in 2009 and located in San Francisco, California. Specializing in content delivery network (CDN) services from protecting organizations at the network edge to mitigating DDoS attacks, the Cloudflare WAF protects almost 25 million websites. With a network of that size, Cloudflare offers the latest threat intelligence at scale.
Cloudflare was named a challenger in the Gartner 2020 Magic Quadrant for WAF and currently holds an average of 4.7/5 star rating over 208 user reviews on Gartner Peer Insights. The 2020 Q1 Forrester Wave also put Cloudflare at market challenger status and applauded the vendor’s ease of use and integrability with other Cloudflare solutions.
F5 Advanced WAF
Seattle-based F5 traces its roots to the mid-1990s with the release of the BIG-IP load balancer. As the company added appliances, software, and solutions-oriented application layer security, the development of the F5 Advanced WAF became inevitable. From behavioral analytics and machine learning to in-browser data encryption and an anti-bot mobile SDK, F5 offers industry-leading features. F5 is consistently a top alternative for users adopting other WAF solutions.
The F5 Advanced WAF was named a market challenger in the Gartner 2020 Magic Quadrant for WAF, while Gartner Peer Insights user reviews XXX. For the 2020 Q1 Forrester Wave, F5’s Advanced WAF was a strong contender and received high marks for attack detection and response.
Read our in-depth review of F5 Advanced WAF
Fortinet FortiWeb
A staple in the cybersecurity industry since 2000, Fortinet is known for its line of firewalls, including the FortiWeb web application firewall. The Sunnyvale, California vendor offers a WAF solution built to adapt to the evolving attack surface of applications. Employing two layers of machine learning, FortiWeb is an advanced solution for web application and API security and bot mitigation.
Fortinet remains a top market challenger, earning another placement on the Gartner 2020 Magic Quadrant for WAF. On Gartner Peer Insights, FortiWeb’s popularity shows with the most user reviews at 212. Clients noted FortiWeb’s strengths as known threat protection and advanced security features, while a recent review noted the interface could be more all-encompassing for visualizing controls.
Read our in-depth review of Fortinet FortiWeb
Imperva: WAF Gateway and Cloud WAF
In 2003, the California upstart WEBcohort was an early provider of web application firewall technology. Some years later, and a name change, Imperva is at the top of the WAF industry. Imperva WAF allows clients to deploy the solution on-premises (WAF Gateway) and in AWS and Azure or cloud services (Cloud WAF). Imperva claims security at the speed of DevOps, blocking over 600 million attacks per day and 99.999% uptime SLA.
Imperva is a 7-time leader in the Gartner 2020 Magic Quadrant for WAF and holds over 100 user reviews on Gartner Peer Insights. Users praised Imperva for its DDoS protection capabilities as well as rule-based controls and signatures. Lower rated reviews noted there’s room for improvement in API security and deployment for multiple external-facing IP addresses. Imperva Cloud also received leader status in the 2020 Q1 Forrester Wave, emphasizing the cloud-based feature set for bot management, RASP, DDoS, and API security.
Read our in-depth review of Imperva WAF
Microsoft Azure WAF
The Redmond, Washington-based software giant unveiled its Azure cloud service in 2008. The Azure WAF offers Microsoft’s network of clients an easy-to-deploy solution integrated with the features of Azure Security Center. As a cloud-based WAF, Azure offers flexible, scalable pricing and a geographic expansion strategy that increases Microsoft’s DDoS mitigation bandwidth.
The Azure WAF holds an average rating of 4.5/5 stars with 82 user reviews on Gartner Peer Insights and is considered a niche player on the Gartner 2020 Magic Quadrant for WAF. For the 2020 Q1 Forrester Wave, Microsoft is considered a challenger in the WAF space.
Radware: AppWall and Cloud WAF
In our last update, we covered the Radware AppWall, and now we welcome to the stateful gathering its cloud-based counterpart, Radware Cloud WAF. The American-Israeli cybersecurity vendor continues to innovate in the WAF space, winning multiple awards over the last few years. Bot protection, ML-based API security, and out-of-path deployment are reasons Gartner named Radware a visionary in the WAF market in the Gartner 2020 Magic Quadrant for WAF.
AppWall and Cloud WAF received an average rating of 4.7/5 stars with 101 reviews on Gartner Peer Insights. For the 2020 Q1 Forrester Wave, Radware was named a strong performer, behind only Imperva and Akamai in the WAF market.
Read our in-depth review of Radware AppWall
Fastly-Signal Sciences NGWAF
New to our list, Signal Sciences was acquired by cloud enterprise Fastly in August 2020 for $775M. The San Francisco-based Fastly was started in 2011 and specializes in extending cloud infrastructures to the network edge. With Signal Sciences, they add the Next-Generation Web Application Firewall, which protects more than 40,000 applications per month and supports 100+ hybrid and multi-cloud platforms.
Featured as a market visionary in the Gartner 2020 Magic Quadrant for WAF, the Signal Sciences NGWAF tops our list on Gartner Peer Insights–with an average user review of 4.9/5 stars over 210 reviews.
SonicWall NSa NGFW
We round out our top twelve WAF vendors with a returning pick and a vendor with broad appeal among SMB and SME organizations. Since 1991, SonicWall has offered the newest network security solutions, and the Network Security appliance (NSa) remains an advanced option fit for mid-sized networks. In its latest iteration, the Gen 7 NSa NGFW is fit for the enterprise-level activity.
SonicWall promises industry-leading performance and reduced TOC, as well as comprehensive security features. More so an NGFW with WAF capabilities than the inverse, the NSa is convenient for existing SonicWall clients and offers quality application security controls akin to a standalone WAF solution.
Get an in-depth look at SonicWall NSa
Comparing Top WAF Vendors
Leaning on Gartner’s industry experience, all of our picks for top WAF vendors also received placement on the 2020 Gartner Magic Quadrant for Web Application Firewalls, except for Check Point and SonicWall. The 2020 Q1 Forrester Wave includes all top WAF selections except Check Point, Fastly-Signal Sciences, and SonicWall.
Both industry reports consider features like attack detection and response, management interface, zero-day vulnerabilities, reporting and analytics, and feedback loops. Additional differentiators for the WAF market include developing API and client-side security, integrated threat intelligence, and customer-centric process management.
Also Read: Top Breach and Attack Simulation (BAS) Vendors
eSecurityPlanet’s Methodology
We evaluated a wide range of WAF vendors across multiple data points and product features to make it easier for you to make a thorough assessment of their features, strengths, and limitations. Independent tests, user reviews, vendor information, and analyst reports were among the sources used in our analysis.
Your guide to web application firewalls (WAF)
Web application firewalls or WAFs are essential components to the security of organization networks and service-oriented architecture. Positioned on the backend near web servers and application databases, WAFs protect applications and APIs from web attacks like botnets, SQLi, and DDoS.
We look at what a web application firewall is, how it works and the features we have come to expect, and the additional details you need to make an informed buying decision.
Also Read: Database Security Best Practices
What is a WAF?
A web application firewall is a specialized firewall designed to filter and control HTTP traffic in internet traffic between web clients and application servers.
Traditional network firewalls operate at the network and transport layer with oversight of packet and data transfers. WAFs, by comparison, provide Layer 7 protection, typically sitting between a perimeter firewall and a web server or application server. Unlike its predecessor–the timeless port-connected network firewall–web application firewalls go further in offering security for applications served over the internet.
In short, WAFs close the security gap left by traditional firewalls when addressing application security.
Also Read: Application Security Vendor List for 2021
Common Web Application Attacks
Threat | Description |
Cross-site scripting(XSS) | The practice of inserting malicious code within legitimate websites for unknowing users to accidentally execute is known as cross-site scripting or XSS. The code attack launches an altered script in the web client’s browser, facilitating access for the attacker to impersonate the user. |
Buffer overflows | When data in transfer exceeds the storage capacity of a memory buffer, a buffer overflow can cause memory access errors or a crash. Attackers can exploit buffer vulnerabilities and overwrite applications’ memory resulting in a damaged database or breach of data. |
Distributed Denial of service (DDoS) | Applications serving client requests can only process so much. When overrun by requests from potentially thousands of machines, attackers can severely delay or prevent users from accessing application information. |
Session hijacking | When web clients access an application, HTTP acknowledges the browser’s access via a session cookie. Attackers can steal or phish users for their session ID and then use it to access the application. From there, the malicious actor can do anything the authorized user could do. For SSO users, session hijacking could mean access to multiple web applications. |
SQL injection (SQLi) | Application databases are central to serving web clients. Sadly, the C2C relational database language SQL is vulnerable to executing ungermane tasks. When attackers can manipulate the database language, it can breach PII, modify web content, and delete data. |
Like every other corner of cybersecurity, network administrators and malicious actors battle for technological advantage. Attacks like XSS and SQLi can be devastating to applications and can escalate privileges and move laterally through a network with the appropriate access point.
Also Read: Common IT Security Vulnerabilities – and How to Defend Against Them
WAF features
Common WAF features include:
- Monitoring, filtering, blocking, and challenging of data and access to applications
- Management dashboard for alerts and controls
- Advanced security techniques like virtual patch deployment, deception and misdirection, and honey potting
- Automated attack detection with identity and behavioral risk categorization
- Detection and attack prevention for zero-day vulnerabilities
- Threat intelligence on the most recent attacks on web applications
- Data analytics on application usage, including malicious or suspect activity
How to deploy a WAF
Web application firewalls are deployable as network appliances, cloud-based software, and host-based. While network appliances continue to be a default choice for enterprises, cloud-based WAF offerings are gaining steam.
Also Read: Top Next-Generation Firewall (NGFW) Vendors
Network Appliance WAF
Hardware-based appliances serving WAF are low-latency and live in the organization’s data center. Modules for this approach tend to be the most expensive but also offer the most customizability. In addition to requiring the appropriate space, equipment, and personnel to manage the physical equipment, maintenance costs can be a burden.
Cloud-Hosted WAF
WAF technology is now available as SaaS, offering affordability and turnkey installation. For SMBs who lack a robust IT infrastructure and enterprises solidifying their hybrid infrastructure,cloud-based WAFs are a natural fit. Like any cloud provider offering, clients inherently give up some control that a network appliance or host-based could offer in-house.
Also Read: Firewalls as a Service (FWaaS): The Future of Network Firewalls?
Host-Based WAF
Less utilized than the appliance or cloud-based WAFs, the third deployment approach embeds WAF capabilities into the application’s software. Administrators get the customizability of having a network appliance WAF while also paying less. As a component of the host application, it can be challenging to replicate implementation for other applications and can lead to added maintenance costs.
What is OWASP?
The Open Web Application Security Project (OWASP) is the predominant authority on web application security. Since 2001, the 501(c)(3) nonprofit has organized thousands of volunteers and published industry-respected guidance to inform the future of web security.
Also Read: How to Stop DDoS Attacks: 6 Tips for Fighting DDoS Attacks
OWASP Top Ten
At the mention of OWASP, most developers and infosec professionals think of theOWASP Top Ten–an industry-recognized list of the most critical risks to web applications. The list includes threats mentioned previously like XSS and SQLi and goes farther, including:
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
WAF: Compliance and Regulation
Web application firewalls work to protect an organization’s web applications as well as maintain data integrity. For these reasons, most organizations from SMB to enterprise consider solutions that ease logging and protecting critical data for compliance requirements.
Also Read: Top MDR Services
The article is an update by Sam Ingalls on May 7, 2021. The original was published by Drew Robb on January 25, 2019.