Magic Quadrant for Web Application Firewalls June 2014


  • 8/10/2019 Magic Quadrant for Web Application Firewalls June 2014

    1/13

    Magic Quadrant for Web Application Firewalls

    17 June 2014 ID: G00259365

    Analyst(s): Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman

    VIEW SUMMARY

    The WAF market is growing quickly from a small base; it is composed of pure players, application delivery controller vendors, cloud service providers and network security vendors. Buyers should evaluate how WAFs can provide high security, minimize false positives and sustain performance.

    Market Definition/Description

    The Web application firewall (WAF) market is defined by a customer's need to protect internal and public Web applications when they are deployed locally (on-premises) or remotely (hosted, cloud or as a service). WAFs are deployed in front of Web servers to protect Web applications against hackers' attacks, to monitor access to Web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically it was the only way to perform some in-depth inspections. Other deployment modes exist, such as transparent proxy, bridge mode, or the WAF being positioned out of band (OOB) and, therefore, working on a copy of the network traffic.

    The primary WAF benefit is providing protection for custom Web applications that would otherwise go unprotected by other technologies that guard only against known exploits and prevent vulnerabilities in off-the-shelf Web application software (see "Web Application Firewalls Are Worth the Investment for Enterprises").

    WAFs also integrate with other network security technology, such as vulnerability scanners, distributed denial of service (DDoS) protection appliances, Web fraud detection and database security solutions. In addition, WAFs sometimes include performance acceleration, including content caching, and might be packaged with Web access management (WAM) modules to include authentication features, notably to provide single sign-on (SSO) for legacy or distributed Web applications.

    Gartner estimates that the WAF market grew in 2013 at a rate of approximately 30% from $259 million to $337 million, and most of the growth was driven by a handful of vendors. Demand in North America has been strong, with 45% of the total market. EMEA accounts for 29% of the market, while Asia/Pacific accounts for 26


    Source: Gartner (June 2014)


    Vendor Strengths and Cautions

    AdNovum

    Switzerland-based AdNovum is a long-established provider of application development, IT and security services. It recently started its expansion beyond this home market, and had its first successes in Singapore. AdNovum's product offering, under the cover name Nevis Security and Compliance Suite, includes WAF (nevisProxy), authentication, identity management and document signing, and was first shipped in 1997. The nevisProxy WAF is delivered as a software appliance and does not yet have third-party evaluations, but provides some features beyond signatures with support for a positive security model, URL encryption and protection against cross-site request forgery (CSRF).

    Swiss enterprise buyers in need of a combined WAM and WAF solution to protect custom applications should consider AdNovum in their competitive shortlists.

    Strengths

    AdNovum has proven experience with large financial institutions in Switzerland, and is able to quickly develop to specific customer requirements.

    Nevis Suite includes robust authentication and SSO features. Its centralized management (nevisAdmin) supports a large number of WAF instances, and is multitenancy-capable.

    AdNovum provides free licensing for test servers and unlimited flat-rate agreements for very large deals.

    Cautions

    AdNovum's WAF is one component of a software suite that serves primarily WAM purposes; consequently, the R&D investment in pure WAF development is more limited.

    AdNovum does not appear on Gartner customer shortlists for WAF outside of Switzerland.

    AdNovum lacks hardware appliance offerings that many of its competitors provide.

    Protections against SQL injection and cross-site scripting (XSS) are focused primarily on ModSecurity open-source signatures, with no complementary internal or third-party threat research.

    nevisProxy does not offer virtual patching based on the results of a vulnerability scanner, or dedicated security and compliance reports.


    Akamai

    Akamai (AKAM) is based in Cambridge, Massachusetts, and provides a leading content delivery network (CDN). Its network and security cloud services, including its WAF (Kona Site Defender), are built on top of the Akamai Intelligent Platform, its global cloud infrastructure. The Kona WAF has been available since 2009, and received significant improvement in 2013. The Kona WAF management and monitoring consoles (Luna Control Center and Security Monitor) are also delivered as Web portals.

    Akamai's WAF is delivered as a service with a monthly fee, based on performance requirements for up to 10 sites. Additional subscriptions are available to limit the extra costs in case of volumetric DDoS attack (DDoS Fee Protection), to get assistance with Web security rule updates and tuning (Rule Update Service), or to reduce the scope of PCI compliance assessment with tokenization of client credit credentials (Edge Tokenization).

    of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

    Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

    Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

    Completeness of Vision

    Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

    Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

    Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

    Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

    Business Model: The soundness and logic of the vendor's underlying business proposition.

    Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

    Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

    Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the home or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

    Page 2 sur 13Magic Quadrant for Web Application Firewalls

    23/06/2014ttp!//www"gartner"co#/tecnolog$/reprints"do%id&1'1()Q*FW+ct&14061,+st&sg"""


    In the first quarter of 2014, Akamai completed the acquisition of DDoS protection service Prolexic Technologies. Gartner analysts expect future integration between Kona and the Prolexic offering.

    The Kona WAF is a good choice for existing Akamai customers as an extension to deployed Akamai solutions, and for large public websites looking for simple WAF deployment.

    Strengths

    Gartner clients cite the combination of DDoS protection and Web application security as a differentiator when comparing Akamai with most competitors.

    Akamai leverages its visibility into a substantial share of Internet traffic to tune security signatures in order to avoid false alerts and improve detection, with multiple steps for anomaly detection that feed a scoring mechanism.

    Akamai's subscription model makes it easy for enterprises to purchase and enable Web application security. This is especially true for existing Akamai CDN clients, and for owners of very large hosted Web applications.

    The transparency and professionalism demonstrated in Akamai's reaction to the recent Heartbleed vulnerability inspires trust in its ability to handle security-related challenges.

    Cautions

    Akamai's WAF is available as a cloud service only. Akamai does not provide an on-premises appliance option that many of its competitors offer to protect internal applications, or to maintain Secure Sockets Layer (SSL) secrets on the client's corporate network.

    Akamai lacks lower-price WAF subscriptions to reach smaller enterprises and midsize organizations.

    Kona Site Defender security still relies primarily on signatures and reputation scoring. It lags behind competitors in other capabilities, such as an automatic learning engine and the degree of custom configuration of Web application behavior.

    Akamai is growing the customer base for its WAF offering mainly from existing clients of other cloud services in the U.S., but Gartner does not see the vendor winning deals on Web application security needs.


    Barracuda Networks

    Barracuda Networks (CUDA), which is based in Campbell, California, provides a wide variety of information security and storage products that are largely targeted at small or midsize businesses (SMBs). Barracuda offers its Web Application Firewall line in a variety of form factors, including as a physical or virtual appliance, and also as a cloud-based service that can be deployed on the Microsoft Azure and Amazon Web Services (AWS) cloud platforms.

    SMB buyers and resource-strapped security teams that require a low-cost solution and attentive vendor support should consider this product.

    Strengths

    Barracuda's WAF provides strong IP reputation, cookie protection and client fingerprinting capabilities. It also combines embedded authentication features and integration with several third-party authentication solutions.

    Barracuda has a broad range of hardware appliances to support a wide variety of scalability and performance requirements, especially for SMBs; it is also one of the only vendors to offer a WAF on the Microsoft Azure platform.

    Barracuda customers rate its geographically distributed support capabilities quite highly.

    Barracuda offers a wide range of foreign language support in its management interface, including Mandarin, Cantonese and Korean.

    Cautions

    Barracuda's WAF lags behind its leading competitors in enterprise-level automation. It integrates with a low number of established vulnerability scanners for virtual patching, and the scanning results must be imported manually. Automatic learning capabilities are disabled by default.

    Customers note that the management graphical user interface (GUI) looks a bit dated, which can make it difficult to use in some situations.

    Barracuda heavily relies on a relatively small set of generic signatures to protect against XSS and SQL injection.


    BeeWare

    France-based BeeWare has been marketing its technologies since 2003. Its products, which include WAF, Web services firewall and WAM, have been integrated into its i-Suite platform, which can be deployed as a physical or virtual appliance. The i-Suite solution also offers ADC features, such as load balancing, content caching, compression and traffic rewriting. BeeWare is one of the smaller vendors in the WAF space, and predominantly sells its WAF to the French market. In May 2014, it was acquired by DenyAll.

    Midsize and large French enterprises in financial, government and manufacturing sectors that have WAF and authentication needs should consider BeeWare on their shortlists, but also take into account the acquisition by DenyAll.

    Strengths

    BeeWare offers an i-Suite version for the protection of applications hosted on AWS, Microsoft Azure and other clouds (although deployment of this WAF cloud version is very low).

    Its i-Suite has strong protection for Web services and SSO features.

    BeeWare's WAF flow-based policy management interface may be attractive to customers that like an event-based graphical representation of a security policy.

    Cautions


    BeeWare's revenue and growth are low and lag behind most players in the WAF market.

    It has low visibility and does not appear on Gartner customer shortlists outside France.

    Its technology has limited anti-evasion techniques. It offers only generic SQL injection (SQLi) and XSS protection capabilities.

    Its non-Web Java client GUI, although graphical and rich, is not in line with the general trend of Web-based GUIs.

    Its WAF has integration with only one DAST vendor, Qualys, and with only two SIEM vendors, Splunk and RSA, The Security Division of EMC.


    Citrix

    U.S.-based Citrix (CTXS) is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions. Citrix has offered WAF functionality (NetScaler AppFirewall) for more than a decade as a software option, or included in the Premium bundle of the NetScaler Application Delivery Controller suite. The Citrix hardware appliance product line (NetScaler MPX) can also run a license-restricted version of the full NetScaler software to act as a stand-alone WAF. In addition, Citrix provides virtual appliances (NetScaler VPX). The NetScaler SDX platform allows several instances of Citrix solutions, including ADC and NetScaler AppFirewall software in a single hardware appliance. NetScaler can also be bundled in Citrix Mobile Workspace offerings.

    Citrix NetScaler AppFirewall is a good choice for large enterprise clients that are looking for an easy way to add WAF functionalities to their existing Citrix infrastructures.

    Strengths

    NetScaler AppFirewall includes mature features for Web security, and can be bundled with SSL VPNs for remote access of internal applications.

    Citrix NetScaler's ability to scale appeals to large organizations, especially when massive SSL offloading is required.

    Citrix has a compelling ecosystem of partnerships with third-party solutions.

    Citrix offers an extensive range of hardware (MPX/SDX) and virtual (VPX) appliances.

    Cautions

    Like most ADC vendors, Citrix primarily targets enterprise clients with ADC solutions and does not focus its efforts on pure-play security use cases.

    Despite good visibility historically, Citrix recently has appeared less often on client shortlists than its direct competitors have.

    Citrix NetScaler's physical appliance price tag starts at $15,000 and lacks a price-competitive WAF offering for midsize organizations. Citrix's virtual appliance and NetScaler on AWS might offer less expensive alternatives.

    Citrix does not offer or collaborate with cloud-based DDoS protection services.

    Gartner does not see Citrix's WAF displacing the competition based on its security capabilities, but rather sees it as an accompanying sale for ADC placements.


    DBAPPSecurity

    DBAPPSecurity, which is headquartered in Hangzhou, China, is a vendor of Web application and database security solutions. Its product offering includes a WAF (DAS-WAF) that was first released in 2007. DBAPPSecurity also provides a Web application vulnerability scanner (DAS-WebScan) and database audit platform (DAS-DBAuditor) that can collaborate with its WAF product.

    DBAPPSecurity is a good shortlist candidate in China for SMBs and large enterprises in financial and government sectors.

    Strengths

    DBAPPSecurity has a firm base of faithful clients in China that praise the benefits of having a Chinese provider. Those benefits include good resident support and local certifications.

    DAS-WAF includes automatic policy learning and Web application caching, and it can operate in transparent proxy or monitoring mode.

    Of all the vendors evaluated in this Magic Quadrant, DBAPPSecurity offers the lowest support cost relative to the WAF appliance price.

    Cautions

    DBAPPSecurity lags behind several competitors' WAFs in areas such as role-based management, detailed activity reports and authentication features.

    DBAPPSecurity has very limited market visibility and does not appear on Gartner customers' WAF shortlists outside of China.

    DBAPPSecurity's recent strategic focus moved toward its security scanners, and the DAS-WAF is not promoted on the international version of the vendor's corporate website.


    DenyAll

    DenyAll is based in France and has marketed its WAF technology (rWeb) since 2001. Later, it added sProxy (a plug-in to rWeb with predefined policies for email, SharePoint and SAP) and rXML (a Web services firewall). DenyAll's rWeb WAF product was developed to secure HTTP(s), SOAP and XML traffic, and is currently available as a tool that is predominantly installed on enterprise's premises. Its technology can be deployed as software or appliance (physical or virtual). DenyAll is in the process of developing and testing its WAF cloud offering, and rWeb is already available via AWS and Microsoft Azure.

    DenyAll mostly focuses on the French market, and then on the European market, where it primarily targets midsize and large enterprises in financial and government sectors. It is a relatively small vendor in the WAF market, but is able to sustain a focus on technology innovation. In May 2014, DenyAll announced the acquisition of WAF vendor BeeWare.

    European organizations that are looking for high security first should consider adding DenyAll to their shortlists.

    Strengths

    DenyAll's technology includes several advanced protection techniques, including JavaScript Object Notation (JSON) traffic analysis/protection, code leakage detection and a browser lightweight agent.

    It also offers a comprehensive list of anti-evasion techniques and a scoring list feature (a weighted scoring approach in addition to signatures) for protection against attacks, such as SQLi and XSS.

    The WAF technology combines security detection/protection features with caching, load balancing and high availability (with active-passive and active-active modes) features.

    DenyAll enables correlation between its WAF and DAST to increase the accuracy of detection and protection.

    The DenyAll rWeb offering is available via AWS to support Web protection for AWS-specific infrastructure-as-a-service customer deployments.

    Cautions

    DenyAll mainly focuses on French and EU markets, which limit its visibility and adoption in other geographies.

    The acquisition of BeeWare will be a big challenge for DenyAll in the next 12 months. It could divert DenyAll from executing on its road map, but maintaining two product lines for too long would annihilate much of the benefits from the increased R&D size.

    Its revenue and growth are low compared with the Leaders, Challengers and even some Niche Players in this Magic Quadrant.

    It has certified integration with only one SIEM vendor, Splunk, and does not have integration with reputation vendors' technologies.

    DenyAll's WAF correlation process between WAF and DAST mainly focuses on WAF integration with its own DAST, but not DAST from other application security testing vendors.


    Ergon Informatik

    Ergon Informatik, which is headquartered in Zürich, has been shipping its WAF technology (Airlock) for more than 15 years. Ergon also develops other software solutions, including an authentication platform (Medusa) and mobile payment solutions. The Airlock WAF can be deployed as a reverse proxy, is available as a software and virtual appliance, and can run on Amazon Elastic Compute Cloud (EC2). Its pricing is primarily based on the number of protected Web applications and additional modules, such as SSL VPNs, XML security or graphical reports, which are available for an additional one-time fee. Airlock 5, which was released in January 2014, introduced a major operating system change and the full integration of an identity and access management (IAM) solution. Ergon will continue to support the previous versions of Airlock for 18 months.

    Ergon's Airlock is a good contender for European organizations' WAF projects, especially large banking and insurance enterprises from the DACH countries (Germany, Austria and Switzerland) and the Middle East region that have access management needs.

    Strengths

    Airlock includes extensive techniques for Web application parameters, with URL encryption, various cookie protections (including a cookie store) and form parameter integrity checks.

    Airlock's integration of a full IAM solution adds comprehensive authentication and SSO features.

    Ergon gets good marks from users for its security expertise, the efficiency of its support, and its understanding of the needs and constraints of large financial institutions.

    Cautions

    Airlock does not offer centralized management, automatic Web application behavior learning or automated security signature updates, and it does not integrate with vulnerability scanners for virtual patching.

    Airlock lacks hardware appliance models. Instead, Ergon provides multiple ways to facilitate the installation of the software appliance.

    For SIEM integration, Airlock provides only a Splunk App, but Ergon reports that its customers have integrated with other SIEM technologies.

    Airlock has very low visibility in Gartner's customer base.


    F5

    Seattle-headquartered F5 (FFIV) is an application infrastructure vendor that is focused on ADCs. The primary WAF offering is a software module for the F5 Big-IP ADC: the Application Security Manager (ASM). Other F5 security modules include the network firewall Advanced Firewall Manager (AFM) and the WAM Access Policy Manager (APM) module. ASM is also available on the virtual edition of Big-IP. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF).

    F5 is a good shortlist candidate, especially for large organizations that own or are considering ADC technology.

    Strengths

    As a leading ADC vendor with a large installed base of clients, F5 leverages the scalability of its ADC Big-IP platforms and the strength of its ADC sales as the entry point for add-on WAF licenses.

    F5's WAF is an easy upgrade for existing F5 clients.

    F5's corporate teams and channels provide logistic capabilities and support that are larger and have more geographic coverage than many WAF vendors.


    ASM utilizes the same management software that is familiar to F5 administrators. iRules scripting

    enables the creation of custom policies that complement the predefined rule sets.

    F5 has been active in adding new WAF features, and messaging well on overall security.

    Cautions

    Like other ADC-based WAFs, F5's WAF buyers must also select or have selected the accompanying ADC in reverse proxy mode. This might place F5 at a potential disadvantage versus pure-play WAFs.

    F5 does not have an as-a-service option, and its on-premises appliance line lacks low-end appliances. Its acquisition of Defense.Net in May 2014 could lead to future integration.

    Some Gartner clients have commented that ASM support can be challenging until escalated.


    Fortinet

    Based in California, Fortinet (FTNT) is a significant network security and network infrastructure vendor. It started as a unified threat management vendor in 2000. It later expanded its portfolio to include multiple security offerings, including a WAF (FortiWeb, released in --4), an ADC (FortiADC) and a database protection platform (FortiDB). The vendor remains most well-known for its FortiGate firewall product line, and it keeps adding new products, such as the recent sandboxing appliance FortiSandbox.

    FortiWeb provides multiple deployment options with a physical or virtual appliance (FortiWeb-VM), and acts as a reverse/transparent proxy or not in-line. It is also available on AWS. FortiWeb can be purchased with individual software options that can be bundled together for better overall costs. Subscriptions include IP reputation, antivirus and security signature updates.

    Fortinet's existing customers and midsize organizations should include Fortinet's WAF in their competitive assessments.

    Strengths

    FortiWeb includes an integrated vulnerability scanner, OOB deployments and predefined reports that clients seeking PCI compliance score positively.

    FortiWeb has a good set of features, including recently released automatic policy learning, cookie signing, SSL acceleration, Web application caching and bot detection.

    The security expertise offered through Fortinet's FortiGuard threat labs and the competitive price/performance points are often cited as differentiators by Fortinet's clients.

    Gartner sees FortiWeb doing best in selections from midsize businesses.

    Cautions

    Fortinet does not offer WAF functionalities on top of its ADC and does not provide WAF as a cloud service.

    Despite a considerable sales channel, Fortinet's revenue in the WAF market is low compared with most other vendors. Enterprises should carefully assess the experience of its partners, because FortiWeb may be a new or unknown solution.

    FortiWeb has limited integration with other Fortinet solutions, thereby limiting the benefits for existing Fortinet customers to a common log reporting solution (FortiReporter).

    Gartner does not see the Fortinet WAF appearing on enterprise shortlists where security is highly weighted.


    Imperva

    California-headquartered Imperva (IMPV) is a data center security vendor with a long WAF legacy. Other Imperva products are focused on data and security, including products for database audit and protection as well as file activity monitoring. Early on, Imperva positioned itself primarily as a transparent bridge deployment. This aligned Imperva with enterprises, because deployments could more easily be made behind ADCs without introducing a second proxy, and "try before you buy" was easier with the transparent yet in-line mode. As most pure-play competitors were acquired or disappeared, Imperva continued to grow its share of the WAF market. Incapsula is the Imperva-owned, off-premises or as-a-service WAF that is bundled with other services, including DDoS mitigation.

    Gartner sees a good attach rate level for Imperva's WAF with its database security offering. Imperva has a good third-party ecosystem, which includes data loss prevention, anti-fraud, SIEM and vulnerability scanners.

    Imperva is a good shortlist contender for organizations of all sizes, especially those with high security requirements or those looking for an easy-to-deploy, cloud-based WAF.

    Strengths

    Gartner sees Imperva consistently scoring very high and/or winning competitive assessments done by Gartner clients when security, reporting and protection are the most weighted criteria. Postsale, Gartner client commentaries usually are also very positive.

    Imperva has continually led the WAF market in new features that forced competitors to react; it also includes several advanced techniques for better efficiency of protection that its competitors lack. Thus, it is a good shortlist contender when protection is foremost and having a different vendor for WAFs and ADCs is an acceptable scenario.

    Imperva has consistently and effectively messaged on and delivered WAF features in response to changes in the data center and the application threat landscape.


    As a premium enterprise product, Imperva SecureSphere is usually too advanced for SMBs, or for projects where the WAF is being deployed only as a "check the box" measure to meet compliance requirements.

    Some Gartner clients express concerns about Imperva's ability to maintain its security leadership because of the challenges it faces as a public company that is focused on a narrow market, but is still not profitable, versus larger data center infrastructure players.


    NSFOCUS

    +SF8$?Sis a networ" securit vendor head*uartered in 1ei=ing. )t started in --- as a provider of ananti%##oS solution 2A#S Series3, and then introduced new product lines for intrusion prevention 2+)7S

    Series3 and a vulnerabilit scanner 2RSAS Series3. +SF8$?S&s WAF 2WAF Series3 offering was first

    released in --@. )t is delivered as a phsical appliance and can perform in reverse or transparent

    pro' mode. +SF8$?S also offers centralized management software 29nterprise Securit Manager3

    along with managed services for WAF. )n anuar -/, it announced an initial public offering 2)783 to

    accelerate its internationalization and launch new products.

    +SF8$?S&s WAF is a good shortlist candidate SM1s and larger organizations in $hina. 1uers from

    other regions should first verif local channel and support presence.

    Strengths

    NSFOCUS has a larger R&D and support team dedicated to WAF than many other Niche Players.

    Clients selecting NSFOCUS WAF often report competitive price/performance as being a decisive factor.

    The WAF can redirect incoming Web traffic to NSFOCUS's anti-DDoS cloud service when congestion is detected, and then switch back to normal.

    The WAF has a good mix of local and global product certification, including ICSA WAF certification.

    Cautions

    NSFOCUS's WAF lags in some enterprise-class features, such as limited role-based management, active-active clusters restricted to two appliances, and no SSL acceleration or hardware security module (

    Among other deployment scenarios, AppWall can be deployed in transparent bridge mode while providing reverse proxy capabilities to specific traffic. Combined with automatic policy learning, this enables AppWall to be deployed easily, with no configuration changes to the network.

    Radware has announced software-defined networking partnerships with IBM, Cisco and NEC.

    Radware's WAF console includes strong service-provider-focused multitenancy capabilities, and integrates authentication and SSO modules.

    Radware has executed well on its road map for the past two years.

    AppWall is attractive to budget-constrained midsize organizations.

    Cautions

    No reporting is available without the additional Radware APSolute Vision Reporter, which adds cost and complexity for organizations using a SIEM solution, or for those unwilling to invest specifically in a fully fledged reporting solution.

    AppWall lacks integration with third-party dynamic vulnerability scanners and database monitoring solutions.

    Radware has been slow to integrate AppWall as a module with Radware Alteon ADC (it was added in June 2014), thereby putting the vendor at a competitive disadvantage with fully integrated ADC/WAF competitors.

    Radware's market share is still lower than its direct competitors.

    Trustwave

    Based in Chicago, Trustwave (TWA) provides managed services around its comprehensive portfolio of network security solutions. The Trustwave WAF (formerly WebDefend) was first available in 2006 as a physical appliance (T Series), and then in 2013 as a virtual appliance (V Series) for VMware hypervisors. Trustwave also provides managed services for its WAF offering. Trustwave's WAF works with other solutions from the vendor, including the SIEM and vulnerability scanner. Trustwave also supports the open-source ModSecurity WAF, and provides a commercial signature package that is maintained by SpiderLabs, its threat research team.

    Trustwave is a good choice for organizations in North America that are seeking PCI compliance.

    Strengths

    Trustwave's support of ModSecurity gives its threat research team access to feedback from a large community, which is useful for improving the quality of its WAF.

    In addition to in-line deployment methods, Trustwave's WAF offers a well-crafted OOB deployment mode, with multiple types of blocking capabilities and the ability to decrypt SSL connections using a copy of the network traffic.

    Trustwave recently acquired two companies that could contribute to tight integration with Trustwave's WAF in the future: Application Security, which provides database monitoring, and Cenzic (with its

    The WAF does not provide integration with vulnerability scanners or SIEM, with the exception of a Splunk App.

    United Security Providers does not appear on Gartner competitive shortlists for WAF, and it has one of the smallest R&D teams dedicated to WAF development.

    Vendors Added and Dropped

    We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

    Added

    This is the first Magic Quadrant for the WAF market.

    Dropped

    This is the first Magic Quadrant for the WAF market.

    Inclusion and Exclusion Criteria

    WAF vendors that meet Gartner's market definition/description are considered for this Magic Quadrant under the following conditions:

    Their offerings can protect applications running on different types of Web servers.

    Their WAF technology is known to be approved by Qualified Security Assessors as a solution for PCI Data Security Standard (DSS) Requirement 6.6 (which covers Open Web Application Security Project [OWASP] Top 10 threats, in addition to others).

    They provide physical, virtual or software appliances, or cloud instances.

    Their WAFs were generally available as of January 2013.

    Their WAFs demonstrate features/scale that is relevant to enterprise-class organizations.

    They have achieved $3 million in revenue from the sale of WAF technology.

    Gartner has determined that they are significant players in the market due to market presence or technology innovation.

    WAF companies that were not included in this report may have been excluded for one or more of the following reasons:

    The company primarily has a network firewall or IPS with a non-enterprise-class WAF.

    The company has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.

    The company is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and Internet service providers that provide managed services. We assess the breadth of OEM partners as part of the WAF evaluation and do not rate platform providers separately.

    The company has a host-based WAF or API security gateway (these are considered distinct markets).

    In addition to the vendors included in this report, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels, including: A10 Networks, Alert Logic, CloudFlare, Positive Technologies, Qualys, Riverbed, Sangfor, Sucuri, Venustech and Verizon.

    The different markets focusing on Web application security continue to be highly innovative. The vendors included in this Magic Quadrant participate, as do others that are not included. These vendors take part in Web application security, but often focus on specific market needs, or take an alternative approach to Web application security. Examples include Juniper Networks (with its WebApp Secure product), Foresight Security and Shape Security.

    Evaluation Criteria

    Ability to Execute

    Product or Service: This includes the core WAF technology offered by the technology provider that competes in/serves the defined market. This also includes current product or service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships, as defined in the Market Definition/Description section. Strong execution means that a vendor has demonstrated to Gartner that its products or services are successfully and continually deployed in enterprises. Execution is not primarily about company size or market share, although these factors can considerably affect a company's ability to execute. Some key features are weighted heavily, such as the ability to support complex deployments for on-premises or cloud-hosted public and internal applications with real-time transaction demands.

    Overall Viability: This includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue to invest in WAF, offer WAF products, and advance the state of the art within the organization's portfolio of products.

    Sales Execution/Pricing: This is the technology provider's capabilities in all presales activities and the structure that supports them. It includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. It also includes deal size, as well as the use of the product or service in large enterprises with critical public Web applications, such as banking applications or e-commerce. Low pricing will not guarantee high execution or client interest. Buyers want good results more than they want bargains.

    Market Responsiveness/Record: This is the ability to respond, change direction, be flexible, and achieve competitive success as opportunities develop, competitors act, and security trends and customer needs evolve. A vendor's responsiveness to new or updated Web application frameworks and standards, as well as its ability to adapt to market dynamics, changes (such as the relative importance of PCI compliance). This criterion also considers the provider's history of releases, but weights its responsiveness during the most recent product life cycle higher.

    Marketing Execution: This is the clarity, quality, creativity, and efficacy of programs that are designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in buyers' minds. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word of mouth and sales activities.

    Customer Experience: This is the relationships, products and services/programs that enable clients to be successful with the products that are evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

    Operations: This is the organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems, and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

    Table 1. Ability to Execute Evaluation Criteria

    Evaluation Criteria            Weighting

    Product or Service

    either directly or through partners, channels and subsidiaries as appropriate for those

    geographies and markets.

    Table 2. Completeness of Vision Evaluation Criteria

    Evaluation Criteria            Weighting
    Market Understanding           High
    Marketing Strategy             Medium
    Sales Strategy                 Low
    Offering (Product) Strategy    High
    Business Model                 Medium
    Vertical/Industry Strategy     Not rated
    Innovation                     High
    Geographic Strategy            Medium

    Source: Gartner (June 2014)

    Quadrant Descriptions

    Leaders

    The Leaders quadrant contains vendors that have the ability to shape the market by introducing additional capabilities in their offerings, by raising awareness of the importance of those features and by being the first to do so. They also meet the enterprise requirements for the different use cases of Web application security.

    We expect Leaders to have strong market share and steady growth. Key capabilities for Leaders in the WAF market are to ensure higher security and smooth integration in the Web application environment. They also include advanced Web application behavior learning; a superior ability to block common threats (such as SQLi, XSS and CSRF), protect custom Web applications and avoid evasion techniques; and also strong deployment, management, real-time monitoring, and extensive reporting. In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements.

    Challengers

    Challengers in this market are vendors that have achieved a sound customer base, but they are not leading on security features. Many Challengers leverage existing clients from other markets to sell their WAF technology, rather than competing on products to win deals. A Challenger may also be well-positioned and have good market share in a specific segment of the WAF market, but does not address (and may not be interested in addressing) the entire market.

    Visionaries

    The Visionaries quadrant is composed of vendors that have provided key innovative elements to answer Web application security concerns. However, they lack the capability to influence a large portion of the market; they haven't expanded their sales and support capabilities on a global basis; or they lack the funding to execute with the same capabilities as vendors in the Leaders and Challengers quadrants. Visionaries quadrant vendors also have a smaller presence in the WAF market, as measured by installed base, revenue size or growth, or by smaller overall company size or long-term viability.

    Niche Players

    The Niche Players quadrant is composed primarily of smaller vendors that provide WAF technology that is a good match for specific WAF use cases (such as PCI compliance), or that have a limited geographic reach. The WAF market includes several European and Asian vendors that serve clients in their regions well with local support and an ability to quickly adapt their road maps to specific needs; however, they do not sell outside their home countries or regions. Many Niche Players, even when making large products, offer features that would suit only SMB and smaller enterprises' needs.

    Vendors in this quadrant may also have a small installed base or be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investments or capabilities, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on a vendor's value in the more narrowly focused service spectrum.

    Context

    Gartner generally recommends that client organizations consider products from vendors in every quadrant of this Magic Quadrant, based on their specific functional and operational requirements. This is especially true for the WAF market, which includes a large number of relatively small vendors, or larger vendors but with a small share of their revenue coming from their WAF offerings. Product selection decisions should be driven by organization-specific requirements in areas such as deployment constraints and scale, the relative importance of compliance, the characteristics and risk exposures of business-critical and custom Web applications, and also the vendor's local support and market understanding.

    Security managers who are considering WAF deployments should first define their deployment constraints, especially

    Market Overview

    Despite recent acceleration in adoption of the technology, many organizations have not yet deployed WAFs. That's especially true outside the North America region, where a majority of WAF sales target new clients, even if this varies based on the vertical industry. Large financial and e-commerce organizations already have a high adoption rate. WAF technology is also strongly implemented in government, especially in the Asia/Pacific region. Other vertical industries and a large portion of the European market often lack awareness of their need for WAF technology, which leaves good potential for future growth.

    The WAF market includes different categories of vendors. In 2013, dedicated WAF offerings from pure players and network security vendors dominated the market with more than 50% of the WAF revenue. Large ADC vendors that were the first to add WAF capabilities have good market shares, leveraging their existing client base. They offer lower costs than dedicated technology, and emphasize easy integration and high performance to win WAF deals. Various CDN and anti-DDoS cloud providers now offer WAF subscriptions, growing quickly and from a small base.

    Open-source module ModSecurity and the more recently released IronBee are also considered cost-effective competition for commercial WAFs.

    Compliance Is Not the Primary Motivation for WAF Adoption, but It Remains Prevalent

    In 2008, the PCI Security Standards Council released the PCI DSS Version 1.2 with an updated Requirement 6.6, which allowed WAFs as a viable alternative to Web application vulnerability assessments, and marked the beginning of a second stage in the evolution of the WAF market.1 The PCI requirement was the root cause of many new WAF projects, thereby helping the WAF market to expand beyond niche use cases, especially in financial and banking organizations. It also convinced a lot of new ADC and network security vendors to add WAFs to their portfolios. Today, WAFs often protect more than public Web applications. For example, they might also be deployed in front of a mix of internal application and Web services. PCI and other compliance are still mentioned as the primary reasons for WAF purchases in 25% to 30% of inquiries with Gartner clients, especially in midsize organizations and smaller enterprises.

    WAFs Will Continue to Integrate, Absorb and Be Integrated in Adjacent Technologies

    WAFs integrate with several other technologies, including vulnerability scanners, database monitoring, Web fraud detection and DDoS protection. Gartner expects tighter integration or even inclusion for some of these technologies. Some WAFs already provide integrated vulnerability scanners in addition to integration with third-party vendors. Other WAFs use code injection and fingerprinting to gain knowledge about user behaviors that could lead them to include many of the features that currently fall under the Web fraud detection category.

    Conversely, other technologies (such as network firewalls, IPSs, ADCs and cloud services for DDoS protection) integrate WAF modules in their offerings. While the offer from network firewalls and IPSs doesn't yet compare with WAFs, ADCs and cloud services are serious competitors.

    Historically, WAFs have been leading in the protection against denial-of-service attacks, relying on vulnerabilities in the network and application stacks. In enterprises, with the growing presence of next-generation firewalls that include protections against network DDoS, and with the availability of dedicated appliances and services for DDoS protection, the relevance of DDoS features in WAFs is limited to DDoS attacks at the application layer. However, some network security vendors that offer DDoS protection and WAFs highlight collaboration between both technologies for better protection. Dedicated DDoS protection, WAFs and next-generation firewall technologies overlap for protocol attacks, provide very limited synergies and are not fully efficient against volumetric attacks.

    Gartner believes that successful collaborations will happen between WAFs and cloud-based DDoS protection services, but that other partnerships will remain limited to niche use cases.

    The Ability to Scale Is the Key to WAF's Market Future

    Gartner already sees Type A organizations (see Note 1) with mature risk evaluation methodologies adopting WAFs for their public and internal Web applications, even when there are no compliance constraints.

    Now, if WAF vendors want to sustain their growth in the future, they need to reach not only Type B and Type C enterprises, but also upper midsize organizations. The ability of WAF technologies to scale down for these organizations and adapt their offerings to SMB needs through ease of use, competitive pricing, and good channel support is challenging. Organizations that handle very large public Web applications will also require better automation during the staging as well as optimized operational costs, with larger appliances replacing complex cluster architectures. In addition, security for mobile Web applications, cloud hosting and cloud services implies new security measures and an alternative deployment setup that could impact how the WAF market evolves in the future.

    The WAF market is in early mainstream phase, on the eve of the most critical period in its recent history; however, the overall dynamic is good, fed by steady growth of the number and size of Web applications, as well as by new, unexplored areas, such as the security of management servers for industrial control systems (ICSs) and mobile Web applications. Gartner estimates that the compound annual growth rate through 2017 will be in the range of 20%, but with increasing discrepancies between vendors and the growing importance of WAF delivered as an off-premises (hosted) virtual appliance, or as a cloud service.

    Successful WAF vendors will manage to