WAFs Are Failing To Protect Hyper-Connected Organizations. But Help Is On Its Way

May 14, 2019 | by Franklyn Jones


Over the last 10 years, we’ve seen the continuing growth and evolution of hyper-connected organizations.  These are the forward-leaning enterprises that have embraced the Internet to connect customers, partners, and suppliers, enabling them to adopt digitally-driven business models that can eliminate boundaries and accelerate growth.

One of the key enablers of hyper-connected organizations are the various web, mobile, and API-based applications that facilitate communications and transactions between every participant across the digital ecosystem.  Given the strategic importance of these applications, security teams are now giving top priority to protect these applications from both malicious bots and human-initiated attacks.

The most common tool in the arsenal of security teams has been the web application firewall (WAF).  Each year, hyper-connected organizations spend billions of dollars on WAFs, and back in a simpler time, the WAF worked quite well.  But attack targets have dramatically increased, and attack strategies have become very sophisticated, while WAFs themselves have seen very little innovation.  It reminds of the early years at Palo Alto Networks, when we essentially re-invented the network firewall for the same reason – a total lack of innovation in legacy firewalls.

At Cequence Security, we believe the same disruption and innovation is necessary in the WAF market.  This belief has been validated by a newly-completed WAF research project conducted with Ponemon Institute. We compiled detailed insights from 595 organizations across the US and discovered that overall WAF satisfaction was only 40%.  That’s actually pretty horrible.

Several underlying data points reveal the cause of their dissatisfaction (with my commentary added):

  • 65% of these companies have experienced application-layer attacks that bypassed their WAF in the last 12 months (Hmm, so it’s failing miserably in its primary security role.)
  • 47% of organizations don’t even expect their WAF to stop all attacks on their applications (Wait, what? Then why even have a WAF?)
  • Despite their frustrations, they spend an average $620K annually of WAF products and staffing support (OK, let me do the math: $620K gets you 40% satisfaction. Ouch!)
  • Their staff spends an average of 61 hours each week responding to alerts and writing new WAF rules. (Somehow, that doesn’t seem like a fulfilling career. No wonder we have 2M+ IT job openings.)

Bottom line – WAFs waste time and money and barely do their job well.  Hey, don’t shoot me, I’m just the messenger. But seriously, if you’re a WAF user, you need to download the entire report and hear directly from your peers.

OK, now let me close by shedding some light on the curious second sentence of this blog headline: but help is on its way.  As you know, Cequence Security has developed an award-winning application security platform, powered by a patented AI-based analytics engine. Customers love it because it actually protects their applications and their business.  On June 3, 2019, we’ll be announcing another innovative new security module that takes advantage of the power of our platform.  That’s all I’ll say for now, but if you’re a follower of Cequence Security, you’ll automatically get the full story on June 3.

Until then…

Franklyn Jones is CMO of Cequence Security.


Franklyn Jones


Franklyn Jones

Additional Resources