Firewalls Put Drag on Organizations: Report
According to a new report, organizations are frustrated that so many attacks are bypassing their web application firewalls.
Ineffective protection, time-consuming management, and high ownership costs factor into the dissatisfaction many organizations, including those in financial services, have with web application firewalls as their front-line security strategy for apps and interfaces.
The report, “The State of Web Application Firewalls,” from Ponemon Institute and Sunnyvale, Calif.-based Cequence Security, which delivers automated software solutions to protect web, mobile, and API services, showed only 40% of organizations are satisfied with their WAF.
“The research clearly reveals WAF dissatisfaction in three areas,” Dr. Larry Ponemon, chair and founder of Ponemon Institute, said. “First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they are experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.”
Franklyn Jones, CMO of Cequence Security, also said, “Intelligent automation and consolidation of application security functions are definitely two critical requirements we’re seeing regularly with our hyper-connected customers. They rely on web, mobile, and API-based applications to link customers, partners, and suppliers across their digital ecosystem. And they need an intelligent, integrated application security solution that can protect them against a broad range of sophisticated attacks.”
Among the report’s findings:
- Mobile vs API protection. Organizations are more effective at protecting mobile apps than APIs: 54% of respondents said they are very effective in protecting mobile apps, while only 38% of respondents said their effectiveness in protecting API services is very high.
- Detection versus protection. Most organizations use WAFs for attack detection: only 22% of WAFs deployed in the organizations represented in the study both detect and block attacks.
- Security. While 66% of respondent organizations consider the WAF a critically important security tool, 43% use their WAFs only to generate alerts (not to block attacks). Eighty-six percent experienced application-layer attacks that bypassed their WAF in the last 12 months.
- Administration. Managing legacy WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.
- Cost. The capital expenditure and operating expense costs associated with WAF purchase and ongoing management are significant. In total, organizations spend an average of $620,000 annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.
- Improvements. Seventy-two percent of respondents would like to see more intelligence and automation integrated into their WAF, and 74% would like to see WAF functions integrated with other application security functions into an artificial intelligence-powered software platform.
The report, completed in April 2019, included findings from 595 respondents in 16 vertical markets. The majority have offices globally; 100% of respondents are responsible for WAF deployments in their organization. They have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud. Financial services (18% of respondents), which included banking, investment management, insurance, brokerage, payments and credit cards, was the largest industry focus.