If you haven’t thought about web application firewalls (WAFs) in a while, you might think they were an anachronism, a tool of the past that modern application environments don’t bother with. You’d be wrong. While traditional WAF appliances are still popular in data centers and with legacy applications, the WAF market has evolved with the applications it protects and now offers a range of deployment models and form factors to support organizations’ hybrid and multicloud reality. Last year, as Log4Shell sent organizations scrambling, WAF vendors responded by pushing out new rules to block attacks, giving application owners time to identify and upgrade vulnerable Log4j versions.

With the release of the Forrester Now Tech: Web Application Firewalls, Q2 2022, let’s take a quick look at the range of vendors offering web application firewalls:

  • CDN-adjacent WAFs: Content delivery networks (CDNs) optimize delivery of web pages and other web content based on the geographic location of users. Many CDNs also offer security controls such as WAFs, which customers can deploy in front of a web server or, even better, at the edge of the CDN, closer to the origin of malicious traffic, which also gives web content better performance.
  • Cloud-provider-adjacent WAFs: As cloud adoption matured and applications migrated to the cloud, cloud providers offered WAFs as an add-on service. While a couple of these vendors only support applications deployed on their public cloud platform, most extend to supporting applications on-premises and in other clouds.
  • Cloud security platforms: These providers extend their security suites — which typically include cloud security posture management (CSPM), cloud workload protection, and container security — to add features like WAF. Because they’re not tied to a specific cloud provider, these solutions can easily support hybrid cloud and multicloud deployments.
  • Network-performance-adjacent WAFs: These vendors' products started as appliances that performed load balancing duties in addition to protecting applications. As applications evolved, network-performance-adjacent WAFs became virtual appliances that customers can place anywhere, including the cloud. Many of these vendors have now extended into cloud WAFs and containerized WAFs.
  • WAF specialists: These vendors focus on web asset protection and include WAFs as part of their portfolio of products; bot management and API security are common companion offerings. These vendors are also adding new form factors like containerized WAFs.

For more on the strengths and weaknesses of the different functional segments and to learn more about the many players in the WAF space, check out the Forrester Now Tech: Web Application Firewalls, Q2 2022, or reach out to set up an inquiry.