Gartner's 2015 Magic Quadrant estimates, global Web application firewall (WAF) market valuation of $ 420 million, an increase of 24%, WAF has become the most popular Web application of preventive and detection of security controls.

You must have
Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6 Version 3.1 is recommended, WAF can be deployed as a substitute for vulnerability scanning. The International Information Systems Audit and Control Association (ISACA) of development and operation practitioners considerations, including the WAF into the company to reduce expenses increased 10 housekeeper security controls flexibility needed to consider them.

Today, many medium-sized companies offer a variety of WAF solutions, usually packaged DDoS protection, content distribution network (CDN), Application Delivery Controller (ADC) and other related services provided together. Amazon Web Services (AWS) has recently launched its own WAF.

Gartner predicts that by 2020, more than 60 percent of public Web applications will WAF protection. However, in 2015, Gartner only one vendor Imperva As the industry leader, the two companies DenyAll and Positive Technologies as visionaries, included WAF Magic Quadrant diagram. All other manufacturers, either as a specific area by, or is the challenger. More WAF vendors did not meet inclusion criteria because, did not even show his face in the Magic Quadrant diagram.

The question is
Last year, security researcher Marcin Ahmed published a technical white paper, indicating cross-site scripting attacks almost all popular WAF vendors (XSS) protection can be circumvented. Before declaring its closed and open vulnerability reward program, XSSPosed almost all new XSS vulnerabilities announced every day in large sites (including Amazon), these are almost every witness mentioned Magic Quadrant WAF on how to be bypassed security researcher great resource. Application of Self-Protection (RASP) emerging runtime, also can be used to deal with a similar method of WAF circumvented.

Information security company High-Tech Bridge, recently released a study on the white label of the open source WAF ModSecurity called, showing the WAF can be used to repair such as improper access control or session fixation This complex vulnerability.

Unfortunately, many commercial vendors can not even provide half ModSecurity technical capacity and flexibility to implement virtual patch.

However, the High-Tech Bridge's study also pointed out that, ModSecurity Open Web Application Security (OWASP) Core Rule Set (CRS), in the default configuration can also be bypassed, and create custom rule sets can be very complicated and time consuming.

Five Reasons
Why Today's WAF protection is often not up to expectations, there are five main reasons:
1. Deploy negligence, lack of skills, as well as risk mitigation priority differences.
Many companies simply do not have enough technical personnel to perform routine maintenance and support WAF configuration. This is not surprising, but they ended the WAF detection mode (not blocking anything), or even view the log.
2. only for compliance before deployment.
SMEs are often due to meet the compliance requirements before installation WAF. They do not care about the actual security, and obviously does not care about WAF maintenance issues.
3. Web application development is too fast too many types.
Today, almost every company has an internal or custom Web applications written in different programming languages, frameworks and platform development. Situation CGI scripts in the 1990s with the use of third-party API and Web services AJAXWeb complex applications are not uncommon. In addition, Web developers to upgrade almost every day to update their applications to fit business needs. Obviously, such a dynamic and diverse environment, even the best WAF plus most capable engineers, it is difficult to protect comprehensive.
4. The business priorities pressure over network security.
WAF case mistakenly blocked legitimate site users is almost impossible to avoid. Typically, after the first case of a customer service due to inability to enjoy anger and switch to competitors' event management into sight, WAF will definitely be set to detect not only the mode of operation (at least until the next assessment of the quality system audit).
5. inability to Protect Advanced Web attacks.
From the design, WAF application logic can not protect against unknown vulnerabilities, or the need for application business logic with a thorough understanding of the vulnerability. Few innovators try to use a combination of IP reputation, machine learning and behavior detection whitelist incremental set of rules of protection of such vulnerability. These things need to go through a complex and lengthy learning period, but not so reliable.

Difficult to replace

Deploy and maintain a WAF in the enterprise remains a very complex safety control measures. But WAF Web applications may also be the only preventive security control, can significantly reduce the risk of Web exploits. A well-configured WAF, even in very dynamic and complex environment, but also protects against the most common live Web exploits (such as XSS and SQL injection). Also, if for some reason was unable to repair the vulnerabilities of Web application source code, or you can not apply vendor patches published, WAF virtual patch can also act as a straw.

Nevertheless, it can not respond to Web attacks WAF as a panacea, it should always be complemented by other security controls, such as vulnerability scanning, developer security training, and continuous monitoring.

In today's interconnected digital world, cyber attacks have become the new normal. No so-called magic bullet, but there is no cure silver bullet. Network security is a journey, starting at identifying key risks and important asset, and then between technology, processes and people manage to find the right combination.

Finally, although not enough to cope with the complexity of modern Web application security vulnerabilities, WAF is still the company's internal controls necessary security measures.