Web Application Firewalls (WAF) have been around for quite some time to protect web applications by inspecting HTTP traffic. Traditionally WAFs were used within organizations on-premises to protect both internal intranets and externally facing internet web applications. However, over time organizations have grown to depend on web applications for doing business with business partners and customers, making it business-critical to maintain and protect a web application.
Since the beginning, WAFs have protected against a list of common web attacks, such as SQL injection and cross-site scripting, using pattern-matching techniques against the HTTP traffic. However, as the list of attack types continued to grow, the Open Web Application Security Project (OWASP) provided some insight into web applications' most critical security risks to give web developers guidance on minimizing these risks. WAFs also offer protection against connection-based Distributed Denial-of-Service (DDoS) attacks that try to overwhelm or disrupt regular traffic to web-based services.
Software robots, more commonly known as bots, perform repetitive tasks and can imitate human user behaviour. Unfortunately, what started as a means to perform useful automated tasks quickly became a tool for malicious web attacks. For example, it is reported that over 30% of all online traffic is due to web bots, and roughly 25% of those bots are malicious. Some of these malicious bots even attempt to log into user accounts. Given these types of attacks, advanced WAF capabilities are needed to distinguish between automated bots and real users and to detect other abnormal activity, for example by using AI and machine learning.
The focus on Application Programming Interfaces (APIs) has been steadily growing.
The market covers the protection of APIs in multiple ways, such as API gateways and Access Management solutions, and now WAFs are also filling the gap by adding API protection, combining the two as Web Application and API Protection (WAAP) capabilities.
In light of this scenario, advanced WAF capabilities are needed to distinguish between bots and real users by detecting anomalies in navigation activities.
KuppingerCole Analysts predict that this market will reach a volume of US$3.92 billion by 2025. Steady and firm growth can be expected, as this market segment is already mature. The Compound Annual Growth Rate is estimated at 8.7%, with most of the coverage of these solutions in North America, EMEA and APAC. Other regions are lagging in WAF solution uptake, but considering the changes and progress in automation processes, this is likely to improve in the coming years.
The WAF market today has become heterogeneous with regard to deployment models. WAF solutions in today’s market are designed to offer comprehensive WAF capabilities regardless of the location of the IT environment and can support one or more environment types, such as on-premises, cloud (public, private, multi-cloud), or hybrid deployment models.
KuppingerCole Analysts is an international and independent IT-analyst organization headquartered in Europe with a presence worldwide. The company provides market sizing information and reports for the IAM, cybersecurity and digital identity markets, assuring neutral advice, extensive expertise and practical relevance.