Web Application Firewall Use in the Global 2000 Part 2

Web Application Firewall Use in the Global 2000 Part 2

Integration, Labor and Maintenance, and Perceived Value

Web application firewalls (WAF) are a growing segment of the security market. In 2016, NSS Labs conducted an independent study to gain insight into enterprise WAF deployment, integration, labor and maintenance, and perceived value. In this study, 128 cybersecurity officers (n=128) from Global 2000 companies that actively deploy WAFs and that are headquartered in North America participated in an online survey. In Part 1 of this blog, we reported our results on WAF deployment methods and HTTP/2. In Part 2, we discuss our findings on WAF integration, labor and maintenance, and perceived value. 

Key Findings:

  • 40% of respondents believe their WAFs integrate moderately well into their security architecture, and 39% believe their WAFs integrate very well
  • On average, respondents view WAFs favorably in terms of security, performance, value, and usability, though data suggests there is room for improvement 
  • 61% of respondents feel that WAF products require a moderate amount of labor to administer and maintain, while 20% indicated that WAFs require a lot of labor


For enterprises deciding whether or not to deploy a WAF, a key factor in the decision is how well the product integrates with their environment. Several factors can affect integration, including form factor (inline or cloud-based), the extent of the required changes to enterprise web application code, how the product handles SSL traffic, and so on. In our survey, we asked respondents to rate how well WAFs integrate into their security architectures. Results were favorable, with 39% and 40% of respondents reporting that their WAFs integrate very well and moderately well, respectively. Notably, none of the participants chose the answer “not well at all.”

How well does your WAF integrate into your security architecture? 

A circle with various different colored sections, each section had a description: Slightly well 7.4%, Extremely well 12.8%, Very well 40.4%, Moderately well 39.4%

Perceived Value

Survey respondents were asked to rate WAF technology in terms of security, performance, value, and usability on a 5-point scale, with 5 being the most favorable. Very few respondents gave top marks on any of the factors, which suggest that there may be room for improvement. However, taken in aggregate, the mean ratings trend positively.

How do you rate web application firewalls?

A chart titled How Do You Rate Web Application Firewalls? with factors and numbers

Labor and Maintenance

According to a 2016–2017 report1 from the U.S. Bureau of Labor Statistics, the demand for security analysts is growing more than twice as fast as demand for other professions. A 2015 report by Peninsula Press2 examining Bureau of Labor Statistics found that demand for security professionals is expected to grow by 53% through 2018. Given today’s hiring landscape, the labor requirements of security products are a growing concern for enterprises struggling to fill open requisitions. We asked cybersecurity professionals to rate the amount of labor their organizations need to administer and maintain WAFs. Most respondents (61%) indicated that WAFs take a moderate amount of labor to maintain.

How much labor is required to administer and maintain the WAF at your organization?

A bar chart titled "How much labor is required to administer and maintain the WAF at your organization?"

Our research suggests that WAFs are generally well received by the enterprise for their ability to integrate into security architectures, and enterprises appear fairly satisfied with their WAFs in terms of security, performance, usability, and overall value. A significant concern, however, is the amount of labor required to maintain WAFs, especially given the changing labor market. We predict that the future leaders in this market space will be the vendors whose products offer the greatest automation and usability while maintaining the highest levels of security efficacy. 

1 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2016-17 Edition, Information Security Analysts, on the Internet at https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.

2 Setalvad, A. (2015) Demand to fill cybersecurity jobs booming. Peninsula Press, a Project of Stanford Journalism, on the Internet at  http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/.

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.

TAGS: HTTP/2, WAF, Web Application Firewall