Integration, Labor and Maintenance, and Perceived Value
Web application firewalls (WAF) are a growing segment of the security market. In 2016, NSS Labs conducted an independent study to gain insight into enterprise WAF deployment, integration, labor and maintenance, and perceived value. In this study, 128 cybersecurity officers (n=128) from Global 2000 companies that actively deploy WAFs and that are headquartered in North America participated in an online survey. In Part 1 of this blog, we reported our results on WAF deployment methods and HTTP/2. In Part 2, we discuss our findings on WAF integration, labor and maintenance, and perceived value.
For enterprises deciding whether or not to deploy a WAF, a key factor in the decision is how well the product integrates with their environment. Several factors can affect integration, including form factor (inline or cloud-based), the extent of the required changes to enterprise web application code, how the product handles SSL traffic, and so on. In our survey, we asked respondents to rate how well WAFs integrate into their security architectures. Results were favorable, with 39% and 40% of respondents reporting that their WAFs integrate very well and moderately well, respectively. Notably, none of the participants chose the answer “not well at all.”
How well does your WAF integrate into your security architecture?
Survey respondents were asked to rate WAF technology in terms of security, performance, value, and usability on a 5-point scale, with 5 being the most favorable. Very few respondents gave top marks on any of the factors, which suggests that there may be room for improvement. However, taken in aggregate, the mean ratings trend positively.
How do you rate web application firewalls?
Labor and Maintenance
According to a 2016–2017 report [1] from the U.S. Bureau of Labor Statistics, the demand for security analysts is growing more than twice as fast as demand for other professions. A 2015 report by Peninsula Press [2] examining Bureau of Labor Statistics data found that demand for security professionals is expected to grow by 53% through 2018. Given today’s hiring landscape, the labor requirements of security products are a growing concern for enterprises struggling to fill open requisitions. We asked cybersecurity professionals to rate the amount of labor their organizations need to administer and maintain WAFs. Most respondents (61%) indicated that WAFs take a moderate amount of labor to maintain.
How much labor is required to administer and maintain the WAF at your organization?
Our research suggests that WAFs are generally well received by the enterprise for their ability to integrate into security architectures, and enterprises appear fairly satisfied with their WAFs in terms of security, performance, usability, and overall value. A significant concern, however, is the amount of labor required to maintain WAFs, especially given the changing labor market. We predict that the future leaders in this market space will be the vendors whose products offer the greatest automation and usability while maintaining the highest levels of security efficacy.
[1] Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2016-17 Edition, Information Security Analysts, on the Internet at https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.
[2] Setalvad, A. (2015) Demand to fill cybersecurity jobs booming. Peninsula Press, a Project of Stanford Journalism, on the Internet at http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/.