NSS Labs defines a web application firewall (WAF) as a stand-alone or virtual appliance, or as self-contained software, designed to secure web-based traffic and prevent web servers and their applications from being exploited. Attackers are no longer simply attacking the web server and its underlying operating system; they have moved up the stack and are attacking the web applications that run on the web server and front-end critical corporate data. Such applications are often complex and difficult to secure effectively, and simple coding errors can render them wide open to remote exploits. To regain the upper hand against current attacks, enterprises must evolve their network defenses to provide a different kind of protection.

WAFs employ a wide range of functions to work in conjunction with perimeter firewalls and intrusion prevention system (IPS) technologies and to provide protections specifically for web applications. WAFs should include HTTP/HTTPS protocol enforcement and native signature detection along with other protection mechanisms, such as URL normalization and scanning; positive or negative security enforcement model functionality (or both) that enforces proper application operation and page logic flow; and adaptive learning modules for automated policy updates. WAFs should be able to identify and police the use of specific web application elements and functions, such as web objects, form fields, and, most importantly, application session logic.


NSS Labs’ Web Application Firewall (WAF) Group Test evaluates market-leading WAF products on their security effectiveness, performance, stability and reliability, and total cost of ownership (TCO). The test provides Comparative Reports and individual Test Reports to help enterprises make informed decisions to evolve and rationalize their cyber risk programs.
