
The Forrester Wave™: Web Application Firewalls, Q1 2020 The 10 Providers That Matter Most And How They Stack Up by Sandy Carielli and Amy DeMartine February 26, 2020 | Updated: March 6, 2020

Why Read This Report

In our 33-criterion evaluation of web application firewall (WAF) providers, we identified the 10 most significant ones — Akamai Technologies, Alibaba Cloud, Amazon Web Services, Barracuda Networks, Cloudflare, F5 Networks, Imperva, Microsoft, Radware, and Rohde & Schwarz Cybersecurity — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals select the right one for their needs.

Key Takeaways

Akamai Technologies And Imperva Cloud WAF Lead The Pack
Forrester’s research uncovered a market in which Akamai Technologies and Imperva Cloud WAF are Leaders; Radware, Barracuda Networks, and F5 Advanced WAF are Strong Performers; Imperva WAF Gateway, F5 Silverline, Amazon Web Services, and Alibaba Cloud are Contenders; and Microsoft, Cloudflare, and Rohde & Schwarz Cybersecurity are Challengers.

Expanded Protection, Threat Intel, And SDLC Feedback Are Key Differentiators
As development, security, and operations (DevSecOps) takes hold, WAFs that enable security leaders to quickly identify and mitigate a wide range of application threats will lead the pack. Vendors that can extend protections into APIs and client-side components; that offer timely, integrated threat intelligence; and that natively hook into a customer’s security and development processes position themselves to successfully integrate into the DevSecOps toolchain and delight their customers.


The Forrester Wave™: Web Application Firewalls, Q1 2020 The 10 Providers That Matter Most And How They Stack Up by Sandy Carielli and Amy DeMartine with Stephanie Balaouras, Matthew Flug, and Peggy Dostie February 26, 2020 | Updated: March 6, 2020

Table Of Contents

2 To Stay Relevant, WAFs Must Offer More Than OWASP Top 10 Detection
3 Evaluation Summary
7 Vendor Offerings
8 Vendor Profiles
  Leaders
  Strong Performers
  Contenders
  Challengers
12 Evaluation Overview
  Vendor Inclusion Criteria
14 Supplemental Material

Related Research Documents

Lay Your Security Tech Foundation
Now Tech: Web Application Firewalls, Q4 2019
Top Cybersecurity Threats In 2020

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA +1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

© 2020 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378 FOR SECURITY & RISK PROFESSIONALS February 26, 2020 | Updated: March 6, 2020 The Forrester Wave™: Web Application Firewalls, Q1 2020 The 10 Providers That Matter Most And How They Stack Up

To Stay Relevant, WAFs Must Offer More Than OWASP Top 10 Detection

Web application firewalls (WAFs) initially focused on protecting web applications from common vulnerabilities like SQL injection, cross-site scripting, and other members of the OWASP Top 10. WAFs remain a fundamental technology for application security protection, but customer requirements have changed. While the OWASP Top 10 remains a core use case, customers expect WAFs to provide protection against an ever-broader spate of application attacks, including API-based attacks, client-side attacks, and even bots. Furthermore, the adoption of DevSecOps means that WAFs must integrate with the rest of the application development and security infrastructure and help security leaders quickly identify and respond to application threats. Organizations want more from their WAF providers — and the degree of negative feedback from vendor-supplied references in this Forrester Wave warns that, unless vendors adapt, the WAF market is ripe for disruption.

As a result of these trends, WAF customers should look for providers that:

›› Extend beyond traditional WAF protections. As the range of attacks against web applications increases, WAF providers that merely focus on protecting against the OWASP Top 10 won’t remain relevant. Over the past year, organizations such as Hostinger and Xiaomi have been subject to attacks via their APIs, and attackers have breached thousands of sites, including Macy’s and the Baseball Hall of Fame, through client-side components.1 The leading WAF providers must provide an integrated approach to old and emerging attack approaches by supporting OAuth, allowing users to import API configuration files in multiple formats, and detecting header and referrer verifications.

›› Offer enriched threat intelligence. Robust protection from zero-day attacks and emerging threats requires an extensive threat intelligence function combined with the ability to automatically push new, pretested rules to users. WAF providers must leverage a wide range of external threat feeds and augment them with a dedicated internal team that proactively identifies threats and applies machine learning to analyze traffic patterns across the customer base. Customers must ask WAF vendors not only about threat intelligence sources but about how rapidly that intelligence is analyzed and fed into new rules.

›› Integrate natively with the software development lifecycle (SDLC). While WAFs live in the deployment side of the application security landscape, developers and security teams leverage WAF detections to prioritize additional safeguards in developed code. Firms purchase expensive threat feeds but often ignore the ones they get for free and that are tailor-made for them — the attack information from their protection technologies. Developers use this attack data to prioritize what security flaws to fix first or to add additional production protections when fixes are not imminent, such as custom WAF rules. Look for providers that offer multiple out-of-the-box (OOTB) integrations with DevOps tools to fit into the deployment process, alerting and notification tools to reach application owners, and prerelease scanning tools to create and modify WAF rules.


Evaluation Summary

The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and Challengers. It’s an assessment of the top vendors in the market and does not represent the entire vendor landscape. You’ll find more information about this market in our “Now Tech: Web Application Firewalls, Q4 2019.”

We intend this evaluation to be a starting point only and encourage clients to view product evaluations and adapt criteria weightings using the Excel-based vendor comparison tool (see Figure 1 and Figure 2). Click the link at the beginning of this report on Forrester.com to download the tool.


FIGURE 1 Forrester Wave™: Web Application Firewalls, Q1 2020

[Forrester Wave graphic. Vertical axis: current offering (weaker to stronger). Horizontal axis: strategy (weaker to stronger). Marker size: market presence. Segments from left to right: Challengers, Contenders, Strong Performers, Leaders. Vendors plotted: Akamai Technologies, F5 Advanced WAF, Imperva Cloud WAF, Barracuda Networks, Radware, F5 Silverline, Rohde & Schwarz Cybersecurity, Imperva WAF Gateway, Cloudflare, Alibaba Cloud, Amazon Web Services, and Microsoft. Each vendor’s segment is given in the Key Takeaways and Vendor Profiles.]


FIGURE 2 Forrester Wave™: Web Application Firewalls Scorecard, Q1 2020

Criterion                    Forrester's  Akamai        Alibaba  Amazon        Barracuda  Cloudflare  F5 Advanced
                             weighting    Technologies  Cloud    Web Services  Networks               WAF
Current offering             50%          4.07          1.81     1.21          3.18       1.93        3.25
  Attack detection           30%          4.40          1.80     1.05          3.90       1.80        4.50
  Attack response            20%          3.80          2.40     0.70          3.60       2.40        3.60
  Management interface       15%          4.60          2.15     2.40          2.00       2.60        4.40
  Zero-day attacks           10%          3.60          1.40     1.10          2.40       1.60        0.50
  Reporting and analytics    15%          4.00          1.60     1.30          3.40       1.00        1.90
  Feedback loops             10%          3.40          0.90     0.90          2.40       2.10        1.80
Strategy                     50%          3.76          2.20     3.60          2.24       1.28        2.24
  Product strategy           40%          3.80          1.00     3.00          3.00       1.60        1.60
  Market approach            20%          5.00          3.00     5.00          1.00       1.00        3.00
  Execution roadmap          10%          1.00          1.00     3.00          3.00       1.00        1.00
  Training and community     10%          3.00          1.00     1.00          1.00       1.00        3.00
  Performance                20%          4.20          5.00     5.00          2.20       1.20        3.00
Market presence              0%           4.58          1.84     3.10          3.70       3.72        3.09
  Installed base             70%          4.40          2.20     4.00          4.00       3.60        2.70
  Revenue                    30%          5.00          1.00     1.00          3.00       4.00        4.00

All scores are based on a scale of 0 (weak) to 5 (strong).


FIGURE 2 Forrester Wave™: Web Application Firewalls Scorecard, Q1 2020 (Cont.)

Criterion                    Forrester's  F5          Imperva    Imperva      Microsoft  Radware  Rohde & Schwarz
                             weighting    Silverline  Cloud WAF  WAF Gateway                      Cybersecurity
Current offering             50%          2.52        3.02       2.34         1.04       2.83     2.06
  Attack detection           30%          2.50        3.10       2.30         1.05       2.20     3.60
  Attack response            20%          3.60        3.00       3.00         0.70       5.00     2.10
  Management interface       15%          1.50        2.80       1.30         1.50       1.80     1.20
  Zero-day attacks           10%          2.60        5.00       1.40         0.50       2.40     0.50
  Reporting and analytics    15%          3.10        3.00       3.30         1.60       2.50     0.70
  Feedback loops             10%          1.00        1.20       2.20         0.70       2.80     2.20
Strategy                     50%          2.24        4.44       2.72         2.50       2.96     1.00
  Product strategy           40%          1.60        5.00       2.20         3.00       5.00     1.00
  Market approach            20%          3.00        3.00       1.00         1.00       1.00     1.00
  Execution roadmap          10%          1.00        5.00       5.00         1.00       3.00     1.00
  Training and community     10%          3.00        5.00       3.00         0.00       1.00     1.00
  Performance                20%          3.00        4.20       4.20         5.00       1.80     1.00
Market presence              0%           1.21        4.09       3.49         2.74       2.00     2.19
  Installed base             70%          1.30        3.70       3.70         2.20       2.00     2.70
  Revenue                    30%          1.00        5.00       3.00         4.00       2.00     1.00

All scores are based on a scale of 0 (weak) to 5 (strong).


Vendor Offerings

Forrester included 10 vendors in this assessment: Akamai Technologies, Alibaba Cloud, Amazon Web Services (AWS), Barracuda Networks, Cloudflare, F5 Networks, Imperva, Microsoft, Radware, and Rohde & Schwarz Cybersecurity (R&S) (see Figure 3). F5 Networks and Imperva had multiple products, which Forrester evaluated separately to highlight the differences when these products are purchased separately.

FIGURE 3 Evaluated Vendors And Product Information

Vendor                         Product evaluated                                                        Product version evaluated
Akamai Technologies            Kona Site Defender                                                       March 2019
Alibaba Cloud                  Web Application Firewall                                                 4.3.0.0
Amazon Web Services            AWS WAF; AWS Firewall Manager
Barracuda Networks             Barracuda Web Application Firewall (Hardware); Barracuda Web             10.0.1.003
                               Application Firewall (Vx); Barracuda CloudGen Firewall for AWS;
                               Barracuda CloudGen Firewall for Azure; Barracuda CloudGen Firewall
                               for Google Cloud
Cloudflare                     Cloudflare WAF
F5 Networks                    F5 Advanced WAF                                                          14.1
F5 Networks                    F5 Silverline WAF
Imperva                        Imperva Cloud Application Firewall                                       10/8/19
Imperva                        Web Application Firewall Gateway                                         13.5
Microsoft                      Azure Web Application Firewall (Azure WAF); Azure Log Analytics;
                               Azure Sentinel
Radware                        AppWall, Alteon, AppWall VA, Alteon VA, Cloud WAF                        AppWall 7.5.6, Cloud WAF 19.7.3,
                                                                                                        Alteon 32.4.00
Rohde & Schwarz Cybersecurity  R&S Web Application Firewall                                             6.5.3


Vendor Profiles

Our analysis uncovered the following strengths and weaknesses of individual vendors.

Leaders

›› Akamai Technologies offers a cloud-agnostic WAF solution at the edge. Akamai’s WAF, Kona Site Defender, is one in a suite of security products that also includes DDoS protection, bot management, and an API gateway available to Akamai’s CDN customers. Akamai has invested in API protection, with customers able to import Swagger or RAML files into the management console. The recent acquisition of ChameleonX hints at Akamai’s roadmap for protecting third-party scripts from Magecart-like attacks.

In a sea of middling WAF customer references, Akamai stood out among the vendors for its across-the-board positive reviews, with particularly high marks for attack detection, attack response, and internal threat intelligence. Customers also appreciated the ability to easily add other Akamai performance and security products. Some of the customer challenges focused on communication and relationship — one reference wanted more communication “on when changes are being made to the underlying rules maintained by Akamai,” while another was frustrated by the frequent turnover of their account team. Akamai CDN customers are well suited to take advantage of Kona Site Defender.

›› Imperva Cloud WAF is the more mature of Imperva’s WAF solutions. Previously known as Incapsula, Cloud WAF is one of two WAF products in Imperva’s portfolio that we evaluated separately. Imperva offers a full suite of deployment-side application protections — including WAF, bot management, RASP, DDoS, API security, and analytics solutions — and their go-to-market approach, called FlexProtect, focuses on solution bundles. In 2019, Imperva introduced a user community where customers engage with Imperva experts and each other; the community offers discussion boards, how-to videos, and community blogs.

Ease of use was a common theme among Imperva’s reference customers, who rated the UI highly and were pleased the product could be both intuitive and effective. However, feedback loops remain a source of frustration: More than one reference struggles with SIM integration. Customers seeking a full application security stack and a modern user experience would benefit from Imperva’s Cloud WAF solution. Note that Cloud WAF is also available as a managed service.

Strong Performers

›› Radware offers customers consolidated security with multiple deployment options. Radware’s AppWall can be deployed as a virtual or physical appliance, either standalone or on top of Radware’s application delivery controller (ADC). Radware also offers Cloud WAF as a SaaS option — deploying 24 Cloud WAF PoPs globally and including the Radware Bot Manager — and Kubernetes WAF for cloud-native applications. Radware has a strong partnership with Microsoft to run Cloud WAF on top of Azure and touts itself as the only WAF service running natively in Azure.


Reference customers were complimentary of Radware’s customer interaction — one called Radware “a great relationship-building organization” — and spoke highly of the onboarding process and the team’s responsiveness to feature requests. On the flip side, references wanted to see more from the reporting, such as additional dashboards and response codes, and had mixed reviews of the management UI. Radware is a strong choice for customers looking for platform consolidation either in the data center with ADC, WAF, and DDoS protection or in the cloud with Cloud WAF and bot management.

›› Barracuda Networks offers a range of deployment options. Barracuda WAF is available as a hardware appliance, as a virtual appliance, or as CloudGen Firewall for AWS, Azure, or Google Cloud. Barracuda uses the same WAF engine, with a rewritten UI, as the basis for its WAF-as-a-service offering — Forrester did not review the SaaS offering. Barracuda WAF fully integrates with the Barracuda Vulnerability Remediation Service, which scans the application and feeds rule changes to the WAF based on the resultant vulnerability data.

Barracuda has invested in API security, including JSON payload inspection and YAML file import, with additional features on the roadmap. Barracuda’s reference customers praised the WAF as offering good value for the price, appreciated the ease of use, and noted recent improvements in logging. Top criticisms targeted internal threat intelligence and feedback loops. Customers also wished for “better centralized logging” and “a more responsive UI.” Given the company’s focus on the CloudGen and SaaS WAF products, customers looking for a public cloud deployment option should consider Barracuda.

›› F5 Networks’ Advanced WAF offers rich rulesets and centralized management. F5 offers two WAF products — Advanced WAF and Silverline — that we evaluated separately. Customers can deploy Advanced WAF as a hardware appliance, as a virtual appliance, or in public cloud — Advanced WAF is available in AWS, Azure and Google Cloud. F5’s BIG-IQ platform offers a centralized management console for all WAF deployments, and the company envisions consolidating its WAF products on top of a single engine. F5 has shifted its go-to-market to position application security as the central offering rather than an add-on.

Forrester received limited, mixed feedback on F5’s Advanced WAF. Although customer references praised F5 Networks’ out-of-the-box ruleset — “I can accomplish almost everything I need to with default signatures” — and gave high marks for attack detection, attack response, and management, F5 garnered low grades for internal threat intelligence, reporting, and feedback loops. F5 Advanced WAF is a good option for customers needing a feature-rich platform and who are willing to manage it.

Contenders

›› Imperva WAF Gateway offers an on-premises solution with a path to the cloud. One of two WAF products in Imperva’s portfolio that were evaluated separately, WAF Gateway was formerly called SecureSphere and provides an on-premises solution for industries and regions not ready to move to cloud. As with Cloud WAF, Imperva includes WAF Gateway as an option in FlexProtect solution bundles and gives customers access to experts and peers through the user community. Imperva’s roadmap includes a unified management console and single WAF sensor for its Cloud WAF and WAF Gateway offerings.

A unified management console would be welcome, since unlike Cloud WAF’s modern UI, WAF Gateway’s user experience is decidedly out of the mid-2000s. One customer complained, “The UI has not been updated and feels out of date. It makes management and investigations in the console very difficult.” Reference customers also criticized feedback loops and struggled with customer support, but they were enthusiastic about WAF Gateway’s attack detection and response capabilities. For customers still preferring an on-prem solution and willing to bet on an eventual cross-sharing of features with Cloud WAF, WAF Gateway remains a viable WAF solution.

›› F5 Networks’ Silverline reduces in-house resource requirements. F5 offers two WAF products — Advanced WAF and Silverline — that we evaluated separately. F5 Silverline provides customers with a simplified experience through either an express self-service option or a fully managed service maintained by F5’s SOC. Silverline WAF Express lets customers select their targeted rulesets — maintained by the F5 SOC — for popular technology stacks. The F5 team maintains and updates standard rulesets; upon request, they will also create and tune custom rules for Silverline Managed WAF customers.

Managed services played heavily into customer feedback — references appreciated they didn’t have to do the work and praised the F5 team’s responsiveness. However, there was some frustration with feedback loops, particularly around logging and SIM integration. One customer noted the WAF tool didn’t export all data to their SIM, “so we have to work around getting necessary log data to the parties that need it.” Customers also hoped to see more-granular reporting and the ability to generate and export metrics. Customers unable or unwilling to fully manage a WAF should consider F5 Silverline’s Managed WAF. Those with apps built exclusively on common tech stacks should investigate Silverline WAF Express.

›› Amazon Web Services combines several services into a complete security solution. AWS WAF, for detection and protection, and AWS Firewall Manager, for centralized rule management, are part of an application security suite that also includes AWS Shield for DDoS protection. The AWS Management Console provides the management UI for all AWS services and closely ties together the interfaces for WAF, Firewall Manager, and Shield. Customers can deploy AWS WAF for applications running in EC2, ECS, Lambda, or on-prem.

AWS’s services collate and feed logs to a SIM, manage metrics and alarms, enrich data, build queries, and create business intelligence reports. This ecosystem has value but also means customers must implement an array of services to create a fully functioning WAF. Reference customers appreciated the AWS native experience and the well-documented APIs but expressed frustration with reporting and zero-day protection. One reference noted, “In order to meaningfully use the WAF product, you must create your own rules.” AWS WAF is a good fit for customers seeking an AWS native solution, undaunted by a plethora of cobbled-together services, and that appreciate API deployment and configuration.

›› Alibaba Cloud WAF leverages Alibaba Cloud’s presence in the China and AP markets. While Alibaba Cloud WAF has primarily been a cloud offering in China and available to Alibaba Cloud customers, the company is expanding into Southeast Asia and plans to address hybrid cloud through deployment options with other public clouds or on-prem. Alibaba Cloud offers 24x7 customer support groups on the Dingtalk communication and collaboration platform.

Alibaba Cloud’s roadmap highlights API security as a top priority, aligning with Forrester’s observation that Alibaba Cloud’s API protection is limited. APIs were also a theme with reference customers, who asked for API and mobile SDKs. Otherwise, references had few complaints, and gave high marks to Alibaba Cloud WAF’s attack detection and defense against zero-day attacks. Alibaba Cloud WAF is a good option for customers who want a top player in the China and Asia Pacific regions that prioritizes a responsive service team.

Challengers

›› Microsoft’s Azure WAF is an early-stage product in a mature market. Microsoft first offered Azure WAF in 2017 as an integration with an Application Gateway to protect public or private websites. As of mid-2019, Azure WAF also integrates natively with Azure Front Door at the network edge, combining application security and performance functions. Azure WAF protects applications within Azure, hosted in other clouds or deployed on-premises. The product integrates with services such as Azure Log Analytics and Azure Monitor.

Microsoft could only provide limited customer feedback; references appreciated Azure WAF’s native integration to Azure Resource Manager but wanted to see more OOTB compliance reporting. One reference noted, “Until recently, the product was still lacking the ability to create custom policies,” a common feature long supported by enterprise-class vendors. Feature gaps were a trend in the Azure WAF evaluation, as the product doesn’t: 1) perform data leak protection; 2) integrate with vulnerability scanners; 3) offer device fingerprinting; or 4) offer protection against client-side attacks. Customers might consider Azure WAF if they have more-limited feature requirements and like Azure WAF’s native integrations.

›› Cloudflare integrations drive flexible and simple customer experience. Cloudflare WAF integrates with the rest of its suite, including the CDN, load balancing, smart routing, and bot management. Cloudflare focuses on implementation, with the intention of users configuring WAF features through the dashboard, the API, and/or Terraform. To address client-side attacks, data loss prevention, and other custom rules the WAF doesn’t address natively, Cloudflare implemented the Workers platform to let customers build custom code at the CDN edge. Cloudflare recently announced the GraphQL Analytics API, which underpins its Firewall Analytics dashboards and helps customers query and build their own dashboards.


Since our last WAF evaluation, Cloudflare has also invested in a rule creation interface, reporting, managed rulesets, and predeployment rule testing — features that do not leapfrog the competition but bring Cloudflare closer to parity. Reference customers all highlighted ease of use or ease of implementation — one customer referred to Cloudflare as “intuitively usable.” The biggest criticism was around Cloudflare’s internal threat intelligence, and there were requests for additional logging features and integrations. Existing Cloudflare customers looking for seamless integration and a solid user experience should consider the Cloudflare WAF.

›› R&S offers an on-prem, SaaS, and managed solution for the European market. Rohde & Schwarz Cybersecurity’s Web Application Firewall is available as an enterprise edition and a business edition. While the enterprise edition includes all features, the business edition targets SMBs and is positioned as more of an entry-level WAF that supports fewer form factors, fewer application types, and fewer features. R&S also recently launched Cloud Protector, a cloud-based WAF available as SaaS or managed service and hosted in European data centers.

Reference customers rated attack detection highly but gave APIs mixed reviews, with one reference calling the API “lean.” References spoke positively about R&S’s simplicity and usable management console — the question is, which one? Between the Cloud Protector management console, the traditional R&S WAF management application, and the Kibana-based dashboard and reports, R&S is a tale of multiple UIs. The business and enterprise editions support different functionality — customers must understand the differences and choose wisely. European customers and others with data sovereignty concerns will appreciate R&S’s on-prem and EU-hosted options and regulatory alignment.

Evaluation Overview

We evaluated vendors against 33 criteria, which we grouped into three high-level categories:

›› Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic indicates the strength of its current offering. Key criteria for these solutions include attack detection; attack response; management interface; protection against zero-day attacks; reporting and analytics; and feedback loops with developer, SecOps, and prerelease scanning tools.

›› Strategy. Placement on the horizontal axis indicates the strength of the vendors’ strategies. We evaluated product strategy, market approach, execution roadmap, training and community, and performance.

›› Market presence. Represented by the size of the markers on the graphic, our market presence scores reflect each vendor’s installed base and revenue.


Vendor Inclusion Criteria

Forrester included 10 vendors in the assessment: Akamai Technologies, Alibaba Cloud, Amazon Web Services, Barracuda Networks, Cloudflare, F5 Networks, Imperva, Microsoft, Radware, and Rohde & Schwarz Cybersecurity. Each of these vendors has:

›› A comprehensive, enterprise-class WAF tool. All vendors in this evaluation offer a range of WAF capabilities suitable for security pros. Participating vendors were required to have most of the following capabilities out of the box: attack detection for web applications, including APIs; ability to block attacks, including zero-day attacks; the use of machine learning to modify rules; and the ability to visually report attacks.

›› $10 million or more in global WAF revenue. All vendors in this evaluation earned $10 million or more in global revenue — no more than 90% revenue attributed to a single region — directly from WAF capabilities.

›› Interest from or relevance to Forrester clients. Forrester clients often discuss the participating vendors and products during inquiries and interviews. Alternatively, the participating vendor may, in Forrester’s judgment, have warranted inclusion because of technical capabilities and market presence.



Supplemental Material

Online Resource

We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed product evaluations and customizable rankings; download this tool by clicking the link at the beginning of this report on Forrester.com. We intend these scores and default weightings to serve only as a starting point and encourage readers to adapt the weightings to fit their individual needs.

The Forrester Wave Methodology

A Forrester Wave is a guide for buyers considering their purchasing options in a technology marketplace. To offer an equitable process for all participants, Forrester follows The Forrester Wave™ Methodology Guide to evaluate participating vendors.


In our review, we conduct primary research to develop a list of vendors to consider for the evaluation. From that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather details of product and strategy through a detailed questionnaire, demos/briefings, and customer reference surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in the marketplace, to score vendors, using a relative rating system that compares each vendor against the others in the evaluation.

We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester Wave report. We evaluated the vendors participating in this Forrester Wave using materials they provided to us by December 3, 2019, and did not allow additional information after that point. We encourage readers to evaluate how the market and vendor offerings change over time.

In accordance with The Forrester Wave™ Vendor Review Policy, Forrester asks vendors to review our findings prior to publishing to check for accuracy. Vendors marked as nonparticipating vendors in the Forrester Wave graphic met our defined inclusion criteria but declined to participate in or contributed only partially to the evaluation. We score these vendors in accordance with The Forrester Wave™ And The Forrester New Wave™ Nonparticipating And Incomplete Participation Vendor Policy and publish their positioning along with those of the participating vendors.

Integrity Policy

We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity Policy posted on our website.



We work with business and technology leaders to drive customer- obsessed vision, strategy, and execution that accelerate growth.

PRODUCTS AND SERVICES

›› Research and tools

›› Analyst engagement

›› Data and analytics

›› Peer collaboration

›› Consulting

›› Events

›› Certification programs

Forrester’s research and insights are tailored to your role and critical business initiatives.

ROLES WE SERVE

Marketing & Strategy Professionals: CMO; B2B Marketing; B2C Marketing; Customer Experience; Customer Insights; eBusiness & Channel Strategy

Technology Management Professionals: CIO; Application Development & Delivery; Enterprise Architecture; Infrastructure & Operations; ›› Security & Risk; Sourcing & Vendor Management

Technology Industry Professionals: Analyst Relations

CLIENT SUPPORT For information on hard-copy or electronic reprints, please contact Client Support at +1 866-367-7378, +1 617-613-5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.
