Internet Performance Delivered right to your inbox

Standalone Web Application Firewall Products are Not Enough

As the security threat landscape continues to evolve, and threat actors improve their hacking tactics, techniques, and procedures, the daunting task of protecting public-facing web applications and API endpoints becomes more difficult by the day. Not only do organizations need to come to grips with reality and understand they are under attack nearly 100 percent of the time, they must also come to terms with the fact that their current approach to defending their applications and APIs is woefully deficient. However, there are solutions available now that can dramatically improve defensive postures to defeat today’s hacker campaigns and their ever-increasing persistence.

In the past, standard rule-based web application firewall products were highly recommended by industry experts and were even required by standards like PCI DSS. Understanding that no other technology was specifically designed to protect web apps, web application firewall (WAF) technology successfully penetrated nearly every industry. Today’s surveys suggest that up to 80 percent of enterprises currently utilize some sort of WAF technology, primarily driven by compliance and other mandates. But are today’s web application firewall products enough to combat the increasing cyberattacks targeting apps and APIs?

According to Dale Gardner, who is a research director with the analyst firm Gartner, the web app security market is ripe for disruption in 2018. Gardner has observed that the challenges current WAF vendors face are brought on by a very demanding market, by their slowness to offer easily-implemented protections, and to broadly address an ever-changing threat landscape. In addition, organizations no longer want to deploy hardware web application firewall products, as they move more-and-more of their apps to the cloud. Also, organizations are looking for bundles of protection beyond just standard WAF rulesets. And finally, organizations want more automated tuning approaches, which may include capitalizing on new machine learning and artificial intelligence driven solutions. Surely the market is ripe for change.

Going beyond predicting a major market shift, Gardner also mentions new drivers that will allow innovative application security entrants (vendors) who offer cloud-based bundles of services to push change in the industry. From L3, L4, and L7 DDoS defenses, bot mitigation, AI-enabled WAFs, and API endpoint protection to content delivery, load balancing, and even acceleration, customers are demanding more to improve their site performance and thoroughly manage their cyber risk. Vendors of traditional web application firewall products will either need to majorly enhance their offerings or risk losing considerable market share.

Gardner’s research and perspective goes even further whereby he mentions the emergence of a new, more bundled technology/solution category he’s calling web application and API protection (WAAP). The services-based solution he envisions, incorporates content distribution and acceleration, bot mitigation, API protection, DDoS defenses, and delivery controllers. The next generation of application and API protection solutions he predicts will of course include cloud-based WAF, yet tremendously go beyond the protections that can be delivered by a WAF alone.

The rationale for Gardner’s predictions are easily understood by those who are tasked with protecting the confidentiality and integrity of their organization’s data, while also being tasked with ensuring networks, sites, and applications are always available. Hackers today understand the vulnerabilities with current standalone web application firewall products and also understand the multi-vendor, disparate solution approach that many organizations have been forced to accept since cohesively bundled suites of solutions were simply not available to those that needed them most. However, all that has changed.

Here at Oracle Dyn, we completely agree with Gardner’s viewpoint and prediction. As a matter of fact, his WAAP prediction has already become a reality. Oracle Dyn Web Application Security is designed to protect networks, applications, and APIs. It is a multi-tenant hosted platform with globally distributed POPs and geographically dispersed DDoS mitigation centers, coupled with security operation centers monitoring and mitigating network, application, and API attacks – 24×7. At the core of the suite is proprietary machine learning algorithms, coupled with threat intelligence and big data analysis.

In 2014, the founders of Zenedge had a vision for a single, cloud-based platform comprised of a suite of solutions to directly address the future needs of organizations. Today, as part of Oracle Dyn, the Zenedge vision has come to fruition and a unified suite of solutions is available to organizations that realize standalone web application firewall products are not enough.


Share Now

Whois: Stephen Gates

Stephen Gates is a Edge Security Evangelist at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.