G.国王族 Official Forum - Guangzhou Game Information Network

Title: [Repost] 2017 Gartner Magic Quadrant for Web Application Firewalls

Author: GZGame    Time: 2018-1-8 10:49
Summary
The WAF market is growing, driven by the adoption of cloud-based WAF service. Enterprise security teams should use this research as part of their evaluation on how WAFs can provide improved security that is also easy to consume and manage, while respecting data privacy requirements.
Strategic Planning Assumptions
By 2020, stand-alone WAF hardware appliances will represent less than 20% of new WAF deployments, down from 40% today.
By 2020, more than 50% of public-facing web applications will be protected by cloud-based WAF service platforms, combining CDN, DDoS protection, bot mitigation and WAF, up from less than 20% today.
Market Definition/Description
The web application firewall (WAF) market is driven by a customer's need to protect public and internal web applications when they are deployed locally (on-premises) or remotely (hosted, cloud-based or as a service). WAFs protect web applications and APIs against a variety of attacks, notably including injection attacks and application-layer denial of service (DoS). They should not only provide signature-based protection, but should also support positive security models and/or anomaly detection.
WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically that was the only way to perform some in-depth inspections. Today, other deployment modes exist, such as transparent proxy or network bridge. Some WAFs can also be positioned out of band (OOB, or mirror mode), and therefore work on a copy of the network traffic. Not every feature can work in all of these deployment choices, and reverse proxy is the most prevalent option for many organizations. In recent years, increased use by web applications of Transport Layer Security (TLS) encryption, based on cipher suites that require in-line traffic interception (man in the middle) to decrypt, has reduced the number of OOB deployments.
In recent years, WAF delivered as a cloud-based service directly by the vendor (cloud-based WAF service) has become a more popular option for a growing number of enterprises, beyond its initial target of midmarket organizations. Cloud-based WAF service combines a cloud-based deployment with a subscription model. The customers might also select a vendor's managed services for its cloud-based WAF service, or be forced to use it because it is a mandatory component of the offering. Some vendors have chosen to leverage their existing WAF solution, repackaging it as SaaS. This allows vendors to have a cloud-based WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native cloud-based WAF service offerings. One of the difficulties with this approach is simplifying the management and monitoring console to meet clients' expectations. Cloud-based WAF service, built to be multitenant and cloud-based from the beginning, could avoid costly maintenance of legacy code in the long term. It also provides a competitive advantage with faster release cycles and rapid implementation of innovative features. One of the main challenges for users consuming cloud-based WAF service built separately is the absence of a unified management console to support hybrid scenarios.
When speaking with clients about WAF adoption, Gartner observes occasional confusion with the application control feature (application awareness) present on network firewalls. The primary WAF benefit is protection for custom web applications' "self-inflicted" vulnerabilities in web application code developed by the enterprise, and protection for vulnerabilities in off-the-shelf web application software. These vulnerabilities would otherwise go unprotected by other technologies that guard mainly against known exploits (see "Web Application Firewalls Are Worth the Investment for Enterprises" ). Most attacks on these corporate applications come from external attackers.
This Magic Quadrant includes WAFs that are deployed external to web applications and not integrated directly on web servers:
API gateway, bot management (which includes bad-bot mitigation and good-bot whitelisting) and runtime application self-protection (RASP) are adjacent to the WAF market, and might compete for the same application security budget. This motivates WAF vendors to add relevant features from these adjacent markets when appropriate; for example, cloud-based WAF services often bundle web application security with distributed denial of service (DDoS) protection and CDN. The ability of WAFs to integrate with other enterprise security technologies — such as application security testing (AST), database monitoring, or security information and event management (SIEM) — is a capability that supports its strong presence in the enterprise market. Consolidation of WAFs with other technologies, like ADCs, CDNs or DDoS mitigation cloud services, brings its own benefits and challenges. However, this market evaluation focuses more heavily on the buyer's security needs when it comes to web application security. This notably includes how WAF technology:
In particular, Gartner scrutinizes these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) and open-source/free WAF (such as ModSecurity) would do by leveraging a rule set of generic signatures.
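The distinction drawn above, between a generic signature rule set and a positive security model that describes what legitimate traffic looks like for each application endpoint, is easiest to see in code. The following is an added illustration, not code from Gartner or from any vendor in this report: a miniature request inspector that runs both models over the same decoded request and returns which model flagged what. The endpoints, parameter profiles and the three signatures are constructed for the example; a real WAF rule set (ModSecurity's, for instance) is far larger, and a WAF in learning mode would derive the per-endpoint profile from observed traffic rather than have it hand-written. The `mode` argument mirrors the deployment discussion: "block" is the in-line reverse-proxy posture, "monitor" is what an out-of-band deployment or a policy still in learning can do.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Negative security model: generic attack signatures, constructed for this
# example. Real rule sets (e.g. ModSecurity CRS) are far larger and more refined.
SIGNATURES = {
    "sqli-tautology": re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I),
    "sqli-union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}


@dataclass
class ParamRule:
    """Profile of one parameter: the decoded value must fully match `pattern`."""
    pattern: str
    max_len: int = 64


# Positive security model: a per-endpoint profile of what legitimate traffic
# looks like. Everything the profile does not describe is rejected. The
# endpoints and parameters below are assumptions made for this example.
POSITIVE_SCHEMA = {
    ("GET", "/products"): {
        "id": ParamRule(r"[0-9]{1,9}"),
        "sort": ParamRule(r"(price|name)"),
    },
    ("POST", "/login"): {
        "username": ParamRule(r"[A-Za-z0-9_.@-]{3,64}"),
        "password": ParamRule(r".{8,128}", max_len=128),
    },
}


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def _decoded_params(method, target, body):
    """Split the request target and decode query/body parameters once."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    return parts.path, params


def inspect(method, target, body="", mode="block"):
    """Evaluate one request against both models and return a Verdict.

    mode="block": any finding denies the request (in-line reverse proxy).
    mode="monitor": findings are recorded but nothing is denied (out-of-band
    deployment, or a policy that is still learning).
    """
    path, params = _decoded_params(method, target, body)
    reasons = []

    # 1. Signature matching over every decoded parameter value.
    for name, value in params:
        for sig_name, rx in SIGNATURES.items():
            if rx.search(value):
                reasons.append(f"signature:{sig_name}:{name}")

    # 2. Positive model: the request must fit the endpoint's profile.
    profile = POSITIVE_SCHEMA.get((method, path))
    if profile is None:
        reasons.append(f"positive:unknown-endpoint:{method} {path}")
    else:
        for name, value in params:
            rule = profile.get(name)
            if rule is None:
                reasons.append(f"positive:unexpected-param:{name}")
            elif len(value) > rule.max_len or not re.fullmatch(rule.pattern, value):
                reasons.append(f"positive:value-out-of-profile:{name}")

    return Verdict(allowed=(not reasons) or mode == "monitor", reasons=reasons)


if __name__ == "__main__":
    # Constructed sample requests: one clean, one classic signature hit, and
    # one that no generic signature matches but the positive model rejects.
    for req in [("GET", "/products?id=42&sort=price"),
                ("GET", "/products?id=1+OR+1%3D1"),
                ("GET", "/products?id=42&debug=1")]:
        print(req[1], "->", inspect(*req))
```

The third sample request is the point of the section: an unexpected `debug` parameter matches no signature, so a signature-only WAF (or an IPS or network firewall) lets it through, while the positive model rejects it because the endpoint profile never listed it. The cost of the positive model is the profile itself, which is why learning quality and false-positive handling weigh so heavily in the vendor evaluations that follow.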
Magic Quadrant
Figure 1. Magic Quadrant for Web Application Firewalls
Source: Gartner (August 2017)

Vendor Strengths and Cautions
Akamai
Akamai moved from the Challengers to the Leaders quadrant. When clients require only cloud-based WAF service, Akamai's WAF appeals to prospective customers for its combination of strong security features and ability to scale.
Based in Cambridge, Massachusetts, Akamai is a CDN provider and employs a staff of more than 5,000. Its network and cloud security services, including its WAF (Kona Site Defender), are built on top of the Akamai Intelligent Platform, its global cloud infrastructure. Kona Site Defender includes DDoS mitigation options, such as Site Shield for origin protection, DDoS fee protection and a compliance management module. Optional add-ons, such as client reputation, bot manager and FastDNS (for DNS security), are frequently bundled with the Kona WAF.
In 2016, Akamai announced both the acquisition of Cyberfend, a company providing bot mitigation services, to enhance its existing bot mitigation offering and the availability of its simplified and lower-priced solution, Web Application Protector. In 2017, Akamai released version 5.0 of Kona Site Defender, which included new API security features and better integration with SIEM.
Kona Site Defender is a good shortlist candidate for all use cases where WAF delivered from the cloud is acceptable, and low price is not the highest priority, especially for existing Akamai CDN customers.
Amazon Web Services
Amazon Web Services (AWS) is in the Niche Players quadrant. Its AWS WAF offers good integration with other AWS services, and is easily programmable, but it does not offer as many inbuilt security features as other vendors evaluated in this research. Its market reach is currently limited to AWS clients.
Headquartered in Seattle, Washington, Amazon Web Services, a subsidiary of Amazon (AMZN), is a cloud-focused service provider. AWS offers Xen-virtualized multitenant and single-tenant compute (Elastic Compute Cloud [EC2]) with multitenant storage. It also offers extensive additional IaaS and platform as a service (PaaS) capabilities, including object storage with an integrated CDN (Amazon Simple Storage Service [S3] and CloudFront), and a Docker container service (EC2 Container Service [ECS]).
AWS both competes and partners in the WAF market. It allows WAF competitors in the AWS marketplace, and also offers its own solution. AWS WAF can be delivered through AWS Application Load Balancer or through Amazon CloudFront as part of the CDN solution. AWS WAF works by being placed between website viewers and web servers deployed behind Application Load Balancers or CloudFront proxy servers. AWS WAF is not limited to protecting origin servers hosted on Amazon infrastructure. It can be deployed in front of public web applications, too.
Recent news for AWS WAF includes Internet Protocol version 6 (IPv6) support, a template including preconfigured rules for OWASP top vulnerabilities, and rate-based rules.
Prospective customers should consider AWS WAF in their shortlists if they want to protect public-facing web applications from common web exploits and use basic rule conditions at a volume-based cost, especially when the application is also hosted on AWS.
Barracuda Networks
Barracuda Networks is a Challenger. Barracuda is considered a strong contender for deployment in application environments where the primary requirements for selecting a WAF appliance are cost or a virtual appliance on a Microsoft Azure IaaS platform.
Headquartered in Campbell, California, Barracuda Networks (CUDA) is a security and storage vendor that caters primarily to midsize enterprises. Its line of products includes network firewalls, data management, email and web security. Barracuda is also visible in a few enterprise markets, including the WAF market. The vendor delivers its Web Application Firewall line in physical or virtual appliances. It is also available on the Microsoft Azure, AWS and VMware vCloud Air platforms.
Recent news includes the announcement of the expansion of the Barracuda Cloud Ready program, wherein it offers free 90-day licenses for its WAF and network firewalls to use in AWS or Azure migrations. It also announced a free add-on, Barracuda Vulnerability Remediation Service, which provides automated dynamic application security testing (DAST) services and automated mitigation against discovered vulnerabilities.
Barracuda is a good shortlist contender for small and midsize businesses (SMBs) and other value-conscious organizations, in addition to organizations moving applications to public cloud IaaS environments.
Citrix
Citrix is a Challenger. It has a long history in the WAF space, mainly focused on delivering web application security as an add-on to its NetScaler deployment. Gartner rarely sees the vendor compete where application security is the highest-weighted requirement.
Citrix (CTXS), co-headquartered in Santa Clara, California, and Fort Lauderdale, Florida, is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions, with more than 9,000 employees. Citrix has offered WAF functionality (NetScaler AppFirewall) for more than a decade, either as a stand-alone software option or included in the Platinum edition of the NetScaler ADC suite. The Citrix hardware appliance product line (NetScaler MPX) can run a license-restricted version of the full NetScaler software to act as a stand-alone WAF. In addition, Citrix provides a line of virtual appliances (NetScaler VPX). NetScaler can be bundled in Citrix Mobile Workspace offerings.
In 2016, Citrix released new licenses for NetScaler virtual appliances. In 2017, Citrix started offering NetScaler Web App Security Services, its cloud-based WAF service based on AppFirewall, and released features and improvements such as ECDHE cipher support for TLS decryption, an overall risk score dashboard (Threat Index) and authentication features.
NetScaler AppFirewall is a good choice for existing Citrix clients, or when high-performance WAF appliances are needed.
Cloudflare
Cloudflare is a Challenger. As more web applications move to the cloud, the value proposition of its bundled approach and the regular improvements of its solution appeal to more clients.
Based in San Francisco, California, Cloudflare is well known for its CDN and DDoS protection services. Other services include managed DNS services and WAF. Cloudflare is best known for its free plan and inexpensive self-service Pro and Business plans. Most of its enterprise sales are through the custom Enterprise plan, which starts at $5,000 per month.
The vendor has recently announced a new subscription for load balancing and failover, another subscription (Argo) for performance optimization through improved routing decision between its servers, Internet of Things (IoT) security (Orbit) to secure connections between IoT devices and their origin server, always-on IPv6, a partnership with OpenDNS to improve IPv6 DNS lookup efficiency, and beta version support of TLS 1.3 with performance optimization for resumed connections (0-RTT).
Cloudflare is a good shortlist candidate to protect cloud-native applications, especially for budget-constrained organizations that need bundled WAF and DDoS capabilities for their public-facing web applications, or for organizations willing to secure applications requiring demanding performance.
Ergon Informatik
Ergon Informatik is a Niche Player. Its market presence is still limited to Europe. Its internationalization efforts do not yet provide the vendor with sufficient visibility. Its WAF appliance benefits from continual improvements, but Ergon still lacks a cloud-based WAF service offering.
Based in Zurich, Switzerland, Ergon Informatik currently employs 270 people, with a quarter of them focused on its Airlock Suite, which includes the Airlock WAF and an IAM solution.
Recent news includes a configuration staging feature, support for HTTP/2, automatic policy learning and integration with IBM Trusteer for fraud prevention.
Ergon Informatik is a viable shortlist candidate for enterprises in need of a WAF appliance, especially European organizations from the financial sector, or those looking for strong integration between WAF and access management.
F5
F5 moved from the Challengers to the Leaders quadrant. It remains one of the most frequently cited vendors in WAF appliance shortlists, and has made progress in cloud-based WAF service. Its renewed effort in enhancing behavior-based anomaly detection appeals to security-conscious organizations.
F5 Networks (FFIV) is an application infrastructure vendor based in Seattle, Washington, with more than 4,400 employees. F5's WAF offering is a software module called Application Security Manager (ASM) for the F5 Big-IP ADC platform, often sold as a component of F5's bundle of services. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF). Other F5 security modules include the Access Policy Manager (APM) module for integration with and/or enforcement of identity and access management (IAM), and WebSafe web fraud protection services. F5 also offers managed cloud-based WAF service and a DDoS scrubbing service (F5 Silverline).
Recent news includes the release of Silverline WAF Express, F5's lower-price-tier offering without managed services, and integration between its WAF and DDoS protection cloud services. Big-IP ASM v13 adds improved bot mitigation dashboards, hierarchical policy, better client fingerprinting, and automatic server application framework and language detection.
The vendor is a good shortlist candidate for WAF, especially for large organizations looking for scalable and flexible WAF appliances.
Fortinet
Fortinet is a Challenger. Its solid investment in its WAF solution translates into continuous improvements. The vendor experiences better-than-WAF-market-average growth and has become more visible in enterprise shortlists.
Fortinet (FTNT) focuses on network security and network infrastructure. The vendor is headquartered in Sunnyvale, California, and has more than 4,600 employees, including approximately 1,000 R&D employees. The Fortinet portfolio includes a firewall (FortiGate), WAF (FortiWeb), an endpoint protection platform (FortiClient), ADC (FortiADC), SIEM (FortiSIEM), and a sandbox (FortiSandbox). The vendor remains most well-known for its FortiGate firewall, but FortiWeb has become its third-largest non-firewall-related product line, even if WAF R&D remains a relatively small portion of the total R&D team. FortiWeb is available as a physical or virtual (FortiWeb-VM) appliance, and on AWS and Azure IaaS platforms. FortiWeb subscriptions include IP reputation, antivirus, security signature updates, credential stuffing defense and cloud-based sandboxing (FortiSandbox).
In 2016, Fortinet acquired AccelOps; FortiSIEM emerged from this acquisition as part of Fortinet Security Fabric, the vendor's concept of integrating multiple security solutions. Other recent news from Fortinet includes new WAF hardware, an updated management interface, active-active clustering, HTTP/2 support and improved SQL injection detection.
Fortinet's existing customers, as well as organizations looking for a WAF appliance with good value and performance for the price, should include Fortinet's WAF in their competitive assessments.
FortiWeb's management interface is available in English, Chinese and Japanese.
Imperva
Imperva is in the Leaders quadrant. The vendor competes and frequently wins on the basis of security features and innovation. Imperva can provide strong WAF functionality as a traditional appliance and cloud-based WAF service, but faces stronger competition for its cloud offering.
Based in Redwood Shores, California, Imperva (IMPV) is an application, database and file security vendor. SecureSphere is Imperva's WAF appliance, and Incapsula is its cloud-based WAF, which is delivered as a service. Imperva also has packages for security monitoring and offers managed services for the SecureSphere and Incapsula WAFs.
Both SecureSphere and Incapsula are deployed mostly in blocking mode. The SecureSphere WAF is available in seven physical and three virtual appliances, with two models each available for AWS and Microsoft Azure. Two models of physical and virtual appliances are also available for dedicated management. ThreatRadar is the family of add-on subscription services available for SecureSphere, available in five offerings: account takeover protection, reputation feed, bot protection, fraud prevention and community defense. Imperva Incapsula can be bundled with other services, including DDoS mitigation and CDN features.
Recent news includes the release of FlexProtect, which allows customers to deploy both SecureSphere and Incapsula with a single subscription, potentially providing more flexibility as customers move workloads to the public cloud. In addition, Imperva has announced enhancements to the Incapsula CDN and has made Incapsula available in the Azure marketplace. SecureSphere has added ThreatRadar Emergency Feed, which provides immediate access to zero-day discoveries, and has new support for HTTP/2 traffic.
Imperva is a good shortlist candidate for many organizations. High-security use cases in larger organizations are addressed with SecureSphere, and organizations that want a cloud-delivered solution to protect public-facing web applications should consider Incapsula.
Instart Logic
Instart Logic is in the Visionaries quadrant. The vendor has quickly gained visibility in WAF shortlists to protect cloud-native web applications due to its technology approach and regular release of new features.
Launched in 2010, Instart Logic is based in Palo Alto, California, and employs more than 200 employees. Its portfolio is composed of multiple subscriptions on top of its core CDN infrastructure, including a cloud-based WAF service and DDoS protection, released in 2014. The vendor's core marketing message for its WAF is about being "endpoint-aware," facilitated through a lightweight JavaScript agent (Nanovisor), which gets injected into HTTP traffic and analyzes some aspects of client-side web browser behavior. The vendor also provides performance optimization by dynamically optimizing web object and image delivery. Instart Logic offers rule tunings and 24/7 SOC as an option.
Recent news includes the release of managed services, a new business model for the CDN, better integration with AWS, and two new subscriptions, Bot Defense for bot mitigation and a semi-automated security rule service (Helios) that uses machine learning to generate suggested policies based on log analysis. Instart Logic continues to grow its data center infrastructure that, at the time of this writing, is composed of 36 points of presence, including 12 in North America, nine in Europe and seven in Asia.
Instart Logic is a good shortlist candidate for organizations that need to quickly protect cloud-native web applications with demanding performance requirements.
NSFOCUS
NSFOCUS is in the Niche Players quadrant. The vendor is a global player, but its WAF sales predominantly come from Chinese clients. Its WAF covers all the basic functionalities, but lacks sophistication for the most advanced use cases.
Based in Beijing, China, and Santa Clara, California, NSFOCUS is a network security vendor with more than 2,000 employees. It offers IPS and DDoS protection solutions, in addition to WAF (WAF Series).
NSFOCUS has recently added IP reputation, three WAF virtual appliances, new physical appliances with SSL acceleration hardware and a REST API to manage its WAF.
NSFOCUS' WAF is a good contender for organizations in China and East Asia, and for the vendor's current customers in other countries where the vendor has local presence.
Penta Security Systems
Penta Security Systems is in the Niche Players quadrant. The vendor has a faithful base of customers, and its international expansion in Asian countries is promising.
Penta Security Systems is based in Seoul, Republic of Korea, and has 220 employees. Its product portfolio includes WAFs (Wapples appliances and Cloudbric cloud-based WAF service), a database encryption platform (D'Amo) and authentication/SSO (ISign+). Penta Security emphasizes Wapples' "logic detection" technology, which does not require regular signature updates.
Recent corporate and WAF news from Penta Security includes Wapples version 5.0, with a change in operating system, support for TLS 1.2 and a new centralized management solution.
Penta Security Systems is a good choice for organizations looking for an easy-to-operate WAF, and especially for organizations in East Asia.
Positive Technologies
Positive Technologies is in the Visionaries quadrant. The vendor's investments in sales and marketing have not yet translated into global visibility. Its WAF appliance continues to attract new customers based on its strong anomaly detection capabilities.
Positive Technologies is co-headquartered in Moscow, London and Boston, and has more than 700 employees. The vendor's main product lines are MaxPatrol, a vulnerability management solution, and PT Application Inspector, which combines static, dynamic and interactive code analysis techniques. Positive Technologies' WAF (PT Application Firewall, or PT AF) product was initiated in 2013. It is currently available as a dedicated appliance, as a software version that can run on a third-party appliance and as a virtual machine that is predominantly installed on-premises.
In 2016, Positive Technologies introduced a few new appliance models for SMBs. Recent feature releases include user tracking, integration with Check Point Software Technologies' firewall and a new transparent proxy deployment option.
Organizations that are looking for high-security WAF appliances should consider adding Positive Technologies to their shortlists.
Radware
Radware moved from the Niche Players to the Visionaries quadrant. The vendor has strong market understanding, and its pace of innovation is accelerating. It is increasingly relevant for security managers who add cloud-based WAF service solutions and look for solutions to manage hybrid delivery models. However, Radware does not appear in enterprise shortlists as frequently as some competitors.
Radware (RDWR) is an application delivery and security vendor co-headquartered in Tel Aviv, Israel, and Mahwah, New Jersey. Its main product is its ADC, called Alteon. Its security solutions include a DDoS mitigation appliance (DefensePro), a DDoS protection virtual appliance (DefenseFlow), a cloud-based DDoS mitigation service (Cloud DDoS Protection) and a WAF (AppWall), which can be purchased individually or bundled together in Radware's Attack Mitigation Service (AMS) offering. AppWall may be deployed as a physical or virtual appliance, or as a module on top of Radware's ADC appliance (Alteon). AppWall is also available as a vendor-managed cloud-based WAF service (called Cloud WAF Service), based on the same technology as the AppWall appliance.
Recent announcements include the acquisition of Seculert, which adds machine learning, big data analytics and sandboxing capabilities to the Radware portfolio, and also enhances Radware's malware detection capabilities. Radware also announced a partnership to provide security services, including Radware Cloud WAF Service, to Chinese Tencent cloud customers. One of the significant features released during the evaluation period is DefenseMessaging, which enables Radware WAF customers with Radware's DDoS products to use AppWall to signal an attacker's source IP information to DefensePro DDoS to prevent further malicious activity.
Radware is a good shortlist candidate for most organizations, especially those that desire strong positive security and wish to deploy the same security levels across hybrid environments. Prospective customers should still verify the efficacy of the solutions for their environments, using third-party or in-house skilled security staff.
Rohde & Schwarz Cybersecurity (DenyAll)
Rohde & Schwarz Cybersecurity is in the Niche Players quadrant. Its approach to WAF management is praised by its customers, and the vendor bundles several innovations in its core platform to improve detection efficacy and avoid false positives. The vendor has limited market reach outside of Western Europe and grows below the market average, and its cloud-based WAF service offering is not fully mature yet.
Rohde & Schwarz Cybersecurity is a Germany-based electronics group. The vendor has acquired several vendors to build its cybersecurity division. It has more than 500 employees, including 90 in the DenyAll business unit, resulting from the acquisition in 2017 of DenyAll, a French vendor. DenyAll operates as an independent entity. In addition to DenyAll web application security products, Rohde & Schwarz Cybersecurity's portfolio includes a multifunction firewall product line (following the acquisition of gateprotect in 2014), endpoint security and encryption management products.
A key concept in the DenyAll WAF is the use of graphical workflow to configure traffic processing and inspection. Workflow view is a diagram, where administrators can drag and drop controls, response modification and other actions. The DenyAll WAF is available on AWS and Microsoft Azure. Cloud Protector is the cloud-based WAF service solution.
In addition to the DenyAll acquisition, recent news includes the release of versions 6.3 and 6.4, with the addition of three new security engines from legacy DenyAll rWeb, a new log management stack and integration of HSM.
Rohde & Schwarz Cybersecurity is a good shortlist contender for organizations looking for a WAF appliance, combining ease of use and in-depth security features, especially those located in Europe.
Venustech
Venustech is in the Niche Players quadrant. Its WAF sales are limited to China, and the vendor has not tackled international markets yet. Its WAF technology covers all the basics, but offers limited integrations.
Venustech is a well-known security brand in China. The vendor is headquartered in Beijing, China, and has more than 3,000 employees. The vendor also offers penetration testing services.
Recent news includes WAF virtual appliances and large physical appliances, geo-IP blocking, and improvements against evasion techniques.
Venustech is a good shortlist candidate for existing Venustech clients in China and Japan.
Vendors Added and Dropped
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Inclusion and Exclusion Criteria
WAF vendors that meet Gartner's market definition/description are considered for this Magic Quadrant under the following conditions:
WAF companies that were not included in this research may have been excluded for one or more of the following reasons:
In addition to the vendors included in this Magic Quadrant, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels in WAF projects, including A10 Networks, Alert Logic, Array Networks, Beijing Chaitin Technology, Brocade, DBAppSecurity, DB Networks, ditno., Indusface, Kemp Technologies, Limelight, Microsoft, ModSecurity, Nginx, Piolink, Qualys, Sangfor, SiteLock, Sucuri, Verizon, Wallarm and Zenedge.
The adjacent markets focusing on web application security continue to be innovative. This includes the RASP market and other specialized vendor initiatives. Those vendors take part in web application security, but often focus on specific market needs, or take an alternative approach to web application security. Examples include Cleafy, Distil Networks, Signal Sciences and Shape Security.
Evaluation Criteria
Ability to Execute
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria             Weighting
Product or Service              High
Overall Viability               Medium
Sales Execution/Pricing         Medium
Market Responsiveness/Record    High
Marketing Execution             Medium
Customer Experience             High
Operations                      Medium
Source: Gartner (August 2017)
Completeness of Vision
Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria             Weighting
Market Understanding            High
Marketing Strategy              Medium
Sales Strategy                  Low
Offering (Product) Strategy     High
Business Model                  Medium
Vertical/Industry Strategy      Low
Innovation                      High
Geographic Strategy             Medium
Source: Gartner (August 2017)
Quadrant Descriptions
Leaders
The Leaders quadrant contains vendors that have the ability to shape the market by introducing additional capabilities in their offerings, raising awareness of the importance of those features and being the first to do so. They also meet the enterprise requirements for the different use cases of web application security.
We expect Leaders to have strong market share and steady growth, but these alone are not sufficient. Key capabilities for Leaders in the WAF market are to ensure higher security and smooth integration in the web application environment. They also include advanced web application behavior learning; a superior ability to block common threats (such as SQLi, XSS and CSRF), protect custom web applications and avoid evasion techniques; and strong deployment, management, real-time monitoring and extensive reporting. They should also provide and regularly improve DDoS and bot mitigation capabilities. In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements and evolution in web applications that will require paradigm changes.
Challengers
Challengers in this market are vendors that have achieved a sound customer base, but they are not leading on security features. Many Challengers leverage existing clients from other markets to sell their WAF technology, rather than competing with products to win deals. A Challenger may also be well-positioned and have good market share in a specific segment of the WAF market, but does not address (and may not be interested in addressing) the entire market.
Visionaries
The Visionaries quadrant is composed of vendors that have provided key innovative elements to answer web application security concerns. They devote more resources to security features that help protect critical business applications against targeted attacks. However, they lack the capability to influence a large portion of the market, they haven't expanded their sales and support capabilities on a global basis, or they lack the funding to execute with the same capabilities as vendors in the Leaders and Challengers quadrants. Visionaries also have a smaller presence in the WAF market, as measured by installed base, revenue size or growth, or by smaller overall company size or long-term viability.
Niche Players
The Niche Players quadrant is composed primarily of smaller vendors that provide WAF technology that is a good match for specific WAF use cases (such as PCI compliance), or vendors that have a limited geographic reach. The WAF market includes several European and Asian vendors that serve clients in their regions well, with local support and an ability to quickly adapt their roadmaps to specific needs; however, they do not sell outside their home countries or regions. Many Niche Players, even when making large-scale products, offer features that would suit only SMB and smaller enterprises' needs.
Niche Players may also have a small installed base, or may be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investments or capabilities, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on a vendor's value in the more narrowly focused service spectrum.
Context
Gartner generally recommends that client organizations consider products from vendors in every quadrant of this Magic Quadrant, based on their specific functional and operational requirements. This is especially true for the WAF market, which includes a large number of relatively small vendors, or larger vendors, but with a small share of their revenue coming from their WAF offerings. Product selection decisions should be driven by organization-specific requirements in areas such as deployment constraints and scale, the relative importance of compliance, the characteristics and risk exposures of business-critical and custom web applications, and the vendor's local support and market understanding.
Security managers who are considering WAF deployments should first define their deployment constraints, especially:
For more information on WAF technology selection and deployment challenges, see "Web Application Firewalls Are Worth the Investment for Enterprises."
Market Overview
Gartner estimates that the WAF market totaled about $626 million in 2016, representing a growth of 21.3% compared to 2015. The Americas represent 43% of the total market, EMEA accounts for 27% of the market and the Asia/Pacific region accounts for 29%.
WAF Market Trends
Gartner has observed three big trends in the WAF market:
2018 could mark a tipping point in the WAF market evolution, as growth in cloud-based WAF service is now sufficient to sustain the global market despite declining appliance revenue.
The complexity of large-scale deployment is a competitive disadvantage against cloud services, but broader choice in vendors, plus the perceived security of on-premises deployment, currently give appliances and virtual appliances an advantage in enterprise client evaluations.
The Future of WAF Could Be Healthy
Based on Gartner's customer research survey (which aligns with Gartner inquiry; see Note 1), the most common applications protected by a WAF include:
The potential for future growth of the WAF market is still there. According to participants in Gartner's recent survey on web application security (see Note 2), WAF remains the most frequently used security control to protect web applications (84%), followed by enterprise IPS (61%) and use of application security testing (58%). Large enterprises might classify their public-facing web applications in tiers, where the most business-critical applications (Tier 1) require more stringent security controls and benefit from larger budgets, whereas other applications (Tiers 2 and 3) are more likely to suffer from constrained security budgets and resources. Gartner analysts more rarely see WAFs deployed in front of internal web applications.
When asked to rank their top-three most effective technologies and processes to protect enterprise web applications, WAF comes in first position (73%), followed by application security testing (53%). Industry reports, such as Verizon Data Breach Investigations Reports, continue to highlight the pattern of attacking web applications as the most prevalent entry point for data breaches, increasing general awareness of web application security risks in the market. 1
But WAF Is Shifting From Physical Appliance to Cloud-Based WAF Service
When looking forward, the future is not as bright for WAF appliances. Still, WAF generally does poorly against the use of stolen credentials, which is the No. 1 attack technique against web applications, involved in a third of the identified breaches. 1
A growing number of remotely hosted applications and improvements in security controls offered by cloud-based WAF service vendors reduce the advantage that WAF appliances once had.
In Gartner's enterprise application security study, participants' most commonly used deployment methodology for enterprise web applications remains on-premises (51%), with other options closing in: private cloud already accounts for 26%, IaaS for 16% and SaaS for 7% (see Note 2). Development methodologies are changing, too. A growing number of applications are developed leveraging agile methodologies (see Note 3). Sixty percent of survey participants are commonly using agile methodology for mobile application back-end development. This is also confirmed by Gartner's recent DevOps survey with IT professionals, in which only 28% of surveyed organizations have no plans to use DevOps.
Internal factors aggravating the decline of WAF appliances include the lack of innovation in this space. Some vendors are trying to divide their research and development resources to update the legacy appliance technology to support the more recent standards (HTTP 2.0, JSON payload analysis), while launching a cloud-based WAF service initiative.
One of the most frequent challenges reported by clients about WAF appliances is the deployment and operational workload. When participating value-added resellers were asked about future scenarios for WAF (see Note 1), 60% of the resellers noted they are very likely to sell more WAF cloud services than today, and 54% say they are very likely to sell more managed services for WAF technology. During Gartner client inquiries, security managers confirm increased interest in cloud-based WAF service, frequently as a way to reduce workload related to WAF deployment and operations. They like the idea of using managed services, but express concerns about the related costs and about the complexity of dealing with multiple managed security service providers.
Application security leaders report to Gartner frustration over the fragmentation of the web application security space. Cloud-based WAF service is one of the potential solutions to these challenges, as it can be easier to deploy, often bundles several of these features together in a subscription-based business model and is catching up in terms of security efficacy.
Newer use cases like mobile application security and the nascent Internet of Things are excellent fits for cloud-based WAF services. But IoT, single-page and mobile applications have a lot of the application intelligence in the client. WAF won't grow in these areas if it does not evolve its approach.
Cloud-based WAF service offerings will face growing competition from specialized vendors, such as Distil Networks and Shape Security for bot mitigation. They will also compete with alternate approaches to exploit detection and/or protection from new vendors, such as Signal Sciences.
Evidence
1 Verizon 2017 Data Breach Investigations Report:
Figure 33: Web app attack is the most prevalent attack vector involved in data breaches (29.5%).
Figure 52: Use of stolen credential: used in 33% of breaches, excluding botnet.
Note 1
Customer and Reseller Survey

In addition to hundreds of end-user inquiries about firewalls that Gartner analysts conduct every year, Gartner surveys its clients as well as end-user references and reseller references submitted by vendors.
In March 2017, Gartner surveyed 79 resellers currently actively selling web application firewalls as a part of their portfolio: 87% of the resellers have been reselling WAF for more than a year, and 36% for more than five years; 54% of the surveyed resellers sell more than one brand of WAF.
During the same period, 105 WAF end users were surveyed; 53% came from the Americas, 40% from EMEA and 34% from the Asia/Pacific region.
Note that the data shown in this report is included when self-reported data and other marketwide data seem to be aligned. End-user and customer survey data may be subject to self-reporting bias and do not necessarily reflect the market as a whole.
Note 2
Application Security Trends Study

Gartner's 2017 Application Security Trends Study was conducted via an online survey in January 2017 among Gartner Research Circle Members — a Gartner-managed panel composed of IT and business leaders. In all, 108 IT leaders with insight into their enterprise's web application security landscape participated.
Objectives: To understand the enterprise web application security landscape and to identify the trends organizations are facing in meeting their digital business objectives.
Note 3
Enterprise DevOps Survey

The Gartner Enterprise DevOps Survey Study was conducted via an online survey from 9 May 2016 to 13 May 2016 among Gartner Research Circle Members — a Gartner-managed panel composed of IT and business leaders.
Objectives: To learn how organizations are adopting DevOps as a means to accelerate enablement (that is, to go faster while improving quality). It also aims to inform on topics such as starting a DevOps approach, pitfalls to avoid, scaling efforts, integrating information security, pursuing this in a regulated environment and quantifying benefits.
In all, 252 IT and business leaders participated, with 95 members qualified by indicating they are already using DevOps.
Evaluation Criteria Definitions
Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.