Blog Post View

Web application firewalls (WAF) are known as important components of enterprise cybersecurity postures. One of the fastest-growing segments of the cybersecurity industry, WAF is projected to grow at a CAGR of 16.7 percent for the next nine years.

Some parties, however, are raising questions about the effectiveness of web application firewalls as the threat landscape evolves. Qdrant DevOps engineer Mac Chaffee, for example, says that “WAFs have overstayed their welcome in the security toolbelt”. He points out some issues like the reduction of upload speeds, relatively low average number of requests per second, and high processing power consumption.

In this article, we’ll explore the role of the WAF in cybersecurity. The points raised here focus on its effectiveness as a defensive solution, its shortcomings, and complementary solutions to achieve holistic enterprise network protection.

The Purpose and Effectiveness of WAF

When it comes to your network security, what exactly is a WAF? Essentially, it’s a solution created to monitor data packets. It can be seen as a network-based appliance or a server plugin in the web host and a service provided through the cloud. It enables the filtering of data packets moving inward or outward. Web application firewalls are designed to protect against attacks such as cross-site scripting, SQL injection, file inclusion, and cross-site forgery.

The key goal of using WAF is the regulation of data exchanged during online interactions and digital transactions. Social media and mobile app operators use it to ensure the integrity of user data and prevent data leakage. Online banking and FinTech companies have it as a preventive tool against attempts to steal card data and other details related to online transactions.

Organizations with online operations also make use of WAFs as part of security policy enforcement and to prevent attacks that target security vulnerabilities in applications.

Is WAF effective for security? It does serve its intended purpose. WAF solutions have demonstrated effectiveness, but there are some caveats. Various cloud computing and content delivery network providers that offer WAFs have conducted studies on WAF effectiveness, and the consensus seems to be that new approaches are necessary to improve the way WAF works, given the evolving threat landscape.

It is worth noting that the different WAF solutions available at present appear to have a wide security performance spread. One study by Finnish firm Fraktal notes that the effectiveness of different solutions varies widely because different WAF products have different specializations or areas where they excel.

Moreover, the effectiveness of a WAF solution can also be relative as far as the software publishers using WAFs are concerned. There are studies showing that some organizations prefer to maximize their traffic even if it means that some attacks manage to penetrate. Users prefer to be in control over their traffic rather than lose significant traffic because of unmodifiable strict WAF filtering.

Addressable Limitations

WAF is known for its processing overhead drawback. Since it filters traffic, it entails additional processing requirements. This can slow down the performance of web applications, especially during traffic surges. The leading WAF providers address this issue by optimizing software design, implementing Just-in-Time compilation, the option for security policy fine-tuning, and advanced caching.

On the other hand, because they filter traffic based on defined rules, WAFs tend to be ineffective against zero-day attacks or those that have not been recorded in the threat database yet. This weakness is being addressed by the use of artificial intelligence to detect threats not only through threat signatures but also by analyzing activity patterns to spot anomalies or suspicious actions across networks.

Web application firewalls can also have issues when it comes to configuration challenges. Their settings are often relatively complex for inexperienced users. It is not uncommon for some to impose overly restrictive configurations that block significant volumes of legitimate traffic. Conversely, some have extremely loose configurations that make the WAF virtually useless.

Moreover, WAFs have a limited ability to defend against logic attacks. They also have difficulties in addressing API security gaps. These inadequacies are addressed by the introduction of supplemental functions or by packaging WAF as part of a broader cybersecurity solution.

Again, WAF works for its stated purpose, but this purpose is notably narrow. It focuses on HTTP or HTTPS traffic, which means it provides protection against data packet-based attacks aimed at web applications or websites but not for other potential attack surfaces. It is not enough to provide complete protection for an enterprise network. It does not secure endpoints, internal servers, and other IT resources.

Achieving Full Enterprise Network Protection

The doubts over the effectiveness or practicality of deploying a web application firewall in the current cybersecurity paradigm are not unfounded. There are legitimate criticisms over existing WAF solutions, especially the standalone WAF products. However, it would be unwise to totally dismiss WAF’s role in securing enterprise networks.

Web application firewalls can be upgraded with more functions to make them more effective in dealing with evolving threats. In addition to the upgrades mentioned above to resolve the limitations of conventional WAF, functions such as application profiling and correlation engines can also be added.

Application profiling refers to the analysis of an app’s structure to have a thorough understanding of what constitutes an unusual and potentially malicious request, making it possible for the WAF to block such threats.

Correlation engines facilitate the detection of threats through multiple information sources, including attack signatures and bespoke algorithms. They are comparable to the correlation mechanisms used in Security Information and Event Management (SIEM) to enhance the identification of threats.

Moreover, WAFs can be more practical if they are integrated into a broader cybersecurity platform that includes functions designed to boost their effectiveness and make up for the deficiencies. It makes sense not to spend unnecessarily on a separate web application firewall if its functions are already part of a cybersecurity solution that addresses other enterprise network threats. This solution can include API security, Runtime Application Self-Protection (RASP), advanced bot defense, as well as client-side security.

An Essential Component

To emphasize, WAF is not enough to secure the entire enterprise network. It is just one of the solutions needed to secure a specific aspect of networking. There are other fundamental security requirements such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Endpoint Detection and Response (EDR), encryption, Data Loss Prevention (DLP) systems, Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR).


A reputable WAF solution provides reliable protection against attacks through HTTP/HTTPS connections or those that target websites and web apps. Some may say that it is possible to do away with WAFs by implementing isolation and static analysis for the CI pipeline. However, a quality web application firewall is more convenient – even though gaining proficiency in its configuration may not be a walk in the park.

Share this post

Comments (0)

    No comment

Leave a comment

All comments are moderated. Spammy and bot submitted comments are deleted. Please submit the comments that are helpful to others, and we'll approve your comments. A comment that includes outbound link will only be approved if the content is relevant to the topic, and has some value to our readers.

Login To Post Comment