This week marked the release of the first Gartner Web Application Firewalls Magic Quadrant. I’m very pleased to report that Imperva was named the only Leader in this quadrant, which is a rare thing in the world of magic quadrants. It’s taken a lot of people a lot of work to get Imperva here, and I’m very proud of everyone who has contributed to this over the years.
But even more pleasing than the vendor rating is what this means for WAF vendors’ ability to do good in the world. It may sound corny to say, but I come to work every day not just because it’s a job, but because I believe that what Imperva is doing is actually good for the world. We say we are “helping organizations fully realize the promise of a hyperconnected world.” What that means in less high-minded prose is that we protect organizations of all types from a variety of malicious hackers, fraudsters and other bad actors so that they can safely conduct business online. Like anything, online business has its plusses and minuses. But on balance, I believe it’s a positive, equalizing influence on the world.
One of the most frustrating things that happens to me is when an organization calls Imperva after they’ve been breached and, when we go in to help out, we find out that they had been relying on a network security solution (either an Intrusion Prevention System or a Next Gen Firewall) to prevent web application attacks (almost always this is SQL Injection). We’ve even talked to organizations that have come to us only after their second breach to find out that their “solution” the first time around was to buy more of the IPS solution that didn’t stop the first breach. In every case I can recall, our WAF (and probably our competitors’ products, by the way) would have been able to stop the attack with a default policy.
Not long after I started at Imperva, I teamed up with colleagues from Teros (now a part of Citrix), Netcontinuum (now a part of Barracuda), and F5 to challenge the large network security players to prove their claims of protecting against web application attacks. We worked with the ICSA on a criteria set and test plan (which was the prototype for the current ICSA WAF Certification). None of the network security players took us up on the challenge, preferring instead to encourage their customers’ mistaken belief that they would be protected. This was a disappointing reaction. Even worse, I think many security professionals disregarded our effort, having been conditioned over time to be skeptical of vendor claims. The result has been that frustrating dynamic…getting called to come in after a breach that was easily preventable if the customer had just understood the difference between IPS or Next Gen Firewall and a Web Application Firewall.
So I see this quadrant as a possible antidote. Gartner is a third party and doesn’t have a vested interest in a WAF vs IPS and NGFW purchasing outcome, so their opinion is more easily accepted by security professionals. And Gartner has been consistent and clear on this point.
In a recent paper, “Web Application Firewalls Are Worth the Investment for Enterprises” (Jeremy D'Hoinne, Adam Hils. Gartner, Inc., 28 February 2014), they wrote:
“Firewalls and intrusion prevention systems don't provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications. Here, we explain how Web application firewalls help security leaders to better protect Web applications in their organizations.”
And even in the 2014 “Magic Quadrant for Enterprise Network Firewalls” (Greg Young, Adam Hils, and Jeremy D’Hoinne. Gartner, Inc., April 2014), they wrote:
“…Gartner does not see NGFW and WAF technologies converging because they are for different tasks at different placements.”
I’m hopeful that because of reports like these and this week’s magic quadrant, security professionals will begin to realize that their existing network security products don’t protect them from web application attacks. And instead of getting called in after the breach, Imperva and other WAF providers will be given the chance to protect organizations beforehand.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.