WAFs are an integral part of an organization’s cybersecurity strategy – especially if data security is a top concern. Web application attacks are the most likely vector for a data breach attack and hence require adequate monitoring and protection. However, Not all organizations are pleased with their WAFs, as there are both good and bad WAFs, and other organizations may be hesitant to invest in a WAF.
One of the main reasons organizations may be unsatisfied with their WAF services is the total cost of ownership of the WAF service itself. In a recent Web Application Security research report, many WAF investors complained of its high cost and found staffing for WAF operation “cumbersome.”
According to the Ponemon Institute’s 2019 report on “The State of Web Application Firewalls,” organizations spend an average of $620,000 USD annually on their WAF services. So, many organizations may feel like they are not getting an ROI on their WAF systems.
A WAF is by no means an inexpensive security expense. Organizations that understand the value of web application security know that WAFs, in addition to pricing, also vary in ease of installation and use, sophistication, and performance. Even the most expensive WAFs may not be the best solutions as they may be missing features or provide inadequate threat detection and or protection. Yet, only 40% of organizations are satisfied with their WAF.
Pricing or total cost of ownership also comes down to the infrastructure you’re working and whether you’re deploying a hardware WAF, a cloud-based based WAF, or hybrid WAF. If you’re operating under a cloud environment, for example, you are not paying for any dedicated WAF hardware/appliance. Let’s take a look at some of the most common WAF pricing models breakdown.
Types of Web Application Firewall Pricing Models
Below are other ways in which WAF pricing may be calculated:
> Installment and upfront fees
- The upfront cost may include fees for either a physical or a virtual dedicated server.
> Licensing or subscription fees
- Based on throughput or traffic
- Based on the number of domains
- Based on the security rules/policies implemented (ex. AWS WAF)
> Additional incurred WAF costs
For some WAF vendors, there are additional charges for additional features or add-ons:
- Virtual patching
- Technical support
- Maintenance and system updates fees
- Added security solutions like DDoS protection, SSL certificates
- Added network features such as CDN, load balancing, etc.
In some cases, WAF is offered as a security add-on by website vulnerability scanners companies or CDN providers. However, investing in a WAF through this route means possibly limiting yourself with what the WAF can do in terms of capabilities.
Why the WAF pricing disparities?
Because a WAF may act as a reverse proxy, web traffic is usually rerouted first through your WAF of choice before reaching any of your sites. At the bare minimum, you expect legitimate visitors to be able to access your web applications without issues.
If your WAF were to block a legitimate visitor, then you’re not only risking losing business but also affecting your visitors’ experience. If the WAF performs inadequately, and your website goes offline due to a DDoS attack or if a cyber attack leads to data leakage, you’re also losing the trust of customers, prompt lawsuits, and possibly risk going under.
The problem with many commercial WAFs is that they are expensive, not always easy to use, and require maintenance and configuration. Therefore, companies must consider all this when they are evaluating the ROI of their WAF. For WAF maintenance and configuration, organizations must invest in the necessary resources and manpower.
In this scenario, if an organization is not fully equipped with a security specialist team to handle any out of box settings or configuration, then deploying a fully managed WAF makes sense. A fully managed WAF handles all the maintenance, configuration, and updates for the customer so that the WAF can run fully automated without the customer needing to do anything extra.
So you may be asking “What is the ROI I am getting if I invest in a WAF?” Many organizations operate under the assumption that they will not be the target of an attack. Hackers make no distinction between big or small organizations; SMBs are just as likely to get hit with a cyberattack and often are. In the same Ponemon Institute report referenced above, 86% of WAF users experienced application-layer attacks in the last 12 months.
It’s why preventive and proactive measures against cyberattacks are important. However, many organizations wait until they are attacked to invest in a WAF. So for those organizations that want to take a protective approach to their security, below are the many questions you should when weighing the pros and cons of investing in a WAF solution:
- On average how many hacking attempts are you getting on a weekly basis?
- How many of those require manual analysis?
- How many hours do you spend trying to identify and solve each issue?
- How much revenue are you losing when current or potential customers/leads leave if your web applications (i.e. websites) are offline due to an attack?
- How many customers do you currently serve reliant on these web applications?
- What is the average revenue brought in per customer?
- Do you currently have a security specialist team? What are their hourly rates?
While the above does not provide a comprehensive assessment for WAF ROI, it’s a great starting point for any organization that is seriously looking into investing in a WAF. Many times, organizations will have no point of reference for what they should ask their security teams to calculate the ROI.
Some clients may directly tie ROI with the WAF’s ability to detect web application attacks and learn security policies dynamically too. Let’s explore that in the next blog!