  • Detection Capabilities

    • Common Threats

      A WAF should have built-in protection for common threats, such as those in the OWASP Top 10 and OWASP API Security Top 10.

    • Virtual Patching

      Many organizations struggle to keep up with updates and patching new vulnerabilities. A WAF should offer virtual patching, which blocks attempts to exploit known vulnerabilities.

    • Regular Updates

      New vulnerabilities are discovered every day. A WAF’s database of known attacks should be regularly updated to provide up-to-date protection.

    • Account Takeover Protection

      Account takeover attacks (such as brute force password guessing or credential stuffing) are increasingly common. A WAF should automatically detect and block these attempted attacks.

    • Business Logic Attacks

      Some attacks (such as cookie tampering and directory traversal) target the business logic of an application. A WAF should detect and block attempts to exploit these attack vectors.

    • Identify traffic from datacenters, Tor, proxies

      A WAF should be able to correctly identify and report requests coming from known data centers (in contrast to requests coming from residential IP addresses), Tor exit points and proxy servers.

  • Supported Services

    • Websites and Web Applications

      A WAF should provide comprehensive protection for websites of any type. This includes single page applications (SPA), websites, and web applications.

    • Application Programming Interfaces (APIs)

      APIs are a growing and vital component of an organization’s digital infrastructure. A WAF should support common API protocols, including XML-based (like SOAP), JSON-based (like REST), GraphQL, and gRPC.

    • Serverless

      Serverless applications are growing in popularity. A WAF should be able to protect AWS Lambda, Azure Functions, and GCP Cloud Functions.

  • Deployment

    • Full Environment Support

      A WAF should be able to provide protection in any deployment environment. This includes public, private, hybrid, and multi-cloud environments, private data centers, Kubernetes clusters, and service meshes.

    • Cloud-Native Deployment

      Organizations are increasingly moving their applications to the cloud. A WAF should be designed to operate in cloud environments and take advantage of cloud deployment (e.g. by being deployed in Kubernetes as a sidecar proxy or Ingress controller).

    • Multi-Tenancy Support

      An organization may have multiple different sites (or multiple departments/subsidiaries) that it wants to protect against attacks. A WAF should offer multitenancy to enable multiple sites to be protected by a single solution with proper user permissions management capability.

  • Low Management Overhead

    • Low False Positives:

      High false positive rates commonly drive WAF users to deploy solutions in passive/monitoring mode. A WAF should offer a low false positive rate so that production deployment is practical.

    • Signature-less attack detection capabilities.

      A signature-based WAF is typically more difficult to manage (rules must be added to avoid false positives) while keeping a high level of application protection. Your WAF should be able to block malicious requests without the need to manage signatures.

    • Auto-adjustment of security rules per customer and per application.

      A WAF should automatically learn the application structure and create the necessary security rules.

    • Managed SOC team.

      WAF solutions with a vendor cloud-based monitoring and protection module should provide SOC capability to customers as part of the subscription service.

  • Scalability

    • Multi-region/multi-cloud deployment.

      Users should be able to deploy the WAF to any public cloud, such as AWS, Azure or GCP.

    • Native integration with popular web server software.

      A WAF should support module-based integration with your existing NGINX load balancer.

    • Scales with Clusters (horizontal scaling).

      It should be easy to deploy an auto-scaling cluster of WAF nodes using the provided Terraform automation code.

  • API Protection

    • API Protection for modern APIs

      A WAF should protect APIs built on the modern tech stack and using REST, SOAP, gRPC, GraphQL, and WebSocket.

    • API Abuse Protection
    • Protection without a provided API schema.

      A WAF should be able to automatically protect API endpoints without a need for the user to provide API schema definitions.

  • Observability

    • Understandable, Informative, Customizable Dashboards:

      An organization’s security team needs to be able to easily determine the current status of its web security and respond to potential threats. A WAF should offer a web-based user-friendly dashboard to maximize the effectiveness of an organization’s security team.

    • Deep-dive on “why” of blocking.

      Give me a pcap.

  • Compliance and Reporting

    • Regulatory Compliance Support:

      Most organizations are subject to a number of different regulations with associated security and reporting requirements. A WAF should offer support for common regulations (like PCI DSS or GDPR) and enable users to easily collect data and generate reports for auditors or regulatory authorities.

    • Built-In Report Formats:

      An organization’s security team may need to generate reports for executives, auditors, etc. A WAF should have integrated support for generating common reports.

    • SOC2 compliance:

      WAF vendors should meet SOC2 compliance requirements and have a SOC2 certificate to meet customer standards and practices.

  • Usability

    • Easy Configuration and Updates:

      An organization needs to be able to easily configure its WAF to meet its unique business needs and install updates to take advantage of new features and functionality.

    • Ability to access WAF documentation:

      A WAF solution should provide a detailed documentation site about how to deploy and use the system.

  • Cost

    • Should be within the budget.

      Cyber protection is a key part of IT infrastructure today, and customers should be able to afford WAF protection appropriate to their size and infrastructure maturity level.

    • Clear pricing model.

      Many WAF vendors make their pricing structure unclear and complicated, so customers are exposed to unexpected price increases as traffic and usage grow. Ideally, WAF vendors should have a single trigger for price increases and a predictable, transparent pricing model, so customers can plan ahead for their operations growth.

  • Integrations

    • Public API.

      A WAF should include a publicly-accessible API. This enables users to integrate it with a variety of different external solutions, such as log management with an ELK stack.

    • Webhooks:

      A WAF should incorporate support for webhooks, which enable the development of custom issue tracking and analytics platforms.

    • SIEM Integrations:

      A Security Information and Event Management (SIEM) solution is designed to provide security data aggregation and analytics. A WAF should have integrations for major SIEM platforms: Splunk, Sumo Logic, IBM QRadar.

    • DevOps Tool Integrations:

      Adoption of DevOps principles means that development teams need to be able to automate testing and deployment activities. A WAF should integrate into DevOps pipelines to enable rapid configuration updates. A WAF should have built-in integrations for major DevOps tools like PagerDuty and OpsGenie.

    • Messenger Integrations:

      Security teams need to rapidly respond to potential incidents. A WAF should include integration with common messaging platforms for instantaneous notifications: Slack & Microsoft Teams.

    • Smart notifications:

      WAF customers should be able to customise and set event notifications (also known as “Triggers”), including integrations with SIEM, DevOps and messenger tools. Apart from notifications on events (like attacks), WAF customers should be able to use “smart” blocking techniques and set quick action rules.

    • Metrics exposed.

      WAF nodes should provide helpful monitoring metrics in the popular Prometheus format.

  • Active Checks / Vulnerability Scanner Capabilities

    • Integrated Vulnerability Detection.

      A WAF should automatically identify potential vulnerabilities within an organization’s applications. Detections should be based upon active/passive scanning, threat intelligence, and knowledge of public vulnerabilities.

    • Misconfiguration.

      A WAF should be capable of detecting and alerting on misconfigurations that impact the security or usability of an application or API.