Security Controls in the US Enterprise: Web Application Firewall



Jason Pappalexis, John Whetstone, Will Fisher, Mike Spanbauer



Web application firewalls (WAFs) protect web applications against a range of attack types, such as cross-site scripting (XSS), SQL injection, and buffer overflows. In doing so, WAFs help companies that do business on the web avoid data breaches, which can expose consumers to fraud and erode customer confidence, both of which directly affect revenue. To maintain PCI DSS compliance, companies must either assess their public-facing web applications for vulnerabilities and remediate the findings, or deploy a WAF in front of those applications.



  • Product scope, alternatives, deployment, and purchase authority
  • Metrics on product use within the enterprise
  • Who manages WAFs? (breakdown by organization size)
  • Who uses API controls? (breakdown by organization size)
  • Enterprise challenges



Part of a series on security controls deployed by US enterprises, this brief includes current usage statistics for WAFs within small and medium-sized enterprises (SMEs), large enterprises (LEs), and very large enterprises (VLEs).

As with all NSS Labs group tests, there was no fee for participation. All testing was conducted independently and was not paid for by any vendor.