Gartner 2018 WAF Magic Quadrant Report: Cloud WAF Keeps Growing, and the Future Belongs to Bot Management and API Security

Source: https://www.freebuf.com/articles/paper/184903.html

AngelaY  2018-09-19  *Compiled and edited by AngelaY; please credit FreeBuf.COM when reposting

 

On 29 August, Gartner published its 2018 Magic Quadrant for Web Application Firewalls (WAF), the fifth consecutive year it has done so since 2014. As usual, the report describes the overall state of the global WAF market and gives a detailed analysis of the strengths and weaknesses of the main WAF vendors. This year Gartner raised its evaluation criteria and made new predictions about where the WAF market is heading.

As in previous years, the report serves as a reference for enterprise security teams, who can use it to evaluate how a WAF can deliver security that is easy to consume and manage while still meeting data privacy requirements.

In recent years enterprises have increasingly adopted cloud WAF services to protect their business, driving continued growth in the WAF market. The 2017 Gartner WAF Magic Quadrant concluded that cloud WAF would overtake physical appliances as the mainstream delivery model, and the 2018 report confirms that conclusion.

Strategic Planning Assumptions

By 2020, stand-alone WAF hardware appliances will account for fewer than 20% of new WAF deployments, a clear decrease from today's 35%.

By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services, a huge increase from today's 10%. Combining distributed denial of service (DDoS) protection, bot mitigation services, API protection and WAF capabilities gives web applications better security protection.

State of the WAF Market

The WAF market is driven by customers' need to protect public and internal web applications. A WAF protects web applications and APIs against a variety of attacks, including automated attacks (bots), injection attacks and application-layer denial of service (DoS). A capable WAF not only provides signature-based protection but should also support a positive security model (automated whitelisting) and/or anomaly detection.

A WAF is typically deployed in front of web servers to protect web applications against internal and external attacks, to monitor access to the web applications, and to collect access logs for compliance/auditing and analytics. WAFs have usually taken the form of physical or virtual appliances, but they are increasingly delivered as cloud WAF services. A WAF is most often deployed in-line as a reverse proxy because, historically, a reverse proxy was the only way to perform in-depth inspection. Other deployment modes are available today. Currently, the rise of cloud WAF services, which act as reverse proxies by design, and the adoption of newer transport layer security (TLS) suites that require in-line traffic interception (man in the middle) for decryption have both increased the use of reverse proxies.

A cloud WAF service combines cloud-delivered as-a-service deployment with a subscription model. Cloud WAF service providers may offer a managed service; for some customers it is a mandatory component of using the WAF. Some vendors have chosen to leverage their existing WAF solutions and repackage them as SaaS. This lets a vendor bring a cloud WAF service to customers more quickly and reuse existing features, differentiating it from cloud-native WAF services with a more limited feature set. One difficulty with this approach is simplifying the management and monitoring console inherited from the full-featured WAF appliance to meet customers' expectations for ease of use without shrinking security coverage. Gartner defines cloud web application and API protection (cloud WAAP) services as the evolution of existing cloud WAF services. In the long term, cloud WAF services that were built from the start to be multitenant and cloud-centric avoid the high cost of maintaining legacy code. They also provide a competitive advantage: faster release cycles and rapid implementation of innovative features. Some enterprises use cloud WAF services built from WAF appliances in order to obtain a unified management and reporting console.

This Magic Quadrant includes WAFs that are deployed external to web applications rather than integrated directly on web servers:

Purpose-built physical, virtual or software appliances;

WAF modules embedded in application delivery controllers (ADCs);

Cloud WAF services, including WAF modules embedded in larger cloud platforms (such as content delivery networks, CDNs) and cloud WAF services delivered directly from infrastructure as a service (IaaS) platforms;

Virtual appliances available on IaaS platforms, as well as WAF solutions from IaaS providers.

API gateways, bot management (including malicious-bot mitigation and good-bot whitelisting) and RASP can be regarded as adjacent to WAF services and may compete with them for the same customers. This motivates WAF vendors to add features from those adjacent markets when appropriate. For example, cloud-based WAF services can bundle web application security with DDoS protection and CDN. The ability of a WAF to integrate with other enterprise security technologies, such as application security testing (AST), web access management (WAM) or security information and event management (SIEM), gives WAFs an advantage in the market. Consolidating WAF with other technologies such as ADCs, CDNs or DDoS mitigation cloud services brings both benefits and challenges. However, when it comes to web application security, the market evaluation focuses more heavily on the buyer's security needs. Accordingly, how WAF technology performs in the following areas matters most:

Maximizes the detection and catch rate for known and unknown threats;

Minimizes false alerts (false positives) and adapts flexibly to continually evolving web applications;

Differentiates automated traffic from human users and applies appropriate controls to both categories of traffic;

Promotes broader adoption of the WAF through ease of use and minimal impact;

Automates incident response workflows so that web application security analysts can work efficiently;

Protects not only internally used web applications and APIs but also public-facing ones.

Gartner scrutinized these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) or open-source/free WAF (such as ModSecurity) achieves by leveraging a rule set of generic signatures.

Gartner strengthened the inclusion criteria for this year's Web Application Firewall Magic Quadrant to reflect enterprises' changing requirements when selecting WAF providers. The updated criteria include a requirement that vendors earn a minimum amount of revenue outside their home region, which excluded some local vendors.

Magic Quadrant

Figure 1. WAF Magic Quadrant 2018 (image)

 

Figure 2. WAF Magic Quadrant 2017 (image)

 

This year's WAF Magic Quadrant is shown in the figures above, where:

Vendors in the Leaders quadrant: Akamai and Imperva;

Vendors in the Challengers quadrant: F5, Fortinet, Cloudflare, Citrix and Barracuda Networks;

Vendors in the Niche Players quadrant: Instart, Amazon Web Services, Rohde & Schwarz Cybersecurity, Ergon Informatik and Microsoft;

Vendors in the Visionaries quadrant: Oracle and Radware.

Vendors Added and Dropped

In 2018 Gartner updated the Magic Quadrant inclusion criteria to reflect enterprises' more realistic and more pressing needs. One requirement is that vendors must have a customer base outside their home region. Gartner has observed a growing number of small vendors operating only in their local region, and more CDN and ADC vendors adding WAF as a feature of their products or services. To reflect the stricter requirements of WAF buyers worldwide, this Magic Quadrant requires that more than 5% of a WAF vendor's customer base be located outside its home region, a criterion worth noting.

Because of the change in criteria, the vendors in this year's WAF Magic Quadrant also changed.

Vendors added:

Microsoft (Azure)

Oracle (which acquired Zenedge)

Vendors present last year but not this year:

NSFOCUS

Penta Security

Positive Technologies

Venustech

In addition, F5 fell from the Leaders quadrant in 2017 to the Challengers quadrant.

Gartner's profiles and assessments of the two Leaders, Imperva and Akamai, are summarized below for reference.

Imperva

Imperva is an application, database and file security vendor whose portfolio includes database security products (SecureSphere Data Protection, Database Audit and CounterBreach), a WAF appliance (SecureSphere WAF) and a cloud WAF service (Incapsula). Imperva also offers managed security services and a managed SOC.

Gartner sees Imperva's first strength in its marketing strategy. It not only offers a flexible mix of products and services to organizations with a combination of on-premises and cloud-hosted applications, but is also one of the few vendors that provides both a WAF appliance and a cloud WAF service. Imperva also focuses on customer experience, shipping its products with ThreatRadar shared threat intelligence and continually updating and improving them. Geographically, Imperva offers products and sustained, effective support in most regions, and has performed especially well in the Asia/Pacific region recently.

It is worth noting, however, that because Imperva is going through many organizational changes, its release pace has slowed and its market responsiveness needs to improve. Customers also expect more from its cloud WAF service, such as single sign-on (SSO) and more detailed and flexible scheduled reports. Customers feel that Imperva's cloud WAF service cannot yet match the depth and breadth of security features covered by its appliance product line, that its coverage is not broad enough, and that some products are expensive. In addition, customers would like to see improvements in the management console for advanced features, which remains complex, and in the limited cross-site and multidomain management and reporting.

Akamai

Akamai is a global CDN provider with a team dedicated to web application security. In addition to its WAF (Kona Site Defender), Akamai offers other security services, including application access control (Enterprise Application Access), a managed DDoS scrubbing service (Prolexic), an API gateway (Akamai API Gateway) and DNS services (Fast DNS). Akamai also offers a trimmed-down, lower-cost version of Kona Site Defender called Web Application Protector (WAP).

Gartner sees Akamai's strengths in its continuous development and improvement of its web application security solutions and in the ongoing growth of its threat research and security operations center (SOC) teams. In cloud services, Akamai offers a broad portfolio suited to users with differing needs. Akamai has an extensive network in North America and Europe, can automatically analyze and triage the entire traffic it processes, and offers managed services to customers, all of which have earned it a good reputation.

At the same time, it is worth noting that Akamai's WAF is available only as a cloud service, which implicitly rules out many customers who do not use, or cannot easily use, cloud security solutions. Akamai's WAF service is also relatively expensive and bundles many options. Its policy management system offers a poor experience, there is no effective way to test updated rules, and it also falls short in security automation and in the positive security model.

Report Context

Gartner believes that customer enterprises and organizations should consider the vendors in every quadrant in light of their own situation and choose products and services based on features and actual needs. In fact, the WAF market contains many smaller vendors, or vendors for whom WAF is only a small part of their overall business. Customers selecting a WAF product or service must also take their own specific requirements into account, such as deployment mode, deployment scale, compliance, the risk of confidential business data leakage, the customer's web applications, and the vendor's local support and market familiarity.

Security professionals considering a WAF deployment should first consider their own deployment constraints, in particular the following:

Whether a full deployment of an in-line, reverse-proxy WAF in front of the web applications is acceptable, given that such a WAF blocks traffic;

The strengths and weaknesses of the different WAF delivery options (dedicated appliance, CDN, ADC and cloud service);

SSL decryption/re-encryption and other scaling requirements.

WAF Market Overview

Gartner estimates that the WAF market will reach US$853 million in 2018, an 11.9% increase over 2017's US$762 million. The Americas account for 47.6% of the total market, Europe, the Middle East and Africa together account for 31.2%, and Asia/Pacific accounts for 21.2%.

As more enterprises power new digital business through public-facing applications (including API-driven mobile or Internet of Things applications), web application security is receiving ever more attention. According to Verizon's report, web applications were the number one attack vector behind data breaches in 2017.

In discussing WAF usage with clients, Gartner has found that some clients confuse a WAF with the application control (application awareness) feature of a network firewall. The main advantage and characteristic of a WAF is that it defends against "self-inflicted" vulnerabilities in web application code developed in-house, as well as vulnerabilities in off-the-shelf web application software. Without a WAF, other technologies that are mainly aimed at known exploits cannot defend against such vulnerabilities. Surveys also show that most attacks against these enterprise web applications come from external attackers.

Gartner finds that clients who need a cloud WAF service and clients who need a WAF appliance have different expectations:

Organizations seeking a cloud WAF service usually expect multiple bundled features (especially DDoS protection, bot management and CDN), delivered in a package that is easy to deploy and easy to operate. They also increasingly need deeper security controls and finer-grained configuration options. For them, however, deploying a WAF usually takes a lot of time, which puts them under considerable pressure;

Organizations looking for a WAF appliance (physical or virtual) are more likely to already have a WAF appliance installed. They have higher expectations for the positive security model, advanced security features and the WAF's integration into incident response workflows.

WAF Market Trends

Gartner has observed the following trends in the WAF market:

Sales of physical appliances and deployments of WAF modules from ADC vendors are both declining; at the same time most vendors are seeing sales decline, and only a few vendors have achieved slow single-digit growth driven by increased subscription revenue;

Cloud WAF services continue to grow steadily. Cloud WAF now accounts for more than 35% of the entire 2017 WAF market. Vendors that started out with cloud WAF solutions are more competitive than traditional vendors. In the survey, IaaS providers offering WAF services remain at an early stage;

More organizations want to use cloud WAF to "focus on the application"; the number of organizations taking the conservative approach of using the same WAF appliance on-premises and on IaaS is also growing. In addition, multilayer strategies have been folded into the overall strategy, which encourages more unified management and reporting.

Cloud WAF services are used more often for public-facing applications. Large-scale deployment of cloud WAF appliances remains complex, which is still a competitive disadvantage for cloud WAF. Web application strategies can follow a "hybrid approach", using the same WAF technology as WAF appliance best practices to protect on-premises and cloud-hosted assets.

The WAF market also faces competition from adjacent technologies and, increasingly often, challenges from alternative approaches. Solutions that combine a traditional WAF with RASP application tooling, approaches that use an analytics back end to detect attack patterns across the customer base, and approaches that push updates to individual sensors (for example, Signal Sciences or tCell) all pose challenges to WAFs.

Bot Management Is Developing, With API Security Close Behind

In recent months, the ability to differentiate automated traffic from human customers has become a more important WAF requirement. Bot mitigation and good-bot handling have become scrutinized features, and WAF vendors are adjusting their products to add these capabilities. Larger enterprises evaluate specialist vendors (such as Distil Networks, PerimeterX, Shape Security and Stealth Security) alongside their WAF to mitigate bot attacks. Conventional techniques based on reputation detection and fingerprinting are now only adequate against low-end bots and slow-moving advanced bots, so more enterprises are adding behavioral analysis requirements to their RFPs. Gartner expects bot management (including bot mitigation and good-bot handling) to become a core capability emphasized in WAF evaluations in the near future.

API security features will go through a similar development, but market awareness of this capability is still low. In the past, many organizations treated API management gateways as a stopgap solution. Gartner predicts that by 2022, "API abuse will be the most frequent attack vector resulting in data breaches for enterprise web applications." Today only some WAF vendors offer basic API security features, a situation that will improve as specialist API security vendors emerge.

 

=====================================================================

Magic Quadrant for Web Application Firewalls

Source: https://www.gartner.com/doc/reprints?id=1-5ELTARA&ct=180904&st=sb

Published 29 August 2018 - ID G00340592 - 71 min read


The WAF market is growing, driven by the adoption of cloud WAF services. Enterprise security teams should use this research as part of their evaluations of how WAFs can provide improved security that’s easy to consume and manage, while respecting data privacy requirements.

Strategic Planning Assumptions

By 2020, stand-alone web application firewall (WAF) hardware appliances will represent fewer than 20% of new WAF deployments, which is a decrease from today’s 35%.
By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection and WAFs. This is an increase from fewer than 10% today.

Market Definition/Description

This document was revised on 3 September 2018. For more information, see the Corrections page.
The web application firewall (WAF) market is being driven by customers’ needs to protect public and internal web applications. WAFs protect web applications and APIs against a variety of attacks, including automated attacks (bots), injection attacks and application-layer denial of service (DoS). They should provide signature-based protection, and should also support positive security models (automated whitelisting) and/or anomaly detection.
WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs exist in the form of physical or virtual appliances, and, increasingly, are delivered from the cloud, as a service (cloud WAF service). WAFs are most often deployed in-line, as a reverse proxy, because, historically, that was the only way to perform some in-depth inspections. There are other deployment options. The rise of cloud WAF services, performing as reverse proxies by design, and the adoption of more-recent transport layer security (TLS) suites that require in-line traffic interception (man in the middle) to decrypt, have reinforced the use of reverse proxy.
Cloud WAF service combines a cloud-delivered as-a-service deployment with a subscription model. Cloud WAF service providers may offer a managed service, and, for some, it is a mandatory component of using the WAF. Some vendors have chosen to leverage their existing WAF solutions, repackaging them as SaaS. This enables vendors to have a cloud WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native WAF service offerings with a more limited feature set. One of the difficulties with this approach is simplifying the management and monitoring console, inherited from the comprehensive WAF appliance feature set to meet clients’ expectations for ease of use, without shrinking security coverage. Gartner defines cloud web application and API protection (cloud WAAP) services as the evolution of existing cloud WAF services (see “Defining Cloud Web Application and API Protection Services”). In the long term, cloud WAF services, which were built from the beginning to be multitenant and cloud-centric, avoid costly maintenance of legacy code. They also provide a competitive advantage, with faster release cycles and rapid implementation of innovative features. Some organizations consuming cloud WAF services built from WAF appliances do it to acquire a unified management and reporting console.
This Magic Quadrant includes WAFs that are deployed external to web applications and not integrated directly on web servers:
  • Purpose-built physical, virtual or software appliances
  • WAF modules embedded in application delivery controllers (ADCs; see “Magic Quadrant for Application Delivery Controllers”)
  • Cloud WAF service, including WAF modules embedded in larger cloud platforms, such as content delivery networks (CDNs), and cloud WAF services delivered directly from infrastructure as a service (IaaS) platform providers
  • Virtual appliances available on IaaS platforms, as well as WAF solutions from IaaS providers
API gateway and runtime application self-protection (RASP) are adjacent to the WAF market, and might compete for the same application security budgets. This motivates WAF vendors to add relevant features from these markets, when appropriate. For example, cloud WAF services often bundle web application security with DDoS protection and CDN. The ability of WAFs to integrate with other enterprise security technologies — such as application security testing (AST), web access management (WAM), or security information and event management (SIEM) — is a capability that supports its strong presence in the enterprise market. Consolidation of WAFs with other technologies, such as ADCs, CDNs or DDoS mitigation cloud services, brings its own benefits and challenges. However, this market evaluation focuses more heavily on the buyer’s security needs when it comes to web application security. This includes how WAF technology:
  • Maximizes the detection and catch rate for known and unknown threats
  • Minimizes false alerts (false positives) and adapts to continually evolving web applications
  • Differentiates automated traffic from human users, and applies appropriate controls for both categories of traffic
  • Ensures broader adoption through ease of use and minimal performance impact
  • Automates incident response workflow to assist web application security analysts
  • Protects public-facing, as well as internally used, web applications and APIs
Gartner scrutinizes these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) and open-source/free WAF (e.g., ModSecurity) would do, by leveraging a rule set of generic signatures.
Gartner has strengthened this year’s inclusion criteria for the web application firewall Magic Quadrant, to reflect enterprises’ changing expectations when selecting WAF providers (see Inclusion Criteria). Updated criteria include a requirement to get minimal revenue outside of a vendor’s home region, which led to the exclusion of some of the more local vendors.

Magic Quadrant

 
Figure 1. Magic Quadrant for Web Application Firewalls

Source: Gartner (August 2018)


Vendor Strengths and Cautions

Akamai

Akamai is in the Leaders quadrant. Clients looking for a cloud WAF service that can support web-scale applications and combine multiple web application security features often add Akamai to their shortlists when price sensitivity is low, especially when they already use Akamai as a CDN.
Akamai is a global CDN provider with headquarters in Cambridge, Massachusetts. It has more than 7,500 employees, with a growing team dedicated to web application security. In addition to its WAF (Kona Site Defender), Akamai offers additional security services, including application access control (Enterprise Application Access), managed DDoS scrubbing service (Prolexic), API gateway (Akamai API Gateway), and DNS services (Fast DNS). The WAF can be augmented with optional add-ons, including IP reputation, volumetric DDoS protection options, and two bot mitigation subscriptions (Bot Manager and Bot Manager Premier). Akamai also offers a trimmed-down, and lower-cost, version of Kona Site Defender, called Web Application Protector (WAP).
Recent news includes the release of Bot Manager Premier as a separate option, providing mouse and keyboard activity analysis, along with a mobile software development kit (SDK). Kona Site Defender has improved its management options for multiple applications, and has updated reporting and real-time analytic dashboards.
Kona Site Defender is a good shortlist candidate for all use cases in which WAF delivered from the cloud is acceptable, and low price is not the highest priority, especially for existing Akamai CDN customers.
Strengths
  • Product Strategy:  Akamai demonstrates a sustained commitment to develop and improve its web application security solutions. The vendor also grows its threat research and security operations center (SOC) team at a good pace.
  • Product Offering:  The broad portfolio of Akamai’s cloud services appeals to organizations looking for an easy way to deploy controls in front of a diverse set of applications. Many customers using Kona Site Defender are using other services, especially the CDN.
  • Geographic Strategy:  Akamai is a global infrastructure provider with especially strong presence in North America, and good visibility in European shortlists too.
  • Managed Services:  Akamai offers professional services to help harden the security configuration of Kona Site Defender. It also provides a managed SOC, which can monitor incidents.
  • Capabilities:  Akamai applies automated analytics and triage on the entire traffic it processes for clients to tune their signatures and gather threat intelligence to create new protections. It has released a first version of API security features that customers find promising.
  • Customer Experience:  Customers using Akamai managed security services and customers using the WAP product cite a lower-than-expected rate of false alerts.
Cautions
  • Market Segmentation:  Akamai’s WAF is available as a cloud service only. For organizations that are simply not comfortable with cloud security solutions, or where prospective clients’ assessments determine that compliance and regulatory restrictions limit its use, Akamai does not appear on client shortlists.
  • Pricing and Contracting:  Akamai Kona is an expensive product, especially when bundling multiple options, such as Bot Manager subscriptions. Clients continue to cite pricing as a barrier. Gartner analysts have observed an increase in complaints from prospects, and from existing clients. Organizations frequently consider using a second WAF brand, because it would be too expensive for them to deploy Akamai’s solution. The less-expensive WAP solution has not yet fixed this issue.
  • Customer Experience:  The most-vocal complaints from clients target the poor policy management system, which is leaving clients frustrated by a dated policy and no useful way to test the updated rules. They also would like to see more improvements in the monitoring and reporting, as well as improved notification options.
  • Technical Architecture:  Akamai has historically lagged behind some of its competitors in security automation. It has published a first version of an API to manage Kona’s security configuration, which is still in beta.
  • Capabilities:  Akamai lacks a positive security model, with the exception of its API protection module. Customers using WAP cannot use Bot Manager.

Amazon Web Services

Amazon Web Services (AWS) is in the Niche Players quadrant. It serves almost exclusively AWS clients, and invests significantly in continuous improvements to its WAF solution.
AWS is a subsidiary of Amazon, based in Seattle, Washington. It is a cloud-focused service provider. It offers a large portfolio of cloud workloads (EC2), online storage (S3, EBS and EFS), database, and artificial intelligence (AI) frameworks. Its security portfolio is not as well-known, but includes identity and access management (IAM; Cognito), managed threat detection (GuardDuty) and HSM (AWS Cloud HSM). AWS Shield provides managed DDoS protection, and its WAF product is simply called AWS WAF.
AWS WAF can be delivered through AWS Application Load Balancer or through Amazon CloudFront as part of the CDN solution. AWS WAF is not limited to protecting origin servers hosted on Amazon infrastructure. AWS also partners with WAF vendors and offers their solutions in the AWS marketplace.
In recent months, AWS has released managed rules, a feature that allows clients to deploy sets of rules managed by third-party WAF vendors. The vendor has also recently released AWS Firewall Manager, which allows it to centralize the deployment of WAF policies and managed rules set. Also, AWS Config, the vendor’s configuration monitoring service, can monitor AWS WAF rule sets (RuleGroup).
AWS customers looking for an easy way to add runtime protection in front of their applications hosted on AWS should consider deploying AWS WAF, especially when combined with AWS Shield, and with one, or multiple, set of managed rules.
Strengths
  • Capabilities:  With managed rulesets, AWS customers have access to more than a dozen sets of rules from established WAF or managed security service (MSS) vendors that are automatically updated. Because they can deploy multiple rulesets simultaneously, it is easy, even if it comes at a cost, to provide multiple layers of defense, or to test multiple providers.
  • Customer Experience:  Existing AWS customers appreciate being able to quickly deploy and enable AWS WAF. Customers give good scores to the autoscaling and built-in integration with CloudFront.
  • Capabilities:  AWS WAF helps organizations in a DevOps mode of operation with the full-featured APIs and CloudFormation automation. AWS customers can provision a set of WAF rules for each stack, or provision a set of WAF rules, and automate the association of those rules with a new stack.
  • Roadmap Execution:  AWS continues to regularly improve its WAF, releasing relevant features to close existing gaps, such as the recent firewall manager, at the time they are announced.
  • Sales Execution:  AWS WAF is integrated in AWS Shield Advanced. For customers not using AWS Shield Advanced, AWS charges per use for AWS WAF are based on how many rules customers deploy and how many web requests are inspected.
Cautions
  • Marketing Strategy:  AWS WAF’s reach is mainly limited to AWS workload protection, where it competes with cloud WAF services and virtual appliances. As more clients consider a multicloud strategy, AWS WAF is less likely to be on WAF shortlists.
  • Capabilities:  AWS WAF lacks bot detection techniques, relying on reputation-based controls. Customers need to deploy AWS API Gateway to get dedicated API security features, because AWS does not parse JavaScript Object Notation (JSON) or XML. The vendor does not offer managed SOC for AWS WAF as part of its SiteShield managed services offering. Its DDoS Response Team (DRT) focuses on DDoS response only.
  • Product Strategy:  Despite numerous corporate security initiatives, the WAF product remains mostly a siloed product. The vendor does not yet have a dedicated threat research team to add new protections to the WAF. AWS WAF does not leverage AWS AI capabilities; the use of machine learning for web app security is built in only for DDoS protection.
  • Customer Experience:  Customers would like to be able to whitelist a specific rule from the managed ruleset. Currently, they can only disable the entire ruleset, and have trouble identifying why a rule was triggered.
  • Customer Experience:  Clients cite logging and reporting as a weakness. They cannot get detailed logging, aggregated events and mention occasional delays in getting the logs. Some clients also request integration with SIEM.

Barracuda Networks

Barracuda Networks is in the Challengers quadrant. Barracuda has good visibility for its WAF deployment over IaaS, and for existing Barracuda customers, but focuses on catching up with market leaders.
Barracuda Networks (CUDA) is based in Campbell, California. Barracuda is a known brand in security and backup markets, especially for midsize enterprises. In addition to network firewalls, its product portfolio includes email security and a user awareness training tool (acquired from Phishline in January 2018). The vendor also offers DDoS protection. The vendor delivers its WAF line in physical or virtual appliances. It is also available on the Microsoft Azure, AWS and Google Cloud Platform (GCP) platforms.
In November 2017, Barracuda agreed to be acquired by private equity firm Thoma Bravo. The acquisition was completed in February 2018. Barracuda has recently released Barracuda WAF-as-a-Service, its self-service cloud WAF. This release follows its DDoS protection service (Barracuda Active DDoS Prevention Service). The vendor has improved its integration on Microsoft Azure for better scalability, and made its virtual appliances available on Google Cloud Platform. It has also worked on its ability to work with continuous integration tools, and has made significant updates to its management API, improving the ability for Barracuda WAF to be deployed programmatically.
Barracuda is a good shortlist contender for midsize enterprises and existing Barracuda customers. It offers interesting solutions for organizations in North America and Europe, developing a multicloud strategy.
Strengths
  • Offering Strategy:  Barracuda remains one of the most visible WAFs on Microsoft Azure. Customers are then more likely to select Barracuda in a multicloud strategy for unified management.
  • Pricing Strategy:  Barracuda Cloud WAF as a Service includes DDoS protection at no additional charge.
  • Product Offering:  With the release of the WAF appliance 1060, Barracuda now supports throughput as high as 10 Gbps.
  • Technical Support:  Gartner clients across multiple regions give excellent scores to Barracuda’s customer support. Barracuda partners cite the vendor’s focus on customer satisfaction as the reason they choose to sell Barracuda WAF.
  • Capabilities:  Barracuda’s offer of the free WAF add-on Vulnerability Remediation Service is attractive to Barracuda’s targeted small or midsize business (SMB) customers, which often lack the time, money and expertise to support an in-house application scanning program.
Cautions
  • Sales and Marketing Execution:  Barracuda struggles to adapt to the multiplication of meaningful competitors. Its visibility in shortlists is shrinking, and the vendor has lost market share during the past 12 months.
  • Customer Experience:  Many customers have complained about Barracuda’s WAF appliance user interface (UI). They cite a long learning curve, difficulties locating features buried in submenus and longer-than-necessary amounts of time spent updating the configuration.
  • Market Responsiveness:  Barracuda has been late to the market in providing cloud WAF as a service. Prospects should scrutinize the vendor’s infrastructure and point-of-presence availability across regions, as well as investigate the vendor’s ability to meet enterprise-class SLAs for availability, because the solution remains a recent addition.
  • Capabilities:  Despite recent improvements, Barracuda WAF lags behind the leaders in bot mitigation and advanced analytics for anomaly detection. Its predefined list of good bots is limited to a few search engines.
  • Capabilities:  Barracuda WAF lacks access management features and support for OAuth.
  • Capabilities:  Barracuda WAF lags behind the leaders in security monitoring. It lacks automated alert aggregation in the real-time log view, and users report that they would like to see more improvements.

Citrix

Citrix is in the Challengers quadrant. Most of Citrix’s WAF sales are an add-on to an existing ADC deployment, but Citrix’s attach rate for the WAF option is lower than 50%. Gartner rarely sees Citrix participating in a pure-WAF competition with other vendors.
With more than 9,600 employees, Citrix (CTXS) is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions. The vendor is co-headquartered in Santa Clara, California, and Fort Lauderdale, Florida. The NetScaler ADC portfolio includes hardware (MPX), software (VPX), containerized (CPX) and multi-instance (SDX). All of those ADC options offer WAF (NetScaler AppFirewall) and Secure Sockets Layer (SSL) virtual private network (VPN) as modules. WAF is also available as a stand-alone product.
In 2017, Citrix introduced the Web App Firewall (initially called NetScaler Web App Security service) as its cloud WAF service, and refreshed its hardware product line.
NetScaler AppFirewall is a good choice for Citrix clients that value high-performance WAF appliances.
Strengths
  • Sales Execution:  Citrix licenses its products and services through multiple channels globally, which makes Citrix the No. 2 ranked ADC vendor (by revenue). This creates opportunities for selling a WAF module on top of its ADC appliances. Existing ADC and Citrix-based application customers like the tight integration of the AppFirewall module.
  • Capabilities:  NetScaler’s ability to scale appeals to large organizations. NetScaler TLS’s decryption capabilities and integration with Thales and SafeNet hardware security modules (HSMs) are often key differentiators in prospect comparative testing.
  • Customer Experience:  Customers score highly the support they receive from system integrators and service providers. They also praise improvements in API-driven manageability.
  • Customer Experience:  Surveyed customers welcomed NetScaler management and analytics service (MAS), and give good scores to the Security Insight dashboards.
Cautions
  • Product Strategy:  Citrix faces intense competition from many large and small vendors on its leading products. Acquisitions have been a significant part of its growth strategy. However, most of the recent acquisitions (Cedexis, Norskale, Contrade and Unidesk) have little to do with security and will take attention from innovating on the WAF technology.
  • Sales Execution:  Citrix rarely competes in dedicated WAF deals, and its overall visibility has continued to decrease. The vendor mostly sells AppFirewall as an add-on to customers primarily interested in its ADC features, or in high-performance environments.
  • Technical Architecture:  Most Citrix clients use NetScaler AppFirewall as a software option on top of an ADC physical appliance. Gartner rarely sees Citrix being deployed on IaaS, such as Amazon and Microsoft. Google Cloud is not supported.
  • Capabilities:  AppFirewall does not include advanced bot mitigation and anomaly detection options.
  • Market Responsiveness:  The pace of WAF feature releases on NetScaler has been slow for a few years now, except for TLS decryption-related capabilities. Although Citrix is only now catching up to its competitors in cloud WAF delivery, it has not gained visibility in shortlists against other cloud WAF vendors. Citrix cannot match competitors’ offerings, because it does not bundle CDN with its cloud WAF.
  • Customer Experience:  Many customers would like better ways to handle false alerts (false positive rate). Citrix’s ability to block bots gets a low score. Clients would also like to see better documentation for the WAF’s advanced features.

Cloudflare

Cloudflare is in the Challengers quadrant. As more applications move to the cloud, and a growing number of organizations consider multicloud options, the appeal of Cloudflare’s bundled service continues to grow.
Headquartered in San Francisco, California, Cloudflare is growing quickly, with more than 700 employees. The vendor’s primary offering is a combination of DDoS protection and a CDN offering. Other products offered as a service include DNSSEC, Bot Mitigation, SSL, Rate Limiting and Orbit for securing Internet of Things (IoT) devices. Cloudflare stands out for its service delivery, which usually uses the self-service model, allowing its clients to make quick and easy configurations through wizards. Although Cloudflare’s brand is associated with its inexpensive service plans for consumers, the vendor has a sizable enterprise customer base, through a higher-priced custom Enterprise plan.
In recent months, Cloudflare announced changes promoting unlimited and unmetered DDoS protection for all of its customers. This can benefit clients by not punishing the customer for the amount, time and size of the DDoS attack. It also released a tunnel mode (Argo Tunnel), multiprotocol support (Spectrum) and some authentication brokering features, integrating with a number of identity providers (Cloudflare Access).
Cloudflare is a good shortlist candidate for internet-exposed applications in global organizations with customers in multiple regions that are concerned with the risk of DDoS attacks.
Strengths
  • Technical Architecture:  Cloudflare is a provider with 15 Tbps capacity and 152 data centers worldwide. This infrastructure not only supports the high performance of the applications, it promotes a close-to-the-edge security protection capability.
  • Customer Experience:  Customers typically score the ease of use and implementation of the WAF and DDoS solution highly. Customers also praise the vendor’s DDoS mitigation capabilities. Cloudflare has a large base of technically savvy individuals who use its solution for personal web applications, and then become internal sponsors when their organizations consider a cloud WAF.
  • Market Responsiveness:  Cloudflare continually develops new capabilities related to better user experience in ease of use and implementation. Cloudflare has announced Spectrum, which is expanding DDoS protection beyond web servers to include other TCP-based services. The vendor also occasionally acquires technologies to more quickly serve new features, as it did when it acquired Neumob’s mobile SDK.
  • Capabilities:  The recent addition of Cloudflare Workers enables customers to host web applications on Cloudflare’s infrastructure, which should appeal to smaller organizations. The vendor also provides an easy-to-reach “I’m under attack” button. This automatically enables a set of protections, and is convenient for emergency reaction.
  • Capabilities:  Cloudflare has recently released the ability to assign rules per uniform resource identifier (URI), improving its ability to provide more-granular control without damaging the security posture for the entire application. Its keyless SSL technology offers interesting support for customers that want to store their private keys on their preferred HSM solutions.
  • Geographic Strategy:  Cloudflare is one of the few global providers with local points of presence in China.
Cautions
  • Market Segmentation:  Cloudflare offers WAF as a cloud service only. For organizations with restrictions on cloud services, or in locations where the appetite for cloud services isn’t high (e.g., the Middle East and Asia regions), Cloudflare can’t address use cases that require on-premises physical or virtual appliances. The lack of WAF appliance might penalize them for the nascent hybrid web application deployment use cases (partly on-premises and partly cloud-hosted), where more-conservative organizations highly rank the ability to get unified management and reporting for the WAF solution.
  • Customer Experience:  Many customers, especially the larger organizations, rated Cloudflare’s alerting and reporting low. The vendor lacks an automated aggregation of alerts for faster incident triage. Some customers complain of occasional API instability, as well as a higher-than-expected frequency of local performance degradation.
  • Capabilities:  Cloudflare’s management console presents restrictions on offering more-granular configuration capabilities, such as building custom-made rules. In addition, the management console’s role-based access shows its limits when users want to define the per-app role, or when auditing management actions.
  • Capabilities:  Cloudflare still lags behind some of its competitors for bot management. It lacks an easy way to manage good bots. Despite a recent initiative to learn from the large amount of data the vendor processes, Captcha remains the most frequent technique Cloudflare uses to block bots. This hurts the user experience. The WAF also lacks an automated positive security model, which could prove useful, especially for high-risk pages or API-driven applications.
  • Product Strategy:  Gartner observes that Cloudflare’s security roadmap appears to aim at good-enough security, with a focus on pervasive, commercial off-the-shelf (COTS) web applications (e.g., WordPress and Magento). Its web application security threat research team’s efforts are targeted at quick reaction in case of a new attack campaign. However, when it comes to using new protection techniques based on in-house threat research, the vendor is less proactive than its leading competitors.

Ergon Informatik

Ergon Informatik is a Niche Player. The vendor is mostly visible in Switzerland and Germany, with slow international developments in financial institutions from other countries. Ergon provides WAF appliance only. Its roadmap execution is primarily driven by incremental improvements.
Ergon Informatik is a software engineering and consulting company, headquartered in Zurich, Switzerland, and it has 280 employees. The vendor has developed a full suite of products to serve existing clients. The product portfolio is centered around the Airlock Suite, which includes the Airlock WAF, a WAM solution (Airlock Login) and a more-comprehensive IAM solution (Airlock IAM).
Latest news includes the release of Airlock WAF 7.0, at the end of 2017, with the addition of Geo-IP, and automatic whitelisting learning. It has integrated Kibana for the reporting and real-time dashboards, and added support for more log formats, including JSON and Common Event Format (CEF).
Ergon Informatik is a contender worth considering for large banking and financial enterprises in need of a WAF appliance.
Strengths
  • Customer Experience:  The vendor continues to get good feedback from faithful customers and resellers, who trust the company and praise its ability to be close to its clients. They almost always use the vendor’s IAM features and mention them as a differentiator.
  • Vertical Strategy:  Ergon Informatik’s strongest presence is with banking and other financial institutions, where it can provide a large number of satisfied references.
  • Market Execution:  Despite its smaller size, Ergon is a profitable company that enjoys growth at a rate that exceeds the WAF appliance market as a whole.
  • Customer Experience:  Customers give good scores to Airlock WAF for its API security capabilities, and to the combination of access management features and content inspection on JSON and REST payloads.
  • Capabilities:  The recent addition of geo-IP goes beyond blocking, and allows traffic to be redirected, based on the source’s region or country. Clients liked the real-time monitoring and logging upgrade, which provides the flexibility to build their own dashboards and advanced searches in logs. Support for the CEF format improves the ability to integrate with SIEM vendors.
  • Capabilities:  With the addition of automatic whitelisting learning, Ergon Informatik now offers a comprehensive set of controls for positive security models, in addition to the already-available URL and cookie encryption features. It also provides predefined templates for known commercial applications, such as Microsoft Exchange.
Cautions
  • Product Strategy:  Ergon is not a good choice for hybrid or cloud-native web applications. It does not offer cloud WAF or DDoS protection services, and has not shown any intention to pursue a cloud WAF service strategy. The vendor lacks centralized management for its WAF appliances, and its WAF virtual appliances are unavailable in the IaaS marketplace.
  • Market Segmentation:  Ergon is not the best fit for smaller organizations. It offers only two hardware appliances (Medium and Large). Most customers mention that the deployment is not the easiest possible, and the management interface can be complex, especially for novice users.
  • Geographic Strategy:  Ergon is predominantly visible in Swiss and German shortlists, with the exception of some rare appearances in Asian financial institution shortlists. The vendor has limited direct presence outside Western Europe. Prospects from other regions should first assess the ability of the vendor to provide support in their time zones and, if necessary, in local languages.
  • Capabilities:  Airlock offers limited, role-based management with four predefined roles, and an experimental command line interface (CLI)-based option to add custom roles. Its management API feature is not yet complete.
  • Capabilities:  Airlock still lacks third-party or in-house threat intelligence feeds. Its generic rule set is updated only during firmware updates. This limits the ability of customers to benefit from ad hoc, emergency-released protections in case of a new attack campaign. The vendor also relies on integration with IBM Trusteer to provide bot mitigation.
  • Market Responsiveness:  Ergon Informatik’s roadmap delivery contains a higher mix of continuous improvements of existing features.

F5

F5 has moved from the Leaders quadrant to the Challengers quadrant. It continues to participate frequently in client shortlists for WAF appliances beyond its ADC customer base. The company is in the middle of reinventing itself for a cloud-first world, but has yet to reproduce the success it built in past years as a strong WAF appliance provider in the cloud WAF segment.
Based in Seattle, Washington, F5 is known for its ADC product lines (Big-IP and Viprion). The vendor employs more than 4,300 employees, which includes a small business unit dedicated to security products.
F5’s WAF is primarily consumed as a software option, Application Security Manager (ASM), which is integrated in the F5 Big-IP platform. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF). F5’s security portfolio includes a WAM solution, Access Policy Manager (APM), web fraud protection (WebSafe), and a DDoS mitigation solution, DDoS Hybrid Defender (DHD).
Under the Silverline brand, F5 delivers cloud WAF and DDoS protection. Two flavors of the service are available: Silverline Managed WAF and self-service WAF Express, with a threat intelligence add-on (Silverline Threat Intelligence). All Silverline services rely under the hood on Big-IP technology.
In recent news, F5 launched a dedicated solution to handle TLS traffic decryption for inbound and outbound traffic (the F5 SSL Orchestrator). The vendor has launched a WAF product called “Advanced WAF.” It includes, in addition to what is also available in ASM, a mobile SDK, specialized features for fraud prevention through form field obfuscation, bot mitigation, application-layer DoS and API security features.
F5 is a good shortlist contender for large-scale WAF appliances, and for scenarios requiring unified management.
Strengths
  • Marketing Strategy:  As its legacy ADC appliance market declines, F5 has identified security as one of the core markets for its new messaging. The vendor has publicly committed to reinforce its investment in security.
  • Technical Architecture:  F5 supports AWS, Azure, Google Cloud, OpenStack and VMware Cloud. The support for multicloud with unified management appeals to the organizations building a hybrid architecture.
  • Capabilities:  Clients continue to mention iRules as a reason to select, and to stick with ASM WAF. They also mention the depth and breadth of features available on the platform.
  • Customer Experience:  Customers of the managed WAF services give good scores to their interactions with the professional services and managed SOC teams. Surveyed customers like the multiple managed rulesets from F5, which can be deployed quickly on top of AWS WAF.
  • Customer Experience:  Several customers mention the user community and vendor support as strong assets.
Cautions
  • Product Strategy:  With the existing Silverline product segmentation, F5 links its self-managed Silverline Express with the lower tier of the market, but positions it at a price point that’s much higher than its direct competitors. Gartner analysts see that as a missed opportunity for F5’s product strategy and its current portfolio gap. Larger enterprises are more likely to have in-house SOCs than midsize organizations, and most enterprises prefer self-service WAF options. F5 does not yet provide a fully featured, easy-to-manage self-service WAF.
  • Sales Execution:  Gartner analysts observe limited adoption of Silverline products, and low visibility in cloud WAF shortlists.
  • Product Strategy:  With Advanced WAF, F5 risks frustrating its core customer base, which has used WAF as a module of their ADC for years. They now fail to get the best security features, even when purchasing the “best” bundle, and need to get an additional security license upgrade.
  • Cloud WAF Service:  Silverline’s infrastructure significantly lags behind its direct competitors. It lacks a presence in South America, the Middle East, Africa and China. It serves the entire Asia/Pacific (APAC) region from a single data center, hosted in Singapore.
  • Customer Experience:  Many customers mention the need for a UI refresh, because it can be complex. They noted some improvement with the recently released hierarchy of policies.
  • Operations:  F5 continues to experience big changes in its leadership, including a new lead for the security business unit. Prospective clients should monitor early signs of a strategic shift that could affect the investment in the appliance product line.

Fortinet

Fortinet is in the Challengers quadrant. The vendor continues to grow its market share in the WAF appliance segment, with improved security capabilities. It is slowly catching up on the cloud WAF segment, with an initial release in 2017.
Based in Sunnyvale, California, Fortinet is a large firewall vendor that offers a broad portfolio of security and network solutions. The vendor’s almost 5,000 employees include approximately 1,000 in R&D. Fortinet’s portfolio includes a firewall (FortiGate) that constitutes most of the vendor’s revenue, a WAF (FortiWeb), a threat intelligence service (Fortinet TIS), a SIEM (FortiSIEM), and a sandbox (FortiSandbox). FortiWeb is available as a physical or virtual (FortiWeb-VM) appliance, and on AWS and Azure IaaS platforms. FortiWeb subscriptions include IP reputation, antivirus, security updates (signatures and machine learning models), credential stuffing defense and cloud sandboxing (FortiSandbox).
Fortinet’s recent corporate strategy shift articulates the concept it named “Security Fabric.” It consists of integrating many solutions from Fortinet’s portfolio with, for example, unified visibility gained by collecting telemetry from every deployed product.
In late 2017, Fortinet launched a first version of a cloud WAF service (FortiWeb Cloud). FortiWeb 6.0, released in May 2018, integrates closely with the FortiGate FortiOS 6.0. This release adds machine learning algorithms to improve anomaly detection, which deprecates the automatic application learning. FortiWeb now supports Google Cloud and the VirtualBox hypervisor.
FortiWeb is a good shortlist candidate for organizations looking for a WAF appliance, especially when deployed in hybrid scenarios, and for Fortinet’s existing customers.
Strengths
  • Sales Execution:  FortiWeb’s visibility in shortlists has improved, especially in Fortinet’s customer base.
  • Capabilities:  Fortinet delivers strong threat intelligence, supported by the large team of its Fortiguard Labs, a shared resource for all Fortinet’s products. The vendor has a strong ability to quickly deliver, and automatically deploy, new targeted signatures, even before the attacks have gained enough scale to be visible globally. With FortiWeb 6.0, security analysts can search for attacks using common vulnerabilities and exposures (CVE) IDs.
  • Marketing Strategy:  Fortinet applies the same strategy to FortiWeb that drove FortiGate’s success. It offers a comprehensive portfolio of hardware appliances (eight models, ranging from 25 Mbps to 20 Gbps), and it wins on good price/performance ratio. The vendor also improves its WAF by leveraging global R&D efforts, to quickly mature its WAF solution, despite being a relatively recent entrant on the market. The recent release of FortiWeb Cloud now offers a solution to Fortinet’s large customer base of midmarket enterprises.
  • Capabilities:  FortiWeb’s recent use of machine learning algorithms to complement ad hoc signatures and detect attacks from their behavior is promising. The syntax analysis pass on the request helps catch false alerts that could result from the new technique.
  • Capabilities:  FortiWeb is a good choice to protect file-sharing services, because it offers comprehensive options and integration for malware detection. The WAF can inspect for malware, as well as integrate with Fortinet’s sandboxing solutions.
Cautions
  • Cloud WAF Service:  Fortinet has been late releasing a first version of a cloud WAF service, which is still unproven, especially in its ability to avoid and mitigate false alerts. FortiWeb Cloud has more limited capabilities than its appliance counterpart, and it lacks available peer references.
  • Organization:  The vendor has a modest increase of its WAF R&D department this year. Its investment in WAF remains less important than for other products in Fortinet’s portfolio, and is relatively small, compared with some of its direct competitors.
  • Market Segmentation:  Fortinet is not yet visible in shortlists for web-scale organizations trying to protect their core business-critical applications, and for cloud-native web applications that heavily leverage continuous integration.
  • Customer Experience:  Some customers would like Fortinet to go one step further and unify the centralized management for WAF and firewall. Today, you need two separate management platforms for FortiWeb and FortiGate. They also would like better documentation in the form of “how-to,” especially on recent features, and better change control.
  • Capabilities:  FortiWeb lags behind leaders in bot mitigation. The vendor neither offers nor integrates with a DDoS protection service.
  • Capabilities:  FortiWeb’s machine learning does not work in high-availability deployments. In the initial version, the UI exposes a lot of the internal mechanics behind the machine learning engine. Although this compares nicely with other vendors’ “black box” approaches, and helps with the credibility of the engine, it can be intimidating and lengthen the learning curve.

Imperva

Imperva is in the Leaders quadrant. The vendor is one of the most visible in both the appliance and cloud WAF service segments. Imperva frequently wins on the basis of security features and innovation. Imperva can provide strong WAF functionality as a traditional appliance and cloud WAF service, but faces stronger competition for its cloud offering.
Imperva is an application, database and file security vendor, with headquarters in Redwood Shores, California. Its portfolio includes database security products (SecureSphere Data Protection and Database Audit and CounterBreach), a WAF appliance (SecureSphere WAF), and a cloud WAF service (Incapsula). Imperva also offers managed security services and managed SOC.
SecureSphere can be delivered as physical and virtual appliances. It is also available on AWS and Microsoft Azure marketplaces. The vendor also offers managed rule sets for AWS WAF.
In recent months, Imperva saw changes in its executive team, including a new CEO and CFO, followed by an internal reorganization to refocus on a cloud-first strategy. The company recently announced the acquisition of Prevoty, a RASP vendor. The vendor continued its investment in Incapsula infrastructure with new points of presence, refreshed some SecureSphere hardware appliances, and released Attack Analytics, a new real-time event management solution for Imperva SecureSphere and Incapsula.
Imperva is a good shortlist candidate for all kinds of organizations, especially large enterprises looking for high-security WAF appliances, or organizations planning to transition their applications from on-premises to the cloud.
Strengths
  • Marketing Strategy:  Imperva offers flexible licensing for organizations with a mix of on-premises and cloud-hosted applications. It allows the vendor to target a wider range of use cases and organizations, and to better manage the transition from WAF appliance to cloud WAF service.
  • Sales Execution:  Imperva is one of the only vendors providing both WAF appliances and cloud WAF service to achieve strong visibility in shortlists and large customer bases for both segments.
  • Customer Experience:  Gartner clients using SecureSphere continue to praise customer support. They’ve noted some improvements in Incapsula’s bot mitigation.
  • Capabilities:  Incapsula and SecureSphere benefit from the shared threat intelligence from ThreatRadar.
  • Capabilities:  Imperva has recently released attack analytics to get unified and improved monitoring for SecureSphere and Incapsula. The vendor has also made available a first version of role-based administration for Incapsula.
  • Geographic Strategy:  Imperva has strong WAF presence in most geographies, and offers effective support across most regions. Recent presence has been especially strong in the APAC region.
Cautions
  • Market Responsiveness:  Imperva is experiencing a lot of organizational changes, which could be the source of a slower pace of release, especially for the SecureSphere product line.
  • Cloud WAF Service:  Customers wish that Incapsula supported single sign-on (SSO) features, such as SAML 2.0. They also would like better and more-flexible canned reports.
  • Capabilities:  Customers considering Incapsula to replace SecureSphere often notice the lack of feature parity. The cloud WAF service cannot yet match the depth and breadth of security function covered by the appliance product line.
  • Pricing:  Several Gartner clients cited higher-than-competitive prices for Imperva WAF SecureSphere, and to a lesser extent for Incapsula.
  • Cloud WAF Service:  Incapsula’s infrastructure does not include any point of presence in China, and its infrastructure lags behind other cloud-native WAF services in South America and Africa.
  • Customer Experience (WAF Appliance):  SecureSphere customers report that the management console remains complex when using the more advanced capabilities. Customers frequently mentioned that deployment often requires professional services to effectively implement the offerings at scale. They also would like to see closer integration between Attack Analytics and the WAF management consoles, and more-unified management capabilities between SecureSphere and Incapsula.
  • Customer Experience (Cloud WAF Service):  Some customers complain about Incapsula’s limited cross-site and multidomain management and reporting, especially when multiple applications share the same IP address. Surveyed customers and resellers indicated that they did not get the same quality of support for Incapsula, compared with what they are accustomed to with SecureSphere. They cite too many canned and not necessarily helpful answers as a first response when contacting support.

Instart

Instart has moved from the Visionaries quadrant to the Niche Players quadrant. The vendor’s security roadmap has seemed to stagnate. WAF is positioned as an add-on to the CDN and performance optimization platform, and its visibility in shortlists remains limited.
Headquartered in Palo Alto, California, Instart (until recently named Instart Logic) employs 200 employees, and came out of stealth mode in 2010. Instart offers a bundle of cloud services, including CDN, WAF and DDoS protection. The vendor’s core marketing message for its WAF (Instart Web App Firewall) is about being “endpoint aware,” facilitated through a lightweight JavaScript agent (Nanovisor), which is injected into HTTP traffic and analyzes aspects of client-side web browser behavior. Instart offers rule tuning and 24/7 SOC as an option. Instart’s team continually analyzes logs for its clients with a tool called Helios, which the vendor uses to update its client policies.
In recent months, Instart has completed a new round of $30 million funding. Product-related news includes the launch of a self-service rule feature, enabling clients to create their own traffic processing and WAF rules. Instart has continued to grow its infrastructure, adding more than 15 points of presence across all regions.
Instart is a valid shortlist contender for the vendor’s existing clients, and for organizations that need to quickly combine performance optimization and security features in front of their cloud-native web applications.
Strengths
  • Organization:  Instart is part of a new wave of web app security vendors developing easy-to-deploy, cloud-native solutions. The lack of technical debt from legacy solutions allows the vendor to try new approaches, such as the Nanovisor, more easily.
  • Viability:  Instart continues to grow quickly, demonstrating its ability to attract new customers. It is well-funded to further enhance its solutions in the future.
  • Vertical Strategy:  Instart continues to be visible in shortlists for small and large e-commerce companies. Customers from these organizations report that they selected Instart for its ability to combine security features with the performance optimization and anti-advertisement blocking features for which they were primarily looking.
  • Customer Experience:  New customers continue to be satisfied with the ease of deployment when collaborating with the vendor. They also mention high-quality vendor support.
  • Capabilities:  Instart has released a bot mitigation feature, priced separately from the WAF. It is too early to judge the quality of the feature. However, customers from Instart’s top verticals, e-commerce and online media, are heavily targeted by bots, and welcomed the new feature.
  • Capabilities:  Instart management provides a fully featured API, which facilitates its integration in dynamic application ecosystems. When adding a new feature, such as the custom rule creation, a related API is also available.
Cautions
  • Product Strategy:  Instart positions its WAF as an add-on, and sells it mostly to its existing customer base for its other products, who don’t conduct in-depth evaluation of the security modules. The vendor has yet to demonstrate that it is interested in more than selling security as a commodity to its IT customer base.
  • Organization:  Instart is a growing company, but has experienced organizational hiccups recently, with a change of CEO and internal reorganizations intended to overcome slower-than-investor-expected growth and market awareness. As the vendor prepares for its IPO, it might be distracted from innovating in the security space. Its WAF development team is one of the smallest among the vendors evaluated in this research.
  • Capabilities:  Instart does not offer API security features. It does not parse JSON or XML payloads, does not offer authentication features, and does not integrate with identity providers to enable SSO using the SAML protocol.
  • Geographic Strategy:  The vendor still has a low visibility in shortlists, especially outside the U.S. Prospective customers should first verify the availability of local skills, assess their need for support in their native language and ask for local peer references. The vendor has not yet deployed points of presence in China.
  • Capabilities:  Instart does not provide a fully featured, self-service option. Although customers can now create their own rules, they still need the vendor for onboarding. The role-based access control (RBAC) feature is reputed to be quite limited. Configuration tuning quickly requires a request to Instart’s team. Many clients point out the poor documentation and scarcity of available technical resources.
  • Customer Experience:  Customers would like to see more improvements in the reports, as well as more customizable dashboards. Because the WAF lacks integration with ticketing systems, AST and most SIEM technologies, organizations face difficulty integrating it into their enterprise incident workflows.

Microsoft

Microsoft is in the Niche Players quadrant. The vendor has released a first version of WAF, which offers baseline protection to web applications, and is visible mostly in its customer test initiatives. The vendor needs to demonstrate a continued commitment to improving the solution and building a more-feature-rich WAF.
Based in Redmond, Washington, Microsoft is one of the most well-known IT brands, with a diversified and broad portfolio. Microsoft Azure, its IaaS solution, includes virtual machines (VMs), storage and database services. Its WAF (Azure WAF) is built on top of its application delivery solution (Azure Application Gateway) and integrates with other Azure products, such as Azure Traffic Manager (ATM) and Azure Load Balancer (ALB). Azure WAF is priced per gateway and per hour, as part of the Application Gateway consumption-based model.
Azure Portal and Security Center are the management solutions for Azure Application Gateway and for Azure WAF.
In 2017, Microsoft made its WAF available globally.
Microsoft Azure WAF is a good choice for organizations looking for an ad hoc WAF available immediately while deploying workloads on Microsoft Azure.
Strengths
  • Sales Strategy:  Azure WAF is bundled with the Application Gateway, making it easy for clients to enable it, while deploying the underlying application delivery infrastructure, and providing protection to their applications right away.
  • Capabilities:  Azure WAF includes a fully featured REST API for managing the WAF configuration.
  • Capabilities:  The vendor can parse JSON and XML payloads, and apply security rules to this content.
  • Geographic Strategy:  Now that Azure WAF is available globally, it benefits from Microsoft’s global infrastructure of data centers, with multiple points of presence in all regions, except Africa and the Middle East.
Cautions
  • Organization:  Microsoft is still building its WAF team, which is relatively small, when compared with the challengers and leaders in this research. Prospective buyers should get references to validate expected capabilities.
  • Product Strategy:  At this point in time, Azure WAF consists mainly of a repackaged ModSecurity engine, using ModSecurity core rulesets (CRSs). Although many WAF offerings have started with a similar approach, the vendor must continue to demonstrate its commitment to developing the WAF beyond the basics.
  • Capabilities:  As with any recently introduced product, customers should expect that Azure WAF lacks some of its competitors’ features. It lacks integrated CDN, bot management and user credential abuse detection. It cannot block based on geolocation or inspect for malware.
  • Customer Experience:  Rule propagation can take several minutes. WAF onboarding, based on deploying an Application Gateway virtual appliance, is more complicated than that of its cloud-native WAF competitors.
  • Customer Experience:  Because of the limited number of deployments to protect applications in production, the feedback on Azure WAF is scarce. Early adopters mention initial scalability issues, because Microsoft’s WAF is built on VMs in the back end, and it lacks the ease of autoscaling that other cloud-native WAFs offer.
  • Technical Architecture:  Azure WAF is built on top of Azure Application Gateway. It lacks autoscaling features, requiring the use of an Azure load balancer (Traffic Manager) to dynamically route the traffic between Azure WAF’s instances in multiple data centers.

Oracle

Oracle is in the Visionaries quadrant. Although the product is relatively recent, and feedback is scarce, Zenedge, its recently acquired WAF solution, uses machine learning to risk score events as a differentiator in this market.
Oracle is a large provider of applications, databases and cloud services, with headquarters in Redwood, California. Originally known for its database products, Oracle now offers a broad portfolio of solutions, including IaaS (Oracle Cloud Infrastructure [OCI]). Oracle offers multiple products in security, notably comprising Identity and Access Management (IAM), Cloud Access Security Brokers (CASBs), Security Information and Event Management (SIEM), compliance, data security, and managed security services. Oracle acquired Dyn, a managed domain name service (DNS) service provider, in 2016. Oracle then acquired Zenedge, a cloud-native WAF provider, in February 2018. Zenedge is now a relatively small team, part of OCI, and the WAF product has been rebranded as Oracle WAF. Oracle continues to offer Oracle WAF as a managed service.
Zenedge was under evaluation for this market research before the acquisition. Recent product news includes the release of a bot mitigation solution, combining JavaScript challenges, Captcha and rate limiting, and improved management API.
Oracle WAF is a good shortlist candidate for organizations looking at a managed cloud WAF service, especially those looking for new ways to detect anomalies.
Strengths
  • Market Responsiveness:  Surveyed customers liked the vendor’s responsiveness to feature requests, and the regular product improvements.
  • Market Execution:  Through OEM agreement, the vendor has quickly acquired a sizable customer base.
  • Customer Experience:  Although the solution is still recent, early feedback on the new bot manager features is promising. The vendor’s team in charge of managing the WAF also gets good scores from surveyed customers and resellers.
  • Capabilities:  Oracle WAF leverages statistical analysis to create a risk score for suspicious queries, and triggers alert or blocking actions based on this score. Feedback from customers indicates that this feature enables them to better tune the WAF configuration, and to focus on important events.
  • Capabilities:  As Zenedge is now part of Oracle, it can get visibility on a big chunk of traffic, which could be useful to further improve the learning algorithms and, therefore, the quality of Oracle WAF’s detection.
  • Support:  Contacted customers confirmed to Gartner analysts that the acquisition had no impact on the quality of their interactions with the Zenedge team.
Cautions
  • Product Strategy:  Zenedge, a relatively small startup, has been acquired by Oracle, which is a cloud provider and a large enterprise. In other network and application security acquisitions, Gartner analysts have observed that a cultural chasm, and potential conflicts in roadmap priorities could slow down feature delivery. Prospects, especially those protecting applications not hosted on Oracle cloud, should request commitment on the vendor’s roadmap delivery, in case required capabilities are missing at the time of purchase.
  • Technical Architecture:  Oracle WAF infrastructure lacks points of presence in China, the Middle East and Africa. It has a limited number of points of presence in South America and Asia. Oracle infrastructure is global, so the vendor might quickly increase the number of available points of presence for Oracle WAF.
  • Capabilities:  Although many features are available through a self-service portal, Oracle recommends that its customers connect with the Oracle Dyn managed services team to onboard new applications. Oracle WAF does not yet integrate with SIEM vendors. Logs can be exported in a comma-delimited flat file (.csv) format, or pulled through an API, but are not available in CEF or over syslog.
  • Customer Experience:  Customers would like to see improvements in Oracle WAF’s reporting. The event view, which is different from the active-learning view where the risk score appears, does not aggregate individual alerts into attacks or attack campaigns, resulting in a large number of alerts.
  • Product:  Some early clients highlighted that Zenedge WAF, prior to the acquisition, was still a work in progress, lacking some expected features. Oracle Dyn has a smaller team for WAF-related threat research, compared with many of its leading competitors.

Radware

Radware is in the Visionaries quadrant. This vendor has robust technical capabilities, consistently delivering most of its technology both on-premises and cloud-based, and a good understanding of DevOps environments. However, the vendor lags behind the leaders in visibility on WAF shortlists.
Based in Tel Aviv, Israel, and Mahwah, New Jersey, Radware is a DDoS protection and application delivery and security provider, employing nearly 1,000 people. Alteon, its ADC platform, continues to contribute significantly to its revenue. However, Radware’s security portfolio drives the vendor’s growth, with a DDoS mitigation appliance (DefensePro) and a cloud DDoS mitigation service (Cloud DDoS Protection). Radware also offers a specialized security solution for carriers and service providers (DefenseFlow). Its WAF, AppWall, may be deployed as a physical or virtual appliance, as a module on top of Radware’s ADC appliance (Alteon) or, using the same technology, as part of Radware’s Cloud WAF Service. Radware Cloud Security Services is a fully managed service that delivers security protection through three categories of protection: cloud DDoS protection service, application protection (cloud WAF service and cloud web acceleration service), and cloud CDN.
Recent announcements on Radware products include the release of AppWall support for Microsoft Azure. Radware has also introduced customizable security policy templates to accelerate WAF deployment and to improve its bot mitigation feature.
Radware is a good shortlist candidate for most organizations, especially those that want strong positive security and want to deploy the same security levels across hybrid environments. Organizations with high-security use cases, or applications that are unlikely to be compatible with a whitelisting approach should engage in security testing, as part of the evaluation of the technology.
Strengths
  • Capabilities:  Radware’s Emergency Response Team (ERT) leverages in-house threat research and provides 24/7 managed SOC, in addition to ad hoc support, when Radware’s customers are under attack.
  • Product Strategy:  At the heart of the AppWall WAF technology is Radware’s automatic policy learning. Radware’s engine tracks changes and updates to the application and updates the policy, also leveraging integration with AST solutions to implement virtual patches in case of new vulnerabilities. This also works for APIs.
  • Customer Experience:  Radware customers praise the combination of high-efficacy DDoS protection and WAF. Users of the AppWall appliances are satisfied with the level of effort required to tune the positive security model.
  • Market Execution:  Many customers of Radware’s WAF were initially DDoS protection customers, or purchase the WAF and DDoS protection offers all together. Radware’s good reputation in the DDoS protection space reflects positively on its WAF prospects.
  • Cloud WAF Service:  Radware customers, relying on the vendor to manage the WAF, express satisfaction with the vendor’s professional service and incident response (ERT) teams.
  • Vertical Strategy:  Radware has good visibility in media and retail organizations, two vertical segments combining large-scale web applications, budget constraints and relatively small security teams.
  • Marketing Strategy:  The vendor regularly publishes threat reports as a tool to raise awareness about issues. However, this also incidentally demonstrates the efficacy of its approach.
Cautions
  • Customer Experience:  Although comments on support are generally positive, customers in the APAC region are less satisfied with the timeliness of the response from Radware’s support for issues that require more than a canned answer.
  • Cloud WAF Service:  Managed WAF is not the preferred option for many customers; however, it is the main option for Radware cloud WAF service. Radware cloud WAF service clients express interest in further improvements of the self-service management capabilities.
  • Customer Experience:  Radware’s customers cite a need to improve the AppWall UI. It scores low on surveys, and the most frequently cited issue is its lack of intuitiveness, when searching for a configuration option. Customers also comment on the lack of out-of-box reports related to compliance. These reports are available on APSolute Vision reporter, Radware’s dedicated reporting solution.
  • Capabilities:  Some prospects encountered challenges successfully implementing Radware’s positive security approach.
  • Market Execution:  Radware is not as visible in U.S. shortlists as many of its competitors. Organizations evaluating AppWall should focus on their evaluation of the vendor’s capabilities, relative to their requirements, rather than on the overly aggressive communications from the vendor and its channel partners, who frequently exaggerate capabilities relative to leading competitors.
  • Customer Experience:  Radware customers continue to be dissatisfied with the training and documentation on AppWall, mentioning that it lengthens the learning curve when trying to deploy the technology, implement new features or understand whether there’s a configuration issue.

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity is in the Niche Players quadrant. Its WAF appliance product line bundles several advanced security features, resulting in most deployments being in blocking mode. The vendor struggles with market reach beyond its home country, and its cloud WAF offering has made little progress.
Headquartered in Munich, Germany, Rohde & Schwarz is a large electronics group. The vendor has acquired several vendors to build Rohde & Schwarz Cybersecurity, which has almost 500 employees. Its WAF business unit, DenyAll, was acquired in 2017, and employs nearly 90 people. In addition to the R&S Web Application Firewall, Rohde & Schwarz Cybersecurity’s products include R&S Unified Firewalls (acquired from German company gateprotect), a network firewall targeting midsize enterprises, and endpoint security solutions.
A key concept in the DenyAll WAF is the use of a graphical workflow to configure traffic processing and inspection. The workflow view is a diagram where administrators can drag and drop controls, response modifications and other actions. The DenyAll WAF is available on AWS and Microsoft Azure. R&S Cloud Protector is the cloud WAF service solution.
In addition to the rebranding, recent news includes a refresh of the WAF appliance product line, active-active high availability and improved processing of JSON payloads.
Rohde & Schwarz Cybersecurity is a good shortlist contender for organizations looking for a WAF appliance, combining ease of use and in-depth security features, especially those located in Europe.
Strengths
  • Customer Experience:  Rohde & Schwarz customers like the graphical workflow, backed up by a more traditional view. Former DenyAll rWeb users noted that the addition of a web security engine in the new WAF product improved their results.
  • Product Strategy:  Following the acquisition, the DenyAll team maintained an open security culture, participating in events where they let penetration testers try to hack or pass through the WAF. R&S WAF is also one of the only products evaluated in this research with an official bug bounty program.
  • Capabilities:  DenyAll WAF includes multiple analysis engines and leverages user session risk scoring to ensure accurate detection and low false-positive rates.
  • Capabilities:  Building on previous enhancements to its reporting solution, Rohde & Schwarz has improved its investigative capabilities by enabling attack replay and dedicated investigation dashboards.
  • Capabilities:  R&S Cloud Protector offers predefined configurations only using the management console, like most cloud WAF services built on the foundation of a WAF appliance. However, customers can fully manage the WAF, using the API.
  • Customer Experience:  Customers continue to give positive feedback about presale and postsale local support.
Cautions
  • Market Responsiveness:  The number of new features released on R&S WAF and R&S Cloud Protector has been severely limited for a few years now. Smaller vendors evaluated for this research have achieved significantly more during the same period, especially when it comes to the development of a cloud WAF service.
  • Marketing and Sales Execution:  Even though the acquisition gave DenyAll access to Rohde & Schwarz’s sales force, the vendor is losing market share.
  • Capabilities:  The acquisition by Rohde & Schwarz did not lead to significant investment in the DenyAll small threat research team. DenyAll WAF does not automatically deploy ad hoc signatures, following an attack, relying on the generic engine, and leaving customers to guess from the detailed log information whether the alert triggered is related to recent attack campaigns.
  • Capabilities:  Rohde & Schwarz does not offer unified centralized management for its WAF appliance and R&S Cloud Protector. The vendor offers limited bot mitigation, compared with many of the vendors evaluated in this research.
  • Geographic Strategy:  R&S WAF is not visible in shortlists outside its original home market, France, and Germany. Prospective customers outside of these countries should verify the availability of peer references.
  • Customer Experience:  Many customers have complaints about the Java-based UI, and would like to see faster transition to the web-based management promised for years. They also note that bot mitigation could be better.

Vendors Added and Dropped

We’ve updated the inclusion criteria to reflect enterprises’ more demanding requirements. Part of the change is a new requirement for vendors to have a customer base outside of their home region.
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Microsoft (Azure)
  • Oracle (acquired Zenedge)

Dropped

  • NSFOCUS, Penta Security, Positive Technologies and Venustech were dropped, due to updated and more-demanding inclusion criteria.

Inclusion and Exclusion Criteria

WAF vendors that meet Gartner’s market definition/description are considered for this Magic Quadrant under the following conditions:
  • Their offerings can protect applications running on different types of web servers.
  • Their WAF technology is known to be approved by qualified security assessors as a solution for PCI DSS Requirement 6.6, which covers Open Web Application Security Project (OWASP) Top 10 threats, in addition to others.
  • They provide physical, virtual or software appliances, or cloud WAF service.
  • Their WAFs were generally available as of 1 January 2017.
  • Their WAFs demonstrate global presence, and features/scale relevant to enterprise-class organizations:
    • $12 million in WAF revenue during 2017; able to demonstrate that at least 200 enterprise customers use its WAF products under support as of 31 December 2017.
    • And, the vendor must have sold at least 40 net-new customers in 2017.
    • Or, $7 million in WAF revenue during 2017, and two years of compound annual revenue growth of at least 30%.
  • The vendor must provide at least three WAF customer references for WAF appliances, or three customer references for cloud WAF service, or both, if the vendor offers both solutions.
  • The vendor must demonstrate minimum signs of global presence:
    • Gartner received strong evidence that more than 5% of its customer base is outside its home region. Vendors appearing in Gartner client inquiries, competitive visibility, client references and the vendor’s local brand visibility are considered.
    • The vendor can provide at least two references outside its home region.
  • The provider offers 24/7 support, including phone support (in some cases, this is an add-on, rather than being included in the base service).
  • Gartner has determined that they are significant players in the market, due to market presence, competitive visibility or technology innovation.
  • Gartner analysts assess that the vendor’s WAF technology provides more than a repackaged ModSecurity engine and signatures.
  • The vendor must provide evidence to support meeting the above inclusion requirements.
WAF companies that were not included in this research may have been excluded for one or more of the following reasons:
  • The vendor primarily has a network firewall or IPS with a non-enterprise-class WAF.
  • The vendor is primarily a managed security service provider (MSSP), and WAF sales mostly come as part of broader MSSP contract.
  • The vendor is not actively providing WAF products to enterprise customers, or has minimal continued investments in the enterprise WAF market.
  • The vendor has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.
  • The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and internet service providers (ISPs) that provide managed services. We assess the breadth of OEM partners as part of the WAF evaluation, and do not rate platform providers separately.
  • The vendor has a host-based WAF, WAM, RASP or API gateway (these are considered distinct markets).
In addition to the vendors included in this Magic Quadrant, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels in WAF projects, including A10 Networks, Alibaba, Alert Logic, Array Networks, Avi Networks, Beijing Chaitin Technology, Brocade, DBAppSecurity, DB Networks, ditno., Indusface, Kemp Technologies, Limelight, ModSecurity, NGINX, NSFOCUS, Penta Security, PIOLONK, Positive Technologies, Qualys, Sangfor, SiteLock, Sucuri, Threat X, Trustwave, Venustech, Verizon and Wallarm.
The adjacent markets focusing on web application security continue to be innovative. This includes the RASP market and other specialized vendor initiatives. Those vendors take part in web application security, but often focus on specific market needs, such as bot mitigation (Distil Networks, PerimeterX, Shape Security and Stealth Security), or take an alternative approach to web application security (e.g., Signal Sciences and tCell).

Evaluation Criteria

Ability to Execute

  • Product or Service:  This includes the core WAF technology offered by the technology provider that competes in and serves the defined market. This also includes current product or service capabilities, quality, feature sets, and skills, whether offered natively or through OEM agreements/partnerships, as defined in the Market Definition/Description section. Strong execution means that a vendor has demonstrated to Gartner that its products or services are successfully and continually deployed in enterprises. Execution is not primarily about company size or market share, although these factors can considerably affect a company’s Ability to Execute. Some key features, such as the ability to support complex deployments (including on-premises and cloud options) with real-time transaction demands, are weighted heavily. Product evaluation also considers adjacent security functions. These include DDoS protection services, bot management (e.g., bad-bot mitigation and good-bot whitelisting), fraud detection, API security and threat intelligence feeds, which might be bundled or integrated with WAFs. Integration with other markets, such as CASBs and AST, is evaluated as well, but more lightly.
  • Overall Viability:  This includes an assessment of the organization’s overall financial health, and the financial and practical success of the business unit. It also involves the likelihood that individual business units will continue to invest in WAF, offer WAF products and advance the state of the art in the organization’s portfolio of products.
  • Sales Execution/Pricing:  This is the technology provider’s capabilities in all presales activities and the structure that supports them. It includes deal management, pricing and negotiation; presales support; and the overall effectiveness of the sales channel. It also includes deal size, as well as the use of the product or service in large enterprises with critical public web applications, such as banking applications or e-commerce. Low pricing will not guarantee high execution or client interest. Buyers want good results more than they want bargains. Buyers balance WAF security requirements and pricing, and don’t consider best pricing only.
  • Market Responsiveness/Record:  This is the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and security trends and customer needs evolve. A vendor’s responsiveness to new or updated web application frameworks and standards is considered, as well as its ability to adapt to market dynamics and changes (such as the relative importance of PCI compliance). This criterion also considers the provider’s history of releases, but gives higher weight to its responsiveness during the most recent product life cycle.
  • Marketing Execution:  This is the clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message. It is aimed at influencing the market, promoting the brand and business, increasing product awareness, and establishing positive identification with the product/brand and organization among buyers. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word of mouth and sales activities.
  • Customer Experience:  This assesses the relationships, products and services/programs that enable clients to be successful with the products that are evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements (SLAs) and so on.
  • Operations:  This is the organization’s ability to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria             Weighting
Product or Service              High
Overall Viability               Medium
Sales Execution/Pricing         Medium
Market Responsiveness/Record    High
Marketing Execution             Medium
Customer Experience             High
Operations                      Medium

Source: Gartner (August 2018)

Completeness of Vision

  • Market Understanding:  This is the technology provider’s ability to understand buyers’ wants and needs, and translate them into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance them with their added vision. They also determine when emerging use cases will greatly influence how the technology has to work. Vendors showing a better understanding of how changes in web applications affect security will receive higher scores. Trends include cloud, IaaS, agile methodologies, web services and microservices, continuous integration, and the growing importance of APIs.
  • Marketing Strategy:  This is a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
  • Sales Strategy:  This strategy for selling products uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates to extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. The ability to attract new customers that need web application security alone (rather than as part of a broader bundle) has a strong influence on this criterion.
  • Offering (Product) Strategy:  This is the technology provider’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets, as they map to current and future requirements. As attacks change and become more targeted and complex, we highly weight vendors that move their WAFs beyond rule-based web protections that are limited to known attacks. For example:
    • Enabling a positive security model with automatic and efficient policy learning
    • Leveraging machine learning to improve the quality of the detection engines
    • Using a weighted scoring mechanism based on a combination of techniques
    • Providing updated security engines to handle new protocols and standards (such as JSON, HTML5, HTTP/2, IPv6 and WebSockets), and remaining efficient against changes in how older web technologies (e.g., Java, JavaScript and Adobe Flash) are used
    • Providing dedicated protection techniques on emerging web application use cases, such as mobile and IoT applications
    • Bot mitigation not limited to reputation-based controls
    • API security
    • User behavioral analysis
    • Countering evasion techniques actively
    This criterion also includes the evaluation of the depth of features, especially features that ease the management of the solution, and integration with other solutions, including DDoS protection services and emerging technologies, such as CASB.
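The report repeatedly credits vendors for moving beyond one-rule-one-verdict blocking: Oracle WAF’s statistical risk score that drives alert or block actions, DenyAll’s user session risk scoring, and the “weighted scoring mechanism based on a combination of techniques” and “positive security model with automatic policy learning” listed above. The following is an added illustration of what such an engine does, not code from Gartner or from any vendor evaluated here. It combines weighted negative signatures, a positive model learned from constructed baseline traffic (allowed character set and maximum length per parameter), and a decaying per-session score; all patterns, weights, thresholds and sample requests are assumptions chosen for the example.

```python
"""Weighted WAF risk scoring: added illustration, not vendor code.

Several detectors each contribute a weight; the sum, plus a decaying
per-session history, is mapped to allow / alert / block. A single
low-weight match only alerts, while corroborating evidence blocks.
All signatures, weights, thresholds and traffic are constructed.
"""
import re
from collections import defaultdict

# Negative model: (name, pattern, weight). Weights are assumptions.
SIGNATURES = [
    ("sqli_tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d", re.I), 5),
    ("sqli_comment",   re.compile(r"(--|/\*|#)\s*$"), 3),
    ("xss_tag",        re.compile(r"<\s*script\b", re.I), 5),
    ("path_traversal", re.compile(r"\.\./"), 4),
]

ALERT_THRESHOLD = 5   # assumed: score at which an alert is raised
BLOCK_THRESHOLD = 8   # assumed: score at which the request is blocked


class ParameterProfile:
    """Positive model learned from baseline traffic, keyed by (path, param)."""

    def __init__(self):
        self.max_len = defaultdict(int)
        self.charset = defaultdict(set)

    def learn(self, path, params):
        for name, value in params.items():
            key = (path, name)
            self.max_len[key] = max(self.max_len[key], len(value))
            self.charset[key].update(value)

    def deviations(self, path, params):
        """Return (reason, weight) pairs for departures from the profile."""
        out = []
        for name, value in params.items():
            key = (path, name)
            if key not in self.max_len:
                out.append((f"unknown_param:{name}", 2))
                continue
            if len(value) > 2 * self.max_len[key]:
                out.append((f"length:{name}", 2))
            if set(value) - self.charset[key]:
                out.append((f"charset:{name}", 3))
        return out


class RiskScorer:
    def __init__(self, profile):
        self.profile = profile
        self.session_score = defaultdict(int)   # decayed history per session

    def evaluate(self, session, path, params):
        hits = [(name, w) for name, pat, w in SIGNATURES
                if any(pat.search(v) for v in params.values())]
        hits += self.profile.deviations(path, params)
        request_score = sum(w for _, w in hits)
        # Repeated probing accumulates: prior session score is added, and
        # half of the combined score is carried forward as history.
        combined = request_score + self.session_score[session]
        self.session_score[session] = combined // 2
        if combined >= BLOCK_THRESHOLD:
            action = "block"
        elif combined >= ALERT_THRESHOLD:
            action = "alert"
        else:
            action = "allow"
        return {"action": action, "score": combined, "hits": [h for h, _ in hits]}


# Constructed legitimate traffic used to learn the positive model.
BASELINE = [
    ("/login", {"user": "alice", "pw": "hunter22"}),
    ("/login", {"user": "bob", "pw": "Passw0rd!"}),
    ("/login", {"user": "carol", "pw": "x9yz"}),
    ("/search", {"q": "blue shoes size 42"}),
    ("/search", {"q": "red dress"}),
    ("/search", {"q": "warm coat"}),
]


def build_demo_scorer():
    profile = ParameterProfile()
    for path, params in BASELINE:
        profile.learn(path, params)
    return RiskScorer(profile)


if __name__ == "__main__":
    scorer = build_demo_scorer()
    for sess, path, params in [
        ("s1", "/search", {"q": "red shoes"}),               # allow, 0
        ("s2", "/search", {"q": "shoes'--"}),                # alert, 6
        ("s3", "/login", {"user": "admin' or '1'='1", "pw": "x9"}),  # block, 10
        ("s4", "/search", {"q": "../"}),                     # alert, 7
        ("s4", "/search", {"q": "../../"}),                  # block, 10
    ]:
        print(sess, path, scorer.evaluate(sess, path, params))
```

The second request shows the point of weighting: the trailing comment signature alone scores below the alert threshold, but a parameter that also leaves its learned character set corroborates it. The last two requests show the session dimension: the same probe that only alerts on first sight is blocked on repetition because the session carries forward half of its earlier score. In a real engine the weights would come from the vendor’s threat research and the thresholds from tuning against the protected application.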
  • Business Model:  This is the soundness and logic of a technology provider’s underlying business proposition.
  • Vertical/Industry Strategy:  This is the technology provider’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Vendors focusing on a single vertical get lower scores; vendors with differentiated vertical strategies and the ability to reproduce success across several verticals receive higher scores.
  • Innovation:  This refers to the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes. It includes product innovation and quality differentiators, such as:
    • New methods for detecting web attacks and avoiding false positives
    • A management interface, monitoring and reporting that contribute to easy web application setup and maintenance, better visibility, and faster incident response
    • Automated delivery of detection and protection
    • Ability to integrate with DevOps process and tooling
    • Integration with companion security technologies, which improves overall security
  • Geographic Strategy:  This is the technology provider’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography. This can be directly or through partners, channels and subsidiaries, as appropriate for the geographies and markets.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria             Weighting
Market Understanding            High
Marketing Strategy              Medium
Sales Strategy                  Low
Offering (Product) Strategy     High
Business Model                  Medium
Vertical/Industry Strategy      Low
Innovation                      High
Geographic Strategy             Medium

Source: Gartner (August 2018)

Quadrant Descriptions

Leaders

The Leaders quadrant contains vendors that can shape the market by introducing additional capabilities in their offerings, raising awareness of the importance of those features and being the first to do so. They also meet the enterprise requirements for the different use cases of web application security.
We expect leaders to have strong market share and steady growth, but these alone are not sufficient. Key capabilities for leaders in the WAF market are ensuring higher security and smooth integration in the web application environment. They also include advanced web application behavior learning; a superior ability to block common threats (such as SQLi, XSS and CSRF), protect custom web applications and avoid evasion techniques; and strong deployment, management, real-time monitoring and extensive reporting. They should also provide and regularly improve DDoS and bot mitigation capabilities. In addition to providing technology that is a good match with customer requirements, leaders show evidence of superior vision and execution for anticipated requirements and evolution in web applications that will require paradigm changes.

Challengers

Challengers in this market are vendors that have achieved a sound customer base, but they are not leading on security features. Many challengers leverage existing clients from other markets to sell their WAF technology, rather than competing with products to win deals. A challenger may also be well-positioned and have good market share in a specific segment of the WAF market, but does not address (and may not be interested in addressing) the entire market.

Visionaries

The Visionaries quadrant is composed of vendors that have provided key innovative elements to answer web application security concerns. They devote more resources to security features that help protect critical business applications against targeted attacks. However, they lack the capability to influence a large portion of the market. They haven’t expanded their sales and support capabilities on a global basis, or they lack the funding to execute with the same capabilities as vendors in the Leaders and Challengers quadrants. Visionaries also have a smaller presence in the WAF market, as measured by installed base, revenue size or growth, or by smaller overall company size or long-term viability.

Niche Players

The Niche Players quadrant is composed primarily of smaller vendors that provide WAF technology that is a good match for specific WAF use cases (such as PCI compliance), or vendors that have a limited geographic reach. The WAF market includes several European and Asian vendors that serve clients in their regions well with local support, and are able to quickly adapt their roadmaps to specific needs. However, they do not sell outside their home countries or regions. Many niche players, even when making large-scale products, offer features that would suit only SMB and smaller enterprises’ needs.
Niche players may also have a small installed base, or may be limited, according to Gartner’s criteria, by a number of factors. These factors may include limited investments or capabilities, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in the Niche Players quadrant does not reflect negatively on a vendor’s value in the more narrowly focused service spectrum.

Context

Gartner generally recommends that client organizations consider products from vendors in every quadrant of this Magic Quadrant, based on their specific functional and operational requirements. This is especially true for the WAF market, which includes a large number of relatively small vendors, or larger vendors, but with a small share of their revenue coming from their WAF offerings. Product selection decisions should be driven by organization-specific requirements. These involve such areas as deployment constraints and scale, the relative importance of compliance, the characteristics and risk exposures of business-critical and custom web applications, and the vendor’s local support and market understanding.
Security managers who are considering WAF deployments should first define their deployment constraints, especially:
  • Their tolerance for a full, in-line reverse proxy with blocking capabilities in front of the web applications
  • The benefits and constraints of the different WAF delivery options:
    • Dedicated appliances
    • CDNs
    • ADCs
    • Cloud services
  • SSL decryption/re-encryption and other scalability requirements
(For more information on WAF technology selection and deployment challenges, see “Web Application Firewalls Are Worth the Investment for Enterprises.”)

Market Overview

Gartner forecasts that the WAF market will total $853 million in 2018, which is an increase of 11.9% from 2017’s total of $762 million (see “Forecast: Information Security, Worldwide, 2016-2022, 2Q18 Update”). The Americas account for 47.6% of the total market, with EMEA following at 31.2%. The APAC region represented 21.2% of the total market, and showed year-over-year growth of 13.5%. Gartner forecasts report end-user spending. Previous market estimates published in this Magic Quadrant were based on vendor revenue estimates.
Web application security is a growing concern, as more businesses support new digital business initiatives with public-facing applications, including API-driven mobile or IoT applications. As a result, web application attacks were the No. 1 attack pattern leading to a data breach in 2017, according to Verizon.1
Gartner has observed a growing number of small vendors with local regional reach, and more CDN and ADC vendors adding WAF as a feature. To reflect the more stringent requirements of organizations looking for a global WAF provider, this Magic Quadrant includes revised inclusion criteria. It has a notable criterion for WAF vendors to have more than 5% of their customer bases outside their home regions.
This change led to the exclusion of reputable vendors, with a regional reach. Because the APAC region includes some relatively large WAF vendors, a contextual Magic Quadrant is planned in 2018.
When speaking with clients about WAF adoption, Gartner has observed occasional confusion regarding the application control feature (application awareness) present on network firewalls. The primary WAF benefit and differentiator is protection for custom web applications’ vulnerabilities in web application code developed by the enterprise, not just vulnerabilities in off-the-shelf web application software. These “self-inflicted” vulnerabilities would otherwise go unprotected by other technologies that mainly guard against known exploits (see “Web Application Firewalls Are Worth the Investment for Enterprises”). Most attacks on these corporate applications come from external attackers.
Gartner observes diverging expectations between customers considering cloud WAF services and WAF appliances:
  • Organizations looking for cloud WAF services generally expect multiple, bundled features — notably DDoS protection, bot management and CDN — in an easy-to-deploy and easy-to-operate package. They increasingly request more depth for security controls, and better granularity for configuration options, but are often under time pressures to deploy the WAF.
  • Organizations looking for WAF appliances (physical and virtual), are more likely to have a WAF appliance already in place. They put higher expectations on positive security model, advanced security features and integration of the WAF in the incident response workflow.
Gartner continues to see organizations deciding on the deployment options as a second step, comparing the respective benefits and challenges of cloud WAF and WAF appliances. This research includes providers for both categories of solutions, as they continue to compete against each other.

WAF Market Trends

Gartner has observed three significant trends in the WAF market:
  • Gartner estimates that the number of physical appliance deployments and of WAF modules sold on ADC appliances is declining, with most vendors experiencing a decline in volume, and many vendors seeing only slow, single-digit growth driven by increased subscription revenue.
  • Cloud WAF service continues to grow steadily. Gartner estimates that it represented more than 35% of WAF market revenue in 2017 and accounts for most Gartner client inquiries about WAF. Cloud-native solutions increasingly compete with the more-mature vendors. IaaS providers’ visibility is nascent.
  • More organizations want to “follow the app” by using a cloud WAF. However, Gartner analysts have seen an increase, from a small base, in inquiries from organizations leaning toward the conservative approach of using the same WAF appliance on-premises and on IaaS. Multicloud strategies have also started to appear in strategic roadmaps, creating an incentive for more unified management and reporting.
Cloud WAF service appears more frequently on shortlists for public-facing applications. The complexity of large-scale deployment remains a competitive disadvantage for WAF appliances against cloud services. A “hybrid approach” that protects on-premises and cloud-hosted assets with the same WAF technology is among the best remaining use cases for WAF appliances.
WAF sees competition from adjacent technology options, and also competes more frequently with alternative approaches to exploit detection and/or protection. These include solutions that combine elements of traditional WAF and RASP-style application instrumentation with an analytical back end that detects attack patterns across a customer base and pushes updates to individual sensors (e.g., Signal Sciences or tCell). Imperva’s recently announced acquisition of Prevoty could be an indication of a similar integration plan.

Bot Management Is on the Rise, API Security Is Next

During the past few months, the ability to segregate automated traffic from human clients has become a more important requirement. Bot mitigation and good-bot handling have become closely scrutinized features, and WAF vendors are adapting their offerings. Larger enterprises evaluate WAFs against specialized vendors, such as Distil Networks, PerimeterX, Shape Security and Stealth Security, for bot mitigation. Traditional reputation-based and fingerprinting controls are no longer sufficient to block “low and slow” advanced bots, which deliberately keep their request rate below volumetric thresholds, and more enterprises add requirements for behavioral analytics to their RFPs. Gartner expects bot management (which includes bot mitigation and good-bot handling) to become a core feature in WAF evaluations in the near future.
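To make the distinction above concrete, here is an added example in Python; it is not code from the Gartner report or from any vendor named here. It runs a volumetric rate-limit check and a simple behavioral profile over a constructed access log containing one human browsing session and one low-and-slow credential-stuffing bot. The log format, the client addresses, the thresholds and the scoring rules are all assumptions chosen for illustration.

```python
"""Volumetric rate limiting vs. behavioral profiling for "low and slow" bots.
Added example, not from the Gartner report or any vendor. Log format, addresses,
thresholds and scoring rules are assumptions for illustration only."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<ts> <ip> <method> <path> <status>".
# 10.0.0.5 is a human session: bursts of page + asset loads, then reading pauses.
HUMAN_LINES = [
    "2018-09-01T12:00:00Z 10.0.0.5 GET /index.html 200",
    "2018-09-01T12:00:00Z 10.0.0.5 GET /static/app.js 200",
    "2018-09-01T12:00:00Z 10.0.0.5 GET /static/style.css 200",
    "2018-09-01T12:00:01Z 10.0.0.5 GET /static/logo.png 200",
    "2018-09-01T12:00:07Z 10.0.0.5 GET /products 200",
    "2018-09-01T12:00:07Z 10.0.0.5 GET /static/products.js 200",
    "2018-09-01T12:00:31Z 10.0.0.5 GET /products/42 200",
    "2018-09-01T12:00:31Z 10.0.0.5 GET /static/img/42.jpg 200",
    "2018-09-01T12:01:05Z 10.0.0.5 POST /login?user=alice 200",
    "2018-09-01T12:01:06Z 10.0.0.5 GET /account 200",
]
# 203.0.113.9 is a low-and-slow credential-stuffing bot: one POST /login every
# 20 s with a fresh username, never fetching a static asset.
BOT_LINES = [
    f"2018-09-01T12:{m:02d}:{s:02d}Z 203.0.113.9 POST /login?user={u} 401"
    for (m, s), u in zip(
        [(0, 0), (0, 20), (0, 40), (1, 0), (1, 20), (1, 40), (2, 0), (2, 20)],
        ["u01", "u02", "u03", "u04", "u05", "u06", "u07", "u08"],
    )
]
LOG_LINES = HUMAN_LINES + BOT_LINES
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
STATIC_PREFIX = "/static/"


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path, user = m.group(4), None
        if "?user=" in path:  # username travels in the query in this toy format
            path, user = path.split("?user=", 1)
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m.group(2), "method": m.group(3), "path": path, "user": user,
        })
    return events


def rate_limit_flags(events, window_s=60, max_requests=20):
    """Volumetric control: flag clients exceeding max_requests in any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged


def behavioral_flags(events, max_cv=0.2, min_login_share=0.8, min_users=3):
    """Behavioral control: profile session shape, not volume. Returns {ip: [reasons]}
    for clients showing at least two of: machine-regular timing, traffic concentrated
    on POST /login with rotating usernames, never loading static assets."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        if len(evs) < 4:  # too little history to profile
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # coefficient of variation
        logins = [e for e in evs if e["method"] == "POST" and e["path"] == "/login"]
        users = {e["user"] for e in logins if e["user"]}
        fetches_assets = any(e["path"].startswith(STATIC_PREFIX) for e in evs)
        reasons = []
        if cv < max_cv:
            reasons.append(f"machine-regular timing (cv={cv:.2f})")
        if len(logins) / len(evs) >= min_login_share and len(users) >= min_users:
            reasons.append(f"{len(users)} usernames across {len(logins)} login POSTs")
        if not fetches_assets:
            reasons.append("never fetches static assets")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print(rate_limit_flags(evs), rate_limit_flags(evs, 5, 3), behavioral_flags(evs))
```

With the default 20 requests per minute the rate limiter flags nobody: the bot sends four requests a minute. Tightened to 3 requests per 5 seconds it flags the human first, because a browser fetches a page and its assets in a burst, while the bot still passes. The behavioral profile flags only the bot, on three independent traits: zero variance in inter-request timing, every request a login attempt with a different username, and no static-asset loads at all. Real deployments feed WAF logs into the same kind of per-client profiling and tune the thresholds per application.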
API security is on a similar trajectory, but market awareness is not yet as high. Many organizations consider an API management gateway as the ad hoc solution before evaluating their WAF for this use case. In “How to Build an Effective API Security Strategy,” Gartner estimates that, by 2022, “API abuses will be the most-frequent attack vector, resulting in data breaches for enterprise web applications.” Some WAF vendors offer basic API security features, and Gartner expects the situation to improve, along with the emergence of specialized API security vendors.

Evidence

1  Verizon 2017 Data Breach Investigations Report, Pattern Breakdown: web application attacks account for 21% of all attack patterns leading to breaches (No. 1) in 2017.

Evaluation Criteria Definitions

Ability to Execute

Product/Service:  Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability:  Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing:  The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record:  Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution:  The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience:  Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations:  The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding:  Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy:  A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy:  The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy:  The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model:  The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy:  The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation:  Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy:  The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.
