Web application firewalls (WAF) are a growing segment of the security market. In 2016, NSS Labs conducted an independent study to gain insight into enterprise WAF deployment, integration, labor and maintenance, and perceived value. In this study, 128 cybersecurity officers (n=128) from Global 2000 companies that actively deploy WAFs and that are headquartered in North America participated in an online survey. In Part 1 of this blog, we reported our results on WAF deployment methods and HTTP/2. In Part 2, we discuss our findings on WAF integration, labor and maintenance, and perceived value.

Key Findings:

  • 40% of respondents believe their WAFs integrate moderately well into their security architecture, and 39% believe their WAFs integrate very well
  • On average, respondents view WAFs favorably in terms of security, performance, value, and usability, though data suggests there is room for improvement
  • 61% of respondents feel that WAF products require a moderate amount of labor to administer and maintain, while 20% indicated that WAFs require a lot of labor


For enterprises deciding whether or not to deploy a WAF, a key factor in the decision is how well the product integrates with their environment. Several factors can affect integration, including form factor (inline or cloud-based), the extent of the required changes to enterprise web application code, how the product handles SSL traffic, and so on. In our survey, we asked respondents to rate how well WAFs integrate into their security architectures. Results were favorable, with 39% and 40% of respondents reporting that their WAFs integrate very well and moderately well, respectively. Notably, none of the participants chose the answer “not well at all.”

Perceived Value

Survey respondents were asked to rate WAF technology in terms of security, performance, value, and usability on a 5-point scale, with 5 being the most favorable. Very few respondents gave top marks on any of the factors, which suggest that there may be room for improvement. However, taken in aggregate, the mean ratings trend positively.

Labor and Maintenance

According to a 2016–2017 report from the U.S. Bureau of Labor Statistics, the demand for security analysts is growing more than twice as fast as demand for other professions. A 2015 report by Peninsula Press examining Bureau of Labor Statistics found that demand for security professionals is expected to grow by 53% through 2018. Given today’s hiring landscape, the labor requirements of security products are a growing concern for enterprises struggling to fill open requisitions. We asked cybersecurity professionals to rate the amount of labor their organizations need to administer and maintain WAFs. Most respondents (61%) indicated that WAFs take a moderate amount of labor to maintain.

Our research suggests that WAFs are generally well received by the enterprise for their ability to integrate into security architectures, and enterprises appear fairly satisfied with their WAFs in terms of security, performance, usability, and overall value. A significant concern, however, is the amount of labor required to maintain WAFs, especially given the changing labor market. We predict that the future leaders in this market space will be the vendors whose products offer the greatest automation and usability while maintaining the highest levels of security efficacy.

1 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2016-17 Edition, Information Security Analysts, on the Internet at

2 1Setalvad, A. (2015) Demand to fill cybersecurity jobs booming. Peninsula Press, a Project of Stanford Journalism, on the Internet at