Cross-site scripting poses problems for all tested WAFs

AUSTIN, Texas – September 30, 2014 – NSS Labs today released its first Web Application Firewall (WAF) Security Value Map™ (SVM) and Comparative Analysis Report™ (CAR) series, which evaluated 6 of the leading WAF products on the market for security effectiveness, performance, and total cost of ownership (TCO). Five of the six products tested received the coveted NSS “Recommended” rating and for the first time ever in NSS testing, no vendors received a “Caution” rating. Our enterprise research indicates that adoption continues to increase based on market awareness and the value of the web assets.

Learn More:

NSS Web Application Firewall Security Value Map and Comparative Analysis Reports

NSS’s research yielded several key conclusions:

  • All Products Tested Score High for Security Effectiveness: In this first test, 5 of the 6 products tested scored over 99.76% for security effectiveness, and all products successfully protected against evasions. The overall range of scores for security effectiveness was 96.11 – 99.97%. While most of the vendors tested had a high security effectiveness score, enterprises need to understand that it can take only one attack to compromise a Web server; an improvement of 0.20% can therefore make a significant difference in protection.
  • Cross-site scripting remains a challenge: All vendors missed attacks in this category, which is one of the most prevalent flaws in web applications and allows an attacker to send a malicious script via the web application to unsuspecting users of the website.
  • It’s a “Buyer’s Market” for Enterprises Looking to Implement WAF: In order to capture the relative value of devices in the market, NSS developed a unique metric, TCO per protected connection per second (CPS). The TCO for WAFs tested ranged from $1.93 to $15.85, with 5 of the 6 products under $4.89.
  • Most WAFs Tested Performed Above Capacity: In testing, 5 of the 6 WAF products tested outperformed their vendor-stated capacity (connections per second) and two vendors achieved rates over 200% higher than their stated rates. Vendor capacity ranged from 3% to 323% above their stated rates.

Commentary: NSS Labs CEO Vikram Phatak

“PCI compliance helped to broaden the potential market for WAF, but is only one use case. With the increased dependence on web services, as well as the notable exploits discovered this year such as Heartbleed and Shellshock, WAF adoption will continue to accelerate as enterprises invest in protecting these mission critical assets,” said Vikram Phatak, CEO of NSS Labs.

The NSS Labs NGFW Security Value Map™, Comparative Analysis Reports™, and Product Analysis Reports™ for each vendor are currently available to NSS Labs’ subscribers at

The products covered in the 2014 WAF Group Test are:

  • Barracuda Networks Web Application Firewall 960
  • Citrix NetScaler AppFirewall MPX 11520
  • Fortinet FortiWeb 1000D
  • F5 Big-IP ASM 10200
  • Imperva SecureSphere x6500
  • Sangfor M5900-F-I