NSS Labs defines the web application firewall (WAF) as a stand-alone or virtual appliance, or as self-contained software, designed to secure web-based traffic and prevent web servers and their applications from being exploited. Attackers are no longer simply attacking the web server and its underlying operating system; they have moved up the stack and are attacking the web applications running on the web server that front-end critical corporate data. Such applications are often complex and difficult to secure effectively, and simple coding errors can leave them wide open to remote exploits. To regain the upper hand against current attacks, enterprises must evolve their network defenses to provide a different kind of protection.

WAFs employ a wide range of functions to work in conjunction with perimeter firewalls and intrusion prevention system (IPS) technologies and to provide protections specifically for web applications. WAFs should include HTTP/HTTPS protocol enforcement and native signature detection along with other protection mechanisms, such as URL normalization and scanning; positive or negative security enforcement model functionality (or both) that enforces proper application operation and page logic flow; and adaptive learning modules for automated policy updates. WAFs should be able to identify and police the use of specific web application elements and functions, such as web objects, form fields, and, most importantly, application session logic.
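As an added illustration (not part of NSS Labs' methodology and not any product's code) of how three of the mechanisms named above fit together, the following shows bounded URL normalization, a negative signature model applied only after normalization, and a positive model that enforces known routes and field shapes. The routes, field constraints, signatures and sample requests are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed positive model for a hypothetical application: the only routes it
# exposes, the form fields each may carry, and the shape each field must have.
POSITIVE_MODEL = {
    "/login": {"user": re.compile(r"[a-z0-9_]{3,32}"), "pw": re.compile(r".{8,128}")},
    "/search": {"q": re.compile(r"[\w .-]{1,64}")},
}

# Constructed negative-model signatures, matched only after normalisation.
SIGNATURES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sql-union", re.compile(r"\bunion\b.{0,10}\bselect\b", re.I)),
]

def normalize(value, max_rounds=3):
    # Percent-decode until stable (bounded, so nested encodings cannot loop
    # forever), then unify separators so signatures see what the origin would.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"/+", "/", value.replace("\\", "/"))

def inspect(method, target, body=""):
    # Returns ('allow', None) or ('block', reason). Negative model first
    # (signatures over the normalised path and fields), then positive model
    # (route must exist, every field must be known and well-formed).
    parts = urlsplit(target)
    path = normalize(parts.path)
    fields = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        fields += parse_qsl(body, keep_blank_values=True)
    fields = [(name, normalize(value)) for name, value in fields]
    for name, sig in SIGNATURES:
        if sig.search(path) or any(sig.search(v) for _, v in fields):
            return "block", name
    allowed = POSITIVE_MODEL.get(path)
    if allowed is None:
        return "block", "unknown-route"
    for name, value in fields:
        if name not in allowed:
            return "block", "unexpected-field:" + name
        if not allowed[name].fullmatch(value):
            return "block", "field-shape:" + name
    return "allow", None
```

The double-encoded query value in the test below is caught only because normalization runs before the signature pass; the positive model then rejects requests that carry a route or field the application never declared.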

NSS Labs’ Web Application Firewall (WAF) Group Test evaluates market-leading WAF products on their security effectiveness, performance, stability and reliability, and total cost of ownership (TCO). The test provides Comparative Reports and individual Test Reports to help enterprises make informed decisions to evolve and rationalize their cyber risk programs.

This Test Methodology describes how NSS will evaluate WAF products to provide an objective and fair assessment of the technology. Individual tests have been developed that represent real-world use cases of the WAF to protect web applications and other mission-critical applications sitting at the edge of an enterprise network.