Web Application Firewall (WAF) – A Critical Defence for an “Information-Centric World”

March 2010

Agenda

• Dispelling Some Common Misconceptions
• WAF : Market Overview (APAC)
• WAF : Market Opportunities
• WAF : Vendor Dynamics

Web Application Vulnerabilities

• Insufficient Authentication
• Cross-Site Request Forgery
• Cross-Site Scripting
• Content Spoofing
• SQL injection

What is WAF?

Do I really need WAF? What exactly is WAF? Is it a:

• Network Firewall?
• IDS / IPS?
• Web Proxy?
• Vulnerability Scanning Tool?

Common Market Confusion Towards WAF

What is the first function that comes to mind when I mention the term ‘Web Application Firewall’? – Top 6 Responses

• IDS/IPS: 36.7%
• User authentication: 19.3%
• Security in general: 19.3%
• Network security: 16.3%
• Integrity of Web application: 13.0%
• Access control: 11.7%

Source: Frost & Sullivan

Common Market Confusion Towards WAF

Agreement Towards Statements Concerning Web Application Firewall (% of respondents: Agree / Neutral / Disagree)

• A WAF is only needed for custom applications: 44.7% / 18.3% / 37.0%
• WAF is only required if a company wants to be PCI-DSS compliant: 48.3% / 29.0% / 22.7%
• I will invest in a WAF to secure my Web applications: 49.3% / 31.7% / 19.0%
• Having a powerful network firewall is sufficient to make up for the lack of a WAF: 55.0% / 16.7% / 28.3%
• Even the best-designed web applications will require protection from a WAF: 69.0% / 16.0% / 15.0%
• Deploying a WAF is necessary in the current climate of application attacks from the Web: 74.7% / 14.0% / 11.3%

Source: Frost & Sullivan

Market Definition of WAF

Frost & Sullivan defines a web application firewall (WAF) as a security technology, either hardware or software, that sits in front of the web server and analyzes layer 7 traffic (a whole session, not packets) to protect applications from attacks aimed at exploiting vulnerabilities found in the applications.

Evolution of WAF

First Generation WAF would scan the web application for vulnerabilities and generate a set of rules that would protect against those vulnerabilities.

Third Generation WAF scans and maps a website or web application, then allows everything except what the rule set has explicitly disallowed. This is a “negative security” model.
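The definition of a WAF as a layer 7 device that sees the whole session rather than packets, and the negative-security model of the third generation, can be made concrete with a small example. The Python below is added here for illustration and is not code from the Frost & Sullivan deck or from any WAF product. It reassembles a constructed HTTP request from two TCP segments, parses it as an HTTP message, and applies two checks to the parameters: a negative model (deny-list signatures) and a positive model (a schema of what each parameter may look like). The /account endpoint, its id parameter schema, the deny-list patterns and all three sample requests are assumptions made up for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample requests (not captured traffic). The first one arrives as
# two TCP segments with the attack string straddling the segment boundary.
SPLIT_ATTACK = [
    b"GET /account?id=7%20UNION%20SEL",
    b"ECT%20password%20FROM%20users HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]
# Same attack, but a comment token replaces the space the signature expects.
OBFUSCATED_ATTACK = [
    b"GET /account?id=7%20UNION/**/SELECT%20password%20FROM%20users HTTP/1.1\r\n"
    b"Host: shop.example\r\n\r\n",
]
LEGIT_REQUEST = [b"GET /account?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"]

# Negative security: a (deliberately small, assumed) deny-list of bad patterns.
DENY_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bunion\b\s+\bselect\b",      # SQL injection
    r"<script\b",                   # reflected XSS
    r"\bor\b\s+\d+\s*=\s*\d+",      # tautology such as "or 1=1"
)]

# Positive security: what each known path is allowed to receive (assumed schema).
POSITIVE_SCHEMA = {
    "/account": {"id": re.compile(r"\d{1,10}")},
}


def packet_level_match(segments):
    """Naive per-packet matcher: inspects each TCP segment on its own."""
    return any(p.search(unquote_plus(seg.decode("latin-1")))
               for seg in segments for p in DENY_PATTERNS)


def reassemble(segments):
    """Layer 7 view: the whole request, not the individual packets."""
    return b"".join(segments)


def parse_request(raw):
    """Parse request line, headers and form body into path and parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    params = parse_qs(query, keep_blank_values=True)
    if method == "POST" and headers.get("Content-Type", "").startswith(
            "application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": path, "params": params}


def negative_model(req):
    """Allow everything except values matching a known-bad signature."""
    for values in req["params"].values():
        for value in values:
            for pattern in DENY_PATTERNS:
                if pattern.search(value):
                    return ("block", f"matched signature {pattern.pattern!r}")
    return ("allow", None)


def positive_model(req):
    """Allow only known paths, known parameters, and values that fit the schema."""
    schema = POSITIVE_SCHEMA.get(req["path"])
    if schema is None:
        return ("block", f"unknown path {req['path']!r}")
    for name, values in req["params"].items():
        if name not in schema:
            return ("block", f"unexpected parameter {name!r}")
        for value in values:
            if not schema[name].fullmatch(value):
                return ("block", f"parameter {name!r} does not fit its schema")
    return ("allow", None)


def inspect(segments):
    """Run the packet-level, negative and positive checks on one request."""
    req = parse_request(reassemble(segments))
    return {
        "packet_level": packet_level_match(segments),
        "negative": negative_model(req),
        "positive": positive_model(req),
    }


if __name__ == "__main__":
    for label, segs in (("split", SPLIT_ATTACK),
                        ("obfuscated", OBFUSCATED_ATTACK),
                        ("legit", LEGIT_REQUEST)):
        print(label, inspect(segs))
```

The per-packet matcher misses the first request because the signature straddles the segment boundary; after reassembly the deny-list catches it, which is the point of inspecting the session rather than packets. The second request slips past the deny-list entirely, yet the positive model rejects it because a numeric id has only one valid shape. That asymmetry is the trade-off between the two models: a negative rule set needs constant updating against new evasions, while a positive model needs an accurate map of the application and breaks when the application changes.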


Business Drivers

• Increased adoption of Web-based applications
• Sophistication of threats
• Regulatory compliance
• Data breaches
• Falling product prices

Business Restraints

• Limited awareness about WAF
• High proportion of static websites
• Low priority in IT budget
• Lack of executive mandate on security
• Substitute products


WAF: How Big Is It?

Key Highlights:

• CAGR of 47.6% in the APAC WAF market during the forecast period 2009-2012.
• Internet is booming in APAC, especially in the China and India markets.
• There is a growing trend among corporations in the use of Web 2.0, which compounds the need for web application security.

Note: All figures are rounded. The base year is 2009. Revenue in US$ million. Source: Frost & Sullivan

WAF: APAC Markets Opportunity

2009 APAC revenue: $38.8 million, by sub-region:

• Japan: 33%
• South Korea: 21%
• Greater China: 19%
• ANZ: 14%
• ASEAN: 10%
• India: 3%

Note: All figures are rounded. The base year is 2009. Revenue in US$ million. Source: Frost & Sullivan

Demand Analysis – By Verticals

• BFSI faces strict regulatory compliance for its security measures, mainly because data loss incidents have happened in the past, and safeguarding reputation and restoring public confidence is a priority.
• The nature of e-commerce implies a high level of usage and adoption of web and online applications, and with it the risk of damage to brand name and competitiveness.
• Increase in e-government initiatives and services, which creates demand for web application security.
• In particular, the concern of many governments to prevent cyber-terrorism has become more pertinent.
• Penetration of Web 2.0 into enterprises creates the need to manage, control and secure traffic flow.

2009 APAC revenue: $38.8 million, by vertical:

• BFSI: 18.7%
• E-Commerce: 18.3%
• Gov't: 18.2%
• Others: 12.9%
• SP: 12.7%
• Edu: 9.6%
• MFG: 9.6%

Note: All figures are rounded. The base year is 2009. Revenue in US$ million. Source: Frost & Sullivan


APAC Vendor Landscape

• Stand-alone Vendors
• Converged Product Vendors

Competitive Landscape – Points of Differentiation

Strategic Recommendations to WAF Vendors

• Localization
• Channel Strength & Support
• Customer Engagement
• Awareness & Education
• Compatibility

Next steps

• Request a proposal for a Growth Partnership Service to support you and your team in accelerating the growth of your company.
• Join us at Growth, Innovation and Leadership 2010: A Frost & Sullivan Global Congress on Corporate Growth (www.frost.com/gilglobal)
• Register for Frost & Sullivan’s Growth Opportunity Newsletter and keep abreast of innovative growth opportunities (www.frost.com/news)

Your Feedback is Important to Us

What would you like to see from Frost & Sullivan?

• Growth Forecasts?
• Competitive Structure?
• Emerging Trends?
• Strategic Recommendations?
• Others?

Please inform us by taking our survey.

For Additional Information

Sarah Lourdes, Corporate Communications (ICT)
+603.6207.1030
[email protected]

Cathy Huang, Industry Analyst (ICT)
+65.6890.0249
[email protected]

Arun Chandrasekaran, Industry Manager (ICT)
+65.6890.0992
[email protected]

Cedric Chong, Account Manager (ICT)
+65.6890.0227
[email protected]