Digital World Consulting Modern WAF Market Guide released

Mondo Technology Updated on 2024-01-29

1 Introduction

With the accelerated development of China's digitalization process, the number of web sites and various applications has shown explosive growth. At the same time, the number of attacks using web vulnerabilities is also increasing day by day, and hacker attacks are constantly escalating, including various anthropomorphic automation attacks, API attacks, and zero-day attacks, which bring huge challenges to the security protection of web applications.

Traditional Web Application Firewalls (WAFs) mainly use rule matching and blacklist-based attack detection to prevent known attacks. Although they have certain security protection capabilities, they are unable to deal with complex, automated, and intelligent attack methods. At the same time, we also found that the security needs of users in many industries are shifting from regulatory compliance toward the actual effect of attack and defense, and that users also require WAFs to have intelligent, accurate, and flexible practical capabilities.

The introduction of new technologies such as big data and artificial intelligence has transformed web application protection from traditional single defenses such as signature databases and blacklists into a multi-service, intelligent, comprehensive defense system that combines security baseline self-learning, intelligent malicious script identification, real-time defense against automated bot attacks, etc., which is defined as "modern WAF".

In order to objectively and truly reflect the market and industry application of modern WAF, Digital World Consulting wrote the "Modern WAF Market Guide" through data collection, questionnaire research, enterprise interviews, market data analysis and other methods. The report also sorts out and describes the concept, market size, and industry demand of modern WAF for the reference of industry insiders.

2 Key findings

To identify and prevent bot attacks and various malicious script attacks, modern WAFs have two countermeasures: one is based on precise rule bases, and the other is not rule-based and instead applies new technologies such as dynamic verification, semantic analysis, and behavior analysis.

Modern WAFs protect a wider range of objects, not only to provide security protection for web sites, but also to identify and protect applications such as APIs, apps, and applets, whether these applications are running in the cloud or on-premises.

Statistics for 2022 show that cloud WAF (accounted for 44.8%) has already surpassed the market share of hardware WAFs (42%), and this share will continue to expand in the future.

According to the survey statistics, the scale of China's web security protection (WAF) market reached 3.5 billion yuan in 2022, is estimated to reach 4.2 billion yuan in 2023, and is expected to reach 7 billion yuan by 2026. Modern WAF products currently account for about 30% of the overall WAF market, and it is expected that in the next three to five years, modern WAF products will gradually become mainstream and occupy the majority of the market share of WAF products.

At present, the main demand for WAF products is still regulatory compliance, and the top four industries in demand are: finance (164%), ministries (161%), operators (158%) and national defense public security (115%). Modern WAF products in China are generally optimized for regulatory scenarios, such as providing more optimized security operation functions in log auditing and application monitoring.

In key application scenarios such as HW, heavy protection, and attack and defense drills, modern WAFs can effectively defend against web attacks, improve defense capabilities, and obtain attacker information in a timely and accurate manner, providing defenders with more tactical options. For example, a "programmable defense platform" that combines the concept of offensive and defensive integration with modern WAF realizes agile defense and improves the actual combat capability of modern WAF by converting offensive and defensive experience into defense templates in real time and quickly delivering them.

3 Conceptual description

Based on research into domestic market demand and applications, modern WAF is defined as follows:

Modern WAF is a web application security solution that integrates multiple security detection engines and has intelligent, automated, and integrated protection capabilities, which can not only monitor, filter, and block traditional web application attacks such as SQL injection, cross-site scripting attacks, application vulnerability attacks, and denial-of-service attacks, but also deal with new threats such as bot attacks, application-layer DDoS, and advanced persistent threats (APT), and support security protection for multiple business applications such as APIs and mini programs.

In addition to the threat protection capabilities of traditional WAFs, modern WAFs also have the following key capabilities:

Threat identification and protection based on non-rule databases

For example, intelligent analysis technologies such as dynamic verification, semantic analysis, and behavior analysis are used to identify and prevent bot attacks and various malicious script attacks.

Multi-scenario application security protection

It not only provides protection capabilities for websites, but also supports security protection for various business scenarios such as APIs, apps, and applets based on web applications.

Supports cloud-based deployment and elastic protection performance

Deployed in the cloud environment through virtualization or cloud native, the protection performance changes elastically based on different requirements.

The protection function is modular to meet the needs of customization

Modular delivery of functions, users with different application scenarios or needs can flexibly choose without secondary development.

Modern WAF Optional Capabilities:

Web access optimization

Web tamper-proof

Form encryption and information obfuscation

Sensitive data leakage prevention

National cryptography algorithm support

Cooperation with other security tools, such as scanning, anti-DDoS, firewalls, etc.

We have also noticed that the concept of WAAP (Web Application and API Protection) has attracted a lot of attention in the field of web security in the past two years. WAAP emphasizes that API protection is as important as web application protection. However, API security protection faces many challenges, such as a large number of APIs, variable interface types, sensitive and complex transmission data, and process barriers such as cross-system collaboration. In fact, modern WAFs and WAAPs have limited API protection capabilities, and API security protection requires more specialized products.

Note: All references to "modern WAF" in this report refer to WAF solutions as defined in this concept, while only "WAF" refers to traditional WAF products or solutions.

4 Market Guide

4.1 Capability Enterprise

The WAF vendors selected for this report are (in alphabetical order of company abbreviation): Anheng Information, Anshu Cloud, Telecom Security, Guanan Information, Inspur Cloud, NSFOCUS Technology, Ruishu Information, Saining Network Security, Shanshi Network Technology, Shengbang Security, Tianrongxin, Tencent Security, Wangsu Security, Yundun Wisdom, and Yunke Anxin, a total of 15 companies. They are plotted in the following capability dot matrix chart, with market execution on the horizontal axis and application innovation on the vertical axis:

Dot plot of the capability of domestic modern WAF manufacturers.

(Note: Some vendors did not participate in the ranking due to their own reasons.)

In order to more objectively reflect the characteristics of each capable enterprise in the new track, and to help end users choose security companies that are more suitable for their own needs as potential partners, Digital World Consulting further breaks down the "market execution" of the horizontal axis of the dot plot into four dimensions: market revenue, brand influence, industry breadth, and industry depth. It likewise breaks down "application innovation" into four dimensions: product engineering, business scenarios, theory and basic research, and technology integration. These eight dimensions are shown as radar charts below (in alphabetical order of company abbreviation):

Radar chart of the capabilities of domestic modern WAF manufacturers.

(Note: Some vendors did not participate in the ranking due to their own reasons.)

4.2 Market Overview

According to the statistics of this survey, the market size of web security protection (WAF) in 2022 was 3.5 billion yuan (note: the data of the above-mentioned enterprises that did not participate in the market ranking are also counted). According to the participating security vendors' estimates of their WAF revenue this year, the WAF market size will be about 4.2 billion yuan in 2023, and it is expected to reach 7 billion yuan by 2026, with a compound annual growth rate of about 20% for the overall WAF market.

It should be mentioned that most of the sales data is still the sales share of traditional WAF products, of which the sales of modern WAF products are estimated to account for nearly 30%, and we also found that almost all manufacturers are changing to modern WAF solutions or WAAP solutions in terms of solutions and product promotion, and it is expected that in the next three to five years, modern WAF products will gradually become the mainstream and occupy the majority of the market share of WAF products.

WAF market size.

Before 2021, the WAF market was still the home of hardware WAF, but the data shows that since 2022, the sales of cloud WAF have surpassed that of hardware WAF (as shown in the figure), and with the rapid development of cloud computing and the continuous release of cloud business security needs, the market share of cloud WAF will continue to grow in the next few years.

WAF product form.

Diversified product forms such as software WAF, hardware WAF, and cloud WAF provide more choices for different customers, and the overall market for WAF products will grow rapidly. However, Digital World Consulting's research found that the growth rates of the three forms of WAF products differ, and the expected development trend of the three types of WAF products through 2026 is as follows:

5-year trend of different forms of WAF products.

4.3 Needs analysis

Ranked by the industry of institutional users, the top four industries are: finance (164%), ministries (161%), operators (158%) and national defense public security (115%). The complete breakdown of industry demand is shown in the figure below.

Proportion of industry demand.

With the increase of security risks in the industry and the upgrading of customer needs, the survey found that more customers' demand for WAF products is no longer limited to regulatory compliance, but is more oriented towards actual combat and continuous operation. The main demand factors driving the development of modern WAF in the domestic market are:

Requirement 1: New regulations and policies strongly drive the implementation of WAF applications

After the promulgation of the new Cybersecurity Law and the Data Security Law, security compliance has become one of the priority factors for enterprises. Combined with the regulatory requirements of the industry, government and enterprise users have clear regulatory compliance requirements for WAF products, and we found that domestic WAF products are generally optimized in terms of functions for regulatory requirements, and provide more optimized security operation functions in log audit and application monitoring, which are used to assist users in compliance testing and risk assessment.

Requirement 2: The performance and scalability of WAF products are required by the expansion of business scale

WAFs need to be able to handle ultra-large-scale business traffic to ensure sufficient throughput and low latency when a large number of requests arrive. The current software WAF and cloud WAF products that support software-based deployment have more advantages in meeting this requirement, while the hardware WAF that supports clustered deployment can also meet such requirements to a certain extent, but the excessive procurement cost also limits the user's choice.

Requirement 3: WAF is used to improve combat effectiveness in key business scenarios

In key scenarios, such as HW, heavy protection, and attack and defense drills, WAF is required to effectively defend against web attacks, improve defense capabilities, and obtain attacker information to provide more tactical options for defenders. In addition to using accurate threat intelligence to quickly detect and intercept attacks, modern WAFs can also apply machine learning models to achieve fast path tracking of attack behaviors through automatic security analysis, help users quickly locate the source of problems, greatly shorten the time window from vulnerability exploitation to discovery, and meet the needs of actual combat capabilities.

For example, Yunke Anxin proposes the concept of a "programmable defense platform" for the integration of attack and defense, which combines defense functions into "defense templates" according to scenarios, so that users do not need to understand and learn complex security defense principles and functions, but only need to refer to the corresponding defense templates according to the business scenarios to be protected. On the one hand, it greatly lowers the threshold for using modern WAF, and on the other hand, the rapid delivery of defense templates realizes agile defense and improves the actual combat effectiveness of modern WAF. In order to take the "lead" in the confrontation between attack and defense, Yunke Anxin uses hacker portrait technology to build a profile model that reflects the style of hackers by analyzing the attack behavior, means and style characteristics of hackers, which is used to judge and identify specific hackers or organizations, so as to develop attack activities and formulate targeted defense strategies.

Requirement 4: Defend against intelligent and automated attacks

Automated bot attacks and various crawler attacks greatly improve attack efficiency, can easily bypass the protection rules of traditional WAFs, and continuously challenge the defense capabilities of modern WAFs. We have also noticed that some domestic manufacturers have given modern WAF a more intelligent ability to detect attacks and threats based on leading technologies such as dynamic defense and semantic analysis, and have greatly improved modern WAF's self-learning and adaptability through artificial intelligence technologies such as machine learning and behavior analysis. Modern WAF is becoming an AI system that integrates multiple security detection engines, and applying AI technology to enhance the adaptive defense capability of modern WAF is an important trend in dealing with changeable and complex threats.

Requirement 5: Multi-business security protection such as APIs, apps, and mini programs

With the continuous expansion of the use of APIs and mini programs, security threats such as unauthorized access, parameter tampering, and replay attacks are also increasing. For access channels such as APIs and mini programs, modern WAF implements risk scanning and evaluation of interfaces and business logic, and prevents risks such as data leakage and business intrusion by restricting access to interfaces and filtering sensitive data.

Requirement 6: Industry differentiated demand

Different industries have differentiated demands in terms of network security, which promotes the development of WAF products in the direction of functional diversification. For example, the financial industry needs to focus on protecting the security of core business system interfaces, so there is a strong demand for WAF's API protection capabilities. Telecom operators use virtualization technology in large quantities and require WAF to implement security protection for cloud services through lightweight virtualization technology. Important industries such as energy and transportation need to support OT business systems, which requires cluster deployment and unified management. The different needs of various industries are driving WAF vendors to integrate a wide range of modularity capabilities that can be freely selected.

5 Application Cases

5.1 Application case of modern WAF in banks (1).

[Case provided by: Ruishu Information]

a. Background of the case

In order to facilitate customer access and rapid customer development, a large bank provides customers with a variety of access channels, including mobile banking APP access, web access, H5 access, WeChat access, mini program access and API access. With the increase of traffic and the expansion of the web exposure risk and risk control chain brought by the API business, not only the incidents of various attacks using web application vulnerabilities are increasing day by day, but the impact of various anthropomorphic automation attacks, API business attacks, and zero-day attacks on the financial digital business is also increasing rapidly, and the attack methods are becoming more and more diversified.

1. Attacks are becoming more and more large-scale and operational

In order to make financial gains, professional hacker groups use automated attacks (bots) to carry out large-scale attacks on the financial industry. This kind of automated attack simulates legitimate business operations without obvious attack characteristics: automated tools simulate the user's normal login, account opening, transfer, transaction, information query and other business operations, and illegally abuse the OpenAPI interface. At the same time, vulnerability scanning and zero-day sniffing tools are used to detect application system vulnerabilities in batches, showing a trend of high professionalism and strong pertinence in terms of attack methods.

2. Single-point defense is passive and inefficient

At present, financial enterprises mainly use single-point passive defense technology for the security risks faced by various applications, and the overall application security protection capability is poor. Relying only on single-point application protection products and solutions is not only complex and costly to maintain, but also cannot effectively protect against emerging threats, and lacks the ability to correlate and analyze application security data.

b. Solution

Ruishu's next-generation WAF-WAAP security platform uses dynamic defense technology to provide unified protection for the mobile banking APP, web, H5 pages, WeChat, applets and API interfaces, and integrates data from the various access clients on the platform. Access data from each platform is correlated and scored using account information to link multi-platform business information with threat perception, so that malicious automated illegal requests are accurately identified and intercepted. Specifically, the following was achieved:

Unified protection for omnichannel access: Realize unified protection of omni-channel services (mobile banking APP, web, H5 page, WeChat, mini program and API interface).

Unified and integrated analysis of cross-channel data: Realize the integration of various access client data, and associate and reputation-score the access data of each platform through the best IP and account information, realize the linkage of multi-platform business information and threat perception, and achieve the purpose of accurately identifying and intercepting malicious automated illegal requests.

Establish a unified standard for application security: Establish standard security for rapid online deployment, standardize the entire security process, realize heterogeneous integration, meet the seamless connection of security capabilities, and reduce the cost of financial business innovation.

c. Program features:

1. Collaborative protection of web applications

Integrate the adaptation and scalability of traditional architecture and cloud applications in multiple scenarios, migrate from traditional network boundaries to various web applications, app applications, and API cloud services, build a trusted security architecture that focuses on business logic, users, data, and applications, and comprehensively resist new security threats. After the system is deployed, it greatly improves the ability to identify and track fraud, gives visibility into the whole picture of an attack throughout the process, and establishes an all-round, three-dimensional combat capability against cyberspace threats.

2. Security technology changes, turning passive into "active defense".

Dynamic security defense technology provides proactive security protection without relying on rules and patches. With "dynamic protection" technology as the core, the "invisibility" of server behavior is increased. It provides proactive defense for the business layer, efficiently screens known and unknown automated attacks that disguise themselves as and impersonate normal behaviors, and blocks unknown threats.

3. New ideas based on AI technology

Identify anomalous attacks using multiple machine learning threat models and block identified attack requests. Each threat model represents a specific attack category (SQL injection, cross-site scripting, OS command injection, etc.). These threat models are extensively trained and tested using data collected from hundreds of thousands of real-world attack samples from a variety of sources, including sources such as CVE and Exploit DB, threat intelligence, and third-party vulnerability scanners, to uncover highly stealthy attacks, increase detection rates, and reduce false positives. This further filters out the noise of automated attacks, making big data risk control more accurate and efficient, and greatly reducing the risk of online transaction fraud.

4. Strengthen protection against emerging bots threats

The bot protection capability can effectively defend against efficient large-scale attacks initiated by automated tools, such as malicious crawlers, credential stuffing, false registration, transaction tampering, intranet security, API abuse, and zero-day attacks, and ensure security upgrades at the business, application, and data levels. The dynamic verification technology is based on dynamic algorithm technology: the logic and form of the terminal inspection are different each time, so the attacker cannot predict the content of the check, and it is difficult to bypass. Even if an attacker tries to reverse it, the result is only effective that one time and must be reversed again next time, so the cost of attack is extremely high. The dynamic verification technology solves the problem of easy reversal and bypass in the same type of scheme around the world. Through the verification of the real operating environment and the analysis of terminal attack behavior patterns, it can fully grasp the full picture of the attack and accurately depict the portrait of the attacker.

d. Application value

Solve business security problems

All web, APP and API applications are connected to the platform, and access client information is collected through dynamic security technology. Combined with full access records, big data technology is used to uniformly summarize access logs, conduct comprehensive correlation security analysis, discover possible attack behaviors, effectively intercept various automated attack behaviors, and prevent various business attacks initiated by the black market. For example, batch queries and abnormal transaction behaviors initiated by automated tools are effectively blocked, as are abnormal behaviors of overseas IPs using multiple accounts for frequent logins and transactions. In addition, the next-generation WAF-WAAP security platform has the ability to protect against unknown attacks, protect business systems from zero-day vulnerability attacks, and provide enough time for security operation and maintenance to fix vulnerabilities. It also provides relevant front-line departments with automated tool interception, security alarms, data output, and processing suggestions, so as to achieve unified security threat protection and analysis.

Reduce the economic losses of financial enterprises

In order to improve economic efficiency, financial enterprises often organize first-class activities, and a large number of "wool parties" (promotion abusers) use automation tools to take away a large share of the first-class investment of financial enterprises, which has brought huge economic losses to enterprises. In addition, through the next-generation WAF-WAAP security platform, enterprises can clearly understand which businesses real users are more enthusiastic about, which businesses have a large number of users, and which activities can attract more registered users, so as to assist in business promotion. Understanding the user's behavior model through user portraits can achieve precision marketing and increase revenue.

Help the financial industry fight against the black industry chain

The successful experience of the project has explored a new way for the financial industry to fight against the black industry. First, it started from the core part of the black industry chain, "automation tools", so that all automation tools cannot operate, thereby breaking the black industry chain. Secondly, based on the omni-channel protection of Web, APP, and API services, cross-channel data fusion, a business security perspective, and unified management of application security, a joint security defense posture is formed, and security capabilities are greatly improved.

e. Digital World Consulting review

With the acceleration of financial digitalization and the increasing number of customer access channels, the financial industry is facing increasing security threats, and the traditional rulebase-based WAF defense technology is difficult to effectively deal with, and financial enterprises urgently need a new generation of web application security solutions. The modern WAF solution of Ruishu Information integrates dynamic defense, AI and bot protection technologies, which can realize the security protection of omni-channel Web business.

5.2 Application cases of modern WAF in banks (2).

[Case provided by: NSFOCUS Technology]

a. Background of the case

The demand for digital transformation has given rise to higher standards for network security construction in financial institutions, and the banking industry is making every effort to build digital banking, open banking, scenario finance, etc., which forces banks to pay more attention to online operations, which not only requires further expansion of bank openness, but also puts forward higher requirements for security risk control.

Banks have a large number of core web services, and web security construction is indispensable. Financial users pay attention to business security, microservice architecture, cluster deployment, etc., and with the growth of business, the requirements for high availability are getting higher and higher. Modern WAF is a security product that protects against web attacks and protects banking business.

The current situation of a well-known bank is that its business exists in multiple places, there are many websites that need to be protected, and there are both IPv4 and IPv6 environments. The problems that the bank customer needed to solve were: how to unify the protection of 300+ sites, how to scale out the security equipment when adding new services in the future, and how to avoid single points of failure.

b. Solution

In this project, the cluster pool of modern WAF is adopted, combined with the centralized management of the group to solve:

c. Program features:

(1) Modern WAF reverse proxy deployment

With reverse proxy resource pooling deployment, when new services are added on the customer side, there is no need to replace equipment, and the demand can be met by expanding the WAF resource pool. Modern WAF first implements efficient web security management through service stability detection and centralized policy management, and then uses the Auto Last Hop mechanism of F5 load balancing to ensure that the real source IP does not change when the WAF proxies traffic, which is convenient for security risk traceability.

(2) Centralized management of WAF

Through the centralized management platform ESPC, the WAF is centrally managed, the health of devices can be monitored in real time, and equipment problems can be quickly discovered and disposed of, which can greatly improve O&M efficiency.

The capabilities implemented by the centralized management platform include:

Mixed centralized management: For a large number of WAF devices deployed by customers, whether it is local multi-unit deployment, off-site deployment, or combined cloud and local deployment, ESPC is used as a single management node to solve the problem of users having to control multiple devices separately, which consumes time and wastes manpower.

Policies are centrally managed: The centralized management platform solves the pain point of configuring multiple WAFs one by one. After centralized management, the configuration can be uniformly distributed through the platform, avoiding the manual errors of the original one-by-one configuration. In addition to supporting one-click delivery of policy configurations to save O&M costs, modern WAF also supports automatic scripts that enter policy change operations into the centralized management platform in advance, grayscale verification in advance, and one-click application at change time to ensure that changes can be completed quickly and accurately at night. Through centralized management, O&M efficiency is greatly improved, and it takes only 4 hours to configure a policy for 200 WAFs, which previously took 20 hours.

Service stability monitoring: On one platform, you can directly reach the running status of all WAFs and monitor the health of the equipment in real time. The WAF disk status, CPU status, traffic status, log processing rate, service status, data access status, basic services, application container status, and vulnerability confirmation status are monitored on a daily basis. Once an abnormal WAF is found, the system quickly handles the problem and switches traffic.

Automate O&M: Modern WAF can produce rapid release tools based on the unified alarm format specifications required by customers. In addition, through the fully open API interface and the customer situational awareness platform, the automatic operation and maintenance system with full scenarios and flexible operation can be realized, and the script can be written based on typical web security scenarios, and the operation and maintenance integration can be realized through automatic script encapsulation and calling.

d. Application value

More stable, ensuring business reliability.

Cluster devices can be added or removed, and can be cut over and upgraded at any time.

When reporting an emergency, traffic can be quickly cut off to eliminate interference.

An all-in-one solution that takes into account web security, API security, and bot security.

e. Digital World Consulting review

This solution solves the problem of unified web security protection for 300+ bank sites, and how to horizontally expand security capabilities when new business nodes are added in the future, while avoiding single points of failure. The solution is deployed using modern WAF resource pools, which provides stronger service stability and higher reliability, while greatly reducing customers' web security operating costs and avoiding the risk of single point of failure. For the launch of new services and the expansion of old services, the capacity expansion is also achieved without network disconnection.
