Selling WAFs: Your Biggest Questions Answered

Industry experts share their insights and advice on how to expand your portfolio to offer web application firewalls (WAFs).


Businesses and organizations that use protected or sensitive data and use web applications need to protect that information. So, which companies does that include? If you take a close look at your client list and the solutions they use, a web application firewall (WAF), which filters and monitors HTTP traffic between the application and the internet, is a good idea for most of them.

If you are a managed services provider (MSP) or a value-added reseller (VAR) new to selling WAFs, however, you likely have questions about the potential to grow your business by expanding your portfolio to include these solutions.

Weighing in with answers to the following six questions are industry experts:

  • Chris Crellin, Senior Director of Product Management, Barracuda MSP
  • Pankaj Gupta, Senior Director, Product Marketing, Citrix Systems
  • Patrick Sullivan, CTO, Security Strategy, Akamai

1. Have my customers even heard of web application firewalls?

Sullivan says, “Businesses are familiar with WAFs, but not as familiar as they will be in the near future as a confluence of trends will draw more attention to this space.”

He says Gartner estimates WAF adoption for public applications will grow from about 15 percent in 2020 to 30 percent by 2023. “At the same time, the number of web applications and APIs grows rapidly,” he says.

He points out that regulated businesses and organizations, such as financial institutions and retailers that must comply with PCI DSS and healthcare organizations that must comply with HIPAA, have been the most likely to deploy WAFs. “Over time, WAF adoption has expanded well beyond regulated industries,” he says.

Crellin comments, however, “Some of the more tech-savvy businesses may be familiar, but the typical SMB that doesn’t focus on IT often isn’t familiar with WAFs. This can be attributed to a general lack of understanding of the potential vulnerabilities that come with running web applications.”

“MSPs can play an important role in educating SMBs on the value that WAFs can bring to their businesses and help them in making WAF purchasing decisions,” Crellin says.

2. How do I convince my customers they need WAFs?

Crellin says an effective approach is to ask the business how critical web applications are to their operations and what kind of data they use with those applications. “These days, especially over the past year with remote work becoming so prevalent, web applications have become an absolutely critical part of most business’ operations,” Crellin comments.

Then, be prepared to explain how your clients’ web applications can be vulnerable and the consequences of an attack, which can range from downtime to significant data loss.

Sullivan says, “Not only do we consider seeing high-profile vulnerabilities in web applications and their frameworks emerge, but statistically, the web application is a favorite target for attackers.”

The 2020 Verizon Data Breach Investigations Report (DBIR) revealed that web applications were the number one hacking vector, with 43 percent of the breaches in the report involving web applications, double the rate from the previous investigation.

Gupta adds that the evolution of application architectures to microservices and serverless environments increases the attack surface for applications. “It is critical that companies defend against potential threats to keep their business and data safe,” he says.

3. What’s the value to the end user?

Sullivan, Gupta, and Crellin list a range of benefits that you can share with your prospects, including:

  • Protection from known and unknown attacks
  • Insights that enable faster remediation following a security incident
  • Increased uptime
  • Reliable application performance in multi-cloud environments
  • Business continuity
  • Peace of mind that their data and businesses are protected from malicious activity

4. How can you choose a WAF vendor partner that will increase the chances of an MSP or VAR’s success?

Industry experts agree that the performance of the vendor’s solution is vital. For example, vet solutions for how effective they are in protecting against malicious files or bots. “These attacks, in particular, have grown increasingly sophisticated, and it’s important that the WAF vendor uses the latest technology available to keep up with those threats,” says Crellin.

Sullivan adds that the WAF should be agile enough to address moving between corporate data centers and various cloud options. “Furthermore, WAFs should accommodate the need for development teams to make changes without being slowed down by WAF tuning cycles,” he says. “To accomplish this, the WAF should integrate into the DevOps workflow and leverage automation to ease the burden of application security teams by integrating protections from fresh vulnerabilities.”

Finally, Sullivan says, “web application protections are really becoming all about protecting APIs, as APIs become the dominant way web applications are accessed.”

Gupta agrees: “We live in an application and API economy. Companies recognize the need to protect these critical assets that make their business go and are investing in WAFs to help them do it.”

Crellin adds that you should also consider how easy the WAF is for your team to manage. “It should be easy to deploy and manage, particularly if the MSP is going to be leveraging it for many customers,” he says.

5. What is the outlook for the WAF market?

Mordor Intelligence has projected that the WAF market will grow at a rate of 16.93 percent through 2026.

Sullivan says those projections align with his observations. “Web applications continue to gain in importance every year – it’s now possible to be highly productive simply leveraging a Chromebook and a web browser. The pandemic and the resulting work from home orders only served to accelerate this trend by several years. Many companies, even traditional brick-and-mortar businesses, depended on their customer-facing web applications and APIs as their primary means of interacting with customers. That adoption of web applications as a primary interface with customers is likely to persist well after the pandemic subsides,” he says. “Unfortunately, it is likely that the attackers’ focus on these apps will likely persist as well.”

Crellin agrees. “Now more than ever, business is conducted over the web in one way or another. At the same time, the threats against web applications continue to grow both in number and sophistication, especially with the proliferation of bots which now account for more than half of all Internet traffic. The convergence of those two factors means the need for WAFs will only become more important going forward,” he says. “The opportunity is there for VARs and MSPs to provide and manage those tools as a critical part of end customers’ cybersecurity infrastructure.”

Gupta comments, “The CAGR for the WAF market is in double digits and presents a huge opportunity for MSPs and VARs to grow their revenue.”

6. What are the most important things for MSPs or VARs selling WAF in 2021 to remember?

Gupta boils the answer down to three important points:

  1. Be sure to go in with a clear understanding of the customers’ existing application environment, security posture and gaps that may exist and how a WAF and API security solution might fit in.
  2. Don’t focus on selling just a WAF solution. Instead, offer a holistic application and API security solution.
  3. Recognize that operational and policy consistency is a big concern for security teams these days and clearly demonstrate how WAF solutions can deliver consistent protection across three-tier web and new microservices-based applications in a unified way.

This means playing up features such as a single pane of glass to easily manage things across whole hybrid multi-cloud deployments and security analytics that provide the visibility needed to quickly troubleshoot problems and detect and mitigate compliance issues. It also means selling consultative deployment services to ensure adoption and success.

Crellin adds, “WAFs are a critical component in protecting end customers. While much attention is spent on email security and firewalls, web applications can present an attractive and exposed attack surface for hackers to exploit. VARs and MSPs need to make it clear to their customers the damage that can be done and how easy it can be done without a WAF in place to protect them.”

Sullivan also says to keep the big picture in mind. “There is opportunity to help organizations protect web applications and offer human expert or machine learning assistance in properly discovering unprotected websites and APIs and properly configuring protections,” he points out. “There continues to be a severe shortage of available application security expertise, so there will be ample opportunities for MSPs to help with not only technology but also value-added consulting services.”