Web Application Firewalls, DDoS and Botnet Protection: Lessons Learned from Procurement Projects

Web application firewalls (WAFs), also called web application gateways or web application and API protection products (WAAPs), are ideal for protecting your own Internet-facing offerings (such as self-hosted web servers or e-commerce sites). They are designed to protect against common attack paths such as code injection, cross-site scripting and the other OWASP security risks, or, for example, the exploitation of vulnerabilities and weaknesses in common web server software and libraries (e.g., Apache misconfigurations). In addition, they often include functions to prevent or mitigate (Distributed) Denial of Service (DDoS) attacks or the scraping of sensitive data (e.g., prices) by bots/crawlers.

WAF and/or DDoS solution providers

When reviewing solutions and analyst summary reports, it becomes clear that basic technical features such as filtering by source/destination IP address, user-defined geo-locations and known attack patterns (via connected threat intelligence feeds), or rate limiting, are no longer differentiating factors. It is also clear that not all criteria (such as access to non-customer offerings) are relevant to every enterprise. In addition, a general overview obviously cannot address the price/performance ratio of actual offerings.

Some of the WAF and DDoS providers also offer Content/Application Delivery Network (CDN/ADN) services to reduce transmission times and thus optimize website performance from the user’s point of view. Depending on the customer situation, it can therefore make sense either to combine the security functions with these services or to purchase them separately.

Typical requirements in tenders and bid comparisons

  • Implementation of the solution: As SaaS, on-premises or as a dedicated hardware appliance? With or without a managed service for maintenance and ongoing operation?
  • How extensive is the protection against the attacks listed in the OWASP Top Ten and the OWASP Automated Threats to Web Applications (best to query against the current lists)?
  • What kinds of attacks can APIs be protected against with the solution (again: all of the OWASP API Security Top Ten?), and how are APIs discovered automatically and their definitions generated or imported? Are only REST APIs protected, or also e.g., SOAP and WebSocket?
  • How is encrypted (TLS) traffic terminated and inspected? How is the (temporarily) unencrypted data protected, and is this done in a GDPR (DSGVO)-compliant manner?
  • How quickly are “virtual patches” automatically incorporated into the rule set after critical vulnerabilities become known (e.g., Log4j)?
  • Can credential stuffing / account takeover attacks be detected (e.g., via comparison with known compromised passwords)?
  • How easily can customer-specific rules be defined via the GUI/CLI? Can customized block/error pages be displayed to users, including a CAPTCHA or similar bot challenge when filter results are ambiguous?
  • Is there a logging/debugging mode (detect without blocking) in which the effects of changed rules can be tested first?
  • Does the vendor offer a test period / PoC in which the filtering (“false positives/negatives”) can be evaluated?
  • What are the integration options with existing SIEM systems, AD/LDAP, other IAM solutions or RADIUS?
  • Are additional functions such as Data Leakage Protection (DLP) required, which can be mapped via DNS and data filtering? Do you have to create your own rule sets for this, is it delivered preconfigured, or is it done via baselining (training period)? Some manufacturers offer CIEM (Cloud Infrastructure Entitlement Management) as an additional function, which can generally be used to restrict access to cloud solutions on a per-user basis.
  • How are containers protected – can WAF instances be deployed in container orchestration platforms or via a service mesh?
  • Does the solution include a PKI with which client certificates can be issued? This is particularly interesting for mobile applications and IoT devices.
  • Price/performance: what are realistic costs over a 3-5 year period? License costs often depend on the number of (sub)domains, certificates, web page views and data volume (“clean”, i.e., after “scrubbing”). On top of this come setup and, if applicable, premium support. However, some providers include DDoS protection in their packages at no extra cost.
  • Commitment of the provider to smaller customers as well: A good impression can usually be gained in the initiation phase of the project from the responses to questions and the focus in demo appointments.

Conclusion

As with all security projects, it is worthwhile to outline the requirements as clearly as possible at the beginning in order to separate must-have criteria from unnecessary options or scopes. Many of the features touted as unique in marketing are in fact already state of the art. The high number of good solutions, each with numerous customer references, shows that customers can invite a broad selection of providers to bid and achieve an optimal price/performance ratio through a structured comparison. Purchasing consultancies specializing in cybersecurity can assist with all of these steps.

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.