The original post: /r/cybersecurity by /u/HMKMusic on 2024-11-21 18:39:28.
Hello fellow cybersecurity professionals,
I’m currently working as the new security team lead for a mid-sized company. I’ve been given a rare opportunity—a “blank check,” both in terms of budget and vendor choice, to select the best WAF for our organization. While I have a clear list of objectives and protections I want to achieve with the WAF, I find myself facing an unexpected challenge: with such broad flexibility and basic needs, nearly every product on the market—from established enterprise-level solutions to newer startups—fits within my budget and meets my requirements.
To address this, I’m trying to approach the problem from a different angle. While everything appears great on the surface (especially during sales discussions), I want to anticipate potential challenges and shortcomings. Specifically, I’m curious about the pain points or limitations you’ve encountered with the current WAF products on the market. Additionally, what features do you feel are missing—things you wish your WAF could do but aren’t offered by any vendor?
Here are some concerns I’ve thought about so far:
- Complexity and Customization: How flexible are the rules? Is it easy to customize them, or do they feel rigid and limiting?
- User Interface/Experience: Is the UI intuitive and user-friendly, or does it require a steep learning curve?
- Multi-Environment Management: Can it handle insights across multiple environments and allow sharing with less technical teams?
- Detection Accuracy: While many vendors boast strong HTTP/S protection and AI-driven anomaly detection, I wonder how accurate these solutions are, especially for niche traffic types. Are there issues with detecting or handling specific use cases?
- Industry-Specific Features: Does the WAF adapt to the unique needs of industries like healthcare or fintech, where traffic patterns may differ significantly?
For context, I’m considering a cloud-based WAF that will handle a few million requests per month, including web apps, API calls, and mobile traffic.
That’s where I stand right now. I’d love to hear from all of you:
- What other potential pain points or limitations should I keep in mind when selecting a WAF?
- Do you have any unbiased recommendations for WAF solutions that have worked well for your organization?
Looking forward to hearing your thoughts and insights—thanks in advance for sharing your experiences! 😊