Gartner Blog Network

WAFS: It’s The Buying Center, Silly

by Greg Young  |  August 12, 2010  |  2 Comments

Web Application Firewalls (WAF)
Paraphrasing James Carville’s quote about the economy, WAFs are not ubiquitous because of the fragmented buying centers for them, silly, rather than any confusion over the market name or concerns over false positives.

WAFs are a high-value safeguard for custom applications, but are held back because so many groups are potentially involved in the operation and buying of applications: data center ops, server ops, appdev, application owners, security, network ops… Unlike products such as IPS, which usually have two buying centers, WAF involves a wide spread of roles. There will be some reduction in the number of buying centers, but as long as custom web applications are housed and delivered in this complex manner, don’t expect organizations to change to accommodate the safeguard.

And a moment of zen is me with James Carville.




Greg Young
Research VP
6 years at Gartner
22 years IT security

Greg Young is a research vice president in Gartner and the lead analyst for network security. Mr. Young has experience in IT security in product companies, and in both the private and public sectors. He spent his military career in technology security…

Thoughts on WAFS: It’s The Buying Center, Silly

  1. Jack Daniel says:

    I don’t doubt this at all- but it is pretty depressing if the silos are still so isolated (and individually powerful) that something like WAF technology is not being deployed because of failed (or nonexistent) internal communications.

  2. Greg Young says:

    Hey Jack –
    There are a few security techs that do go against the buying center grain and make adoption awkward. These are mostly ones that try and cross the host-network security divide, especially techs that block rather than gather/correlate/detect/notify.

    Most techs align nicely with orgs, or are non-blocking techs that can more easily cross organizational lines.
