The lifecycle of CDN features is short-lived. A new feature might be a key differentiator that helps win business against the competition, but it only lasts for a while. The CDN feature lifecycle is 2 years max. CDNs must be innovative and introduce features regularly. It’s a rat race to win over customers. Many well-known CDNs have become masters at feature innovation, with robust product roadmaps.
WAF requires a much higher investment of resources than DDoS mitigation. For starters, all CDNs offer some form of DDoS protection from network-level attacks. By its very nature, CDN infrastructure is highly redundant. If a DDoS attack takes down 1 or 2 locations, the CDN has another 20+ locations to serve content from. CDNs are equipped to handle massive traffic surges. Even a 100 Gbps attack is unlikely to cause any serious disruption to a CDN. Plus, the routers used by CDNs, whether Brocade (Foundry) or Juniper, are feature-packed with DDoS protection mechanisms.
WAF, on the other hand, requires CDNs to create rule sets, test extensively, and work through the hiccups of the service. False positives are a big problem in the WAF world. ModSecurity, the open source WAF, comes with rule sets. However, a CDN will have to create its own custom rule sets to work in its environment. Akamai is a leader in CDN Cloud Security. With the acquisition of Prolexic, they now offer DDoS protection, WAF, and much more. CDNs are going to need to ramp up their roadmaps to offer more security features in order to compete against Akamai.