If a WAF is insecure — then it adds to the insecurity of the network more than it subtracts from it. This hurts the “defense in depth” architecture and it weakens the system/infrastructure as a whole. Thus, it is bad.

If there are some benefits to WAF’s some of the time, then we should be specific about when those events are. Let’s identify them. I can’t think of any situations where this universally applies. However, the rest of the industry analysts and popular theory is that WAF’s (or VA+WAF) are magical beans. I am simply trying to dispel that theory, based on my own experiences and observations.

If you have a story where you know WAF works, let’s hear it. Yet, everyday, I hear about websites in the news — websites that utilize WAF technology — and they are vulnerable to various SQLi and XSS attacks. SQLi and XSS are some of the only web application vulnerabilities that WAF is supposed to protect against. If WAF’s can’t even protect against these, how are they ever going to be able to protect against business logic flaws, vulnerabilities in session management, cryptographic storage, or the hundreds of other common flaws in web applications?

What is the value? How are they showing value? Why is it assumed that they are valuable? My strawman presupposition is that they universally hurt more than they help. Am I wrong? In what way?

After this dust is settled, there is still the question of what works better: process improvements with a secure SDLC, or VA+WAF? I’ve thought very hard about this one, and I still see secure SDLC coming out very far ahead — even in the short-term. What would it take to prove this?