It is becoming more and more common for companies to weigh WAFs vs. secure coding options as they try to determine the best way to protect their web applications. After talking to many developers, one thing I've learned is that many coders are not fully aware of the risks that come with relying on secure coding. And, on a related note, many companies are not fully aware of all the costs that come with secure coding.
Let's be honest, most of the pro coders already know about SQL injection and the risks it brings to the table. And most of them already know how to write better code in order to try to avoid that hole. However, when it comes to attacks such as XSS, forceful browsing, and cookie attacks, they are much less certain how to write the code needed to block those threats (which in most cases is not even an option).
And this is what usually happens when new threats appear. With new vulnerabilities and new hacking techniques being developed all the time, you cannot expect a developer to go through seminars and secure coding training all the time. And this is what you have application security vendors for...
In reality, no one writes 100% correct code. So when I hear that a company is concerned about the cost of a third-party WAF solution, I'm always a bit surprised. How much will it cost for a full team of developers working on six months of code repairs? And that's just some of the cost that comes with the secure coding option, because the application will continue to change, new (and untrained) staff will be hired and some of the old staff will leave. So the cost of secure coding never really ends...
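The post contrasts the SQL injection hole that most developers already know how to close in code with the output-side problems (XSS) that they are less sure about. The following is an added example, not code from the original post or from any vendor it mentions; the table, the sample rows and the function names (`lookup_vulnerable`, `lookup_parameterized`, `render_greeting_vulnerable`, `render_greeting_encoded`) are constructed for illustration. It shows the two fixes side by side: a parameterized query keeps attacker-controlled text out of the SQL grammar, and HTML encoding keeps it out of the page's markup.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable form: the input is concatenated into the statement, so a
    # quote in the input changes the query's structure instead of its data.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the driver sends the value separately from the SQL text,
    # so whatever the input contains it can only ever be compared as a string.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(username):
    # Vulnerable form: raw input dropped into HTML, so markup in the input
    # becomes markup in the page (reflected XSS).
    return "<p>Hello, " + username + "</p>"


def render_greeting_encoded(username):
    # Hardened form: encode for the HTML text context before interpolating.
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


def compare(username):
    """Run both lookups and both renderers on one input, for side-by-side review."""
    conn = make_db()
    return {
        "rows_vulnerable": lookup_vulnerable(conn, username),
        "rows_parameterized": lookup_parameterized(conn, username),
        "html_vulnerable": render_greeting_vulnerable(username),
        "html_encoded": render_greeting_encoded(username),
    }


if __name__ == "__main__":
    # Classic tautology payload: the concatenated query returns every row,
    # the parameterized one returns none because no user has that literal name.
    for key, value in compare("' OR '1'='1").items():
        print(key, "->", value)
```

Running the script with the tautology input shows the concatenated query returning both rows while the parameterized query returns none; the encoded renderer turns angle brackets and quotes into entities so the same input is harmless in the page.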
Companies are rightly concerned about the cost of a WAF solution, when it comes to bang for the buck. Just as an example, prudent application of mod_rewrite with some scripting can provide a URL obfuscation feature, which will significantly dampen forceful browsing. Similar library/middleware measures also decrease attacks (URLScan et al.). The barrier for a small business to avoid being the 'low-hanging fruit' is to scale smaller than investing in a WAF, even a cheap offering like SecureSphere SE.
Not to mention the training and support required for a small business to implement a WAF...
No one writes 100% correct code. But some rectify the situation cheaper than others.