Let's start with the Acunetix blog. The basic argument is this: WAFs are being used as a band-aid that substitutes for a more comprehensive approach, one that primarily consists of vulnerability scanning (note that Acunetix is a vulnerability scanner). Two points:
- A truly comprehensive appsec program, though necessary, is neither easy nor always an option. We profiled an attack against a temporary website, for example, whose operators had little time to build a secure site. And the WAF proved to be a very effective defense. Just because someone uses a WAF doesn't mean they're being lazy; there are very tangible, pragmatic factors driving the decision. For this reason, one CISO echoed what I've heard in many places: "A WAF should be the first and last line of defense."
- Not all WAFs are created equal, and we detailed why here. The market for WAFs is very broad and large, so making generalizations about WAFs is tricky.
Noa's column makes a comprehensive case for integrating WAFs effectively into SDLCs.