[aventrix]

Disagree. This just reinforces the point that best security is multi-layered.

[tptacek]

That's an apology every crappy security add-on has always made. We shouldn't be happy about applying layer after layer of faulty controls, let alone applauding that as some kind of defense-in-depth best practice.

[nullwasamistake]

WAF are basically all HTTP proxies. If you app has a non-broken HTTP implementation they're useless.

[sytringy05]

yup, WAFs, IDS and IPS prevent protocol abuse. Everything else is the development teams problem