Hacker News
by ben509 2097 days ago
You have to understand the human element. In any big organization, you have many teams with varying security practices working on systems.

It's simply impossible to consistently recruit developers with good security knowledge, especially if we want, as an industry, to take responsibility for getting new developers up the first few rungs of the ladder.

And you do need a mechanism that can provide defense for legacy applications, or to quickly mitigate 0-days.

As long as we can't guarantee that developers won't screw up, we need tools for cyber-security to mitigate these attacks. WAFs and other layered security devices do fill that need.

However!

Any layered security device must be bypassable. Your WAF is probably configured by the same people who make the automated security tests your pen-testers run.

If your pen-testers aren't bypassing layered security and attacking your application directly, then you're not really doing layered security anymore. Your WAF's security becomes snake oil, and your application's security is untested.
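The last two points, as an added example that is not part of ben509's comment and not any vendor's code: a small Python harness that runs the same SQL-injection payload through a toy signature-style WAF rule and then directly against the application handler behind it. The names (`toy_waf`, `app_lookup_vulnerable`, `app_lookup_hardened`, `pentest`), the WAF regex, the SQLite schema and the payloads are all constructed for this illustration.

```python
"""Differential test of a layered defence: WAF rule vs. the application itself.

Added example; hypothetical names and constructed data throughout.
The point it demonstrates: a pen-test that only goes through the WAF shows
whether the WAF rule fires, not whether the application is secure.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# Toy signature rule (assumption: a stand-in for a blocklist-style WAF ruleset).
# It looks for "OR <digits>=<digits>", SQL comments, statement separators and UNION.
_SQLI_SIGNATURE = re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|--|;|\bunion\b)")


def toy_waf(param: str) -> bool:
    """Return True if the toy WAF would block a request carrying this value."""
    return bool(_SQLI_SIGNATURE.search(param))


def app_lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable handler: user input concatenated into SQL."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def app_lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Hardened handler: the same lookup with a bound parameter."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def request(conn, handler, name: str, via_waf: bool):
    """Simulate one request. Returns ('blocked', None) or ('ok', rows)."""
    if via_waf and toy_waf(name):
        return ("blocked", None)
    return ("ok", handler(conn, name))


def pentest(handler, payload: str) -> dict:
    """Send one payload both through the WAF and straight at the application.

    A test that stops at 'blocked' has only exercised the WAF; the 'direct'
    result is what tells you whether the application itself is vulnerable.
    """
    conn = make_db()
    via_waf_status, _ = request(conn, handler, payload, via_waf=True)
    direct_status, direct_rows = request(conn, handler, payload, via_waf=False)
    return {
        "via_waf": via_waf_status,
        "direct": direct_status,
        # No user is literally named after the payload, so any rows are a leak.
        "direct_leaks": bool(direct_rows),
        "direct_rows": direct_rows,
    }


# Constructed payloads.
CLASSIC = "' OR 1=1--"        # matches the toy signature: WAF blocks it
BYPASS = "' OR 'a'='a"        # no digits, no comment, no ';': slips past the rule


if __name__ == "__main__":
    for label, handler in (("vulnerable", app_lookup_vulnerable),
                           ("hardened", app_lookup_hardened)):
        for payload in (CLASSIC, BYPASS):
            print(label, repr(payload), pentest(handler, payload))
```

With the vulnerable handler, the classic payload is blocked at the WAF but leaks every row when sent directly, which is exactly the case the comment warns about: the WAF report says "blocked", the application is still broken. The bypass payload shows the other half of the argument, since it reaches the vulnerable handler even through the WAF. Only the hardened handler returns no rows on both paths regardless of whether the WAF is in front of it.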