by 1nd1ansumm3r 956 days ago
Nicely written and the author clearly has more experience than myself. I did, however, get hit with a data breach via SQL injection, and everyone I spoke to (not vendors or sales folks) seemed to agree that a WAF would have blocked the attack outright.

Parameterised SQL queries would have blocked it outright also.

Parameterised queries however don’t need an annual fee and a team of security engineers to babysit it.
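To make the contrast in the comments above concrete, here is an added example (not code from the thread or from the article it discusses) showing the same lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. The hostile input is the textbook tautology payload; the apostrophe case shows that concatenation also breaks on perfectly ordinary data, which is usually how the bug gets noticed.

```python
import sqlite3

# Constructed sample table; names and roles are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # VULNERABLE: the value is spliced into the SQL text, so it can change
    # the query's structure. Returns None if the resulting SQL fails to parse.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_param(conn, name):
    # SAFE: the SQL text is fixed; the value is sent separately as a bound
    # parameter and can only ever be compared, never interpreted as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both variants over benign, hostile and apostrophe-bearing input."""
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"      # classic tautology: turns the WHERE clause into always-true
    apostrophe = "o'brien"        # legitimate value that also contains a quote
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),        # leaks every row
        "concat_apostrophe": lookup_concat(conn, apostrophe),  # None: SQL syntax error
        "param_benign": lookup_param(conn, benign),
        "param_hostile": lookup_param(conn, hostile),          # [] : no user has that literal name
        "param_apostrophe": lookup_param(conn, apostrophe),    # ["o'brien"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The point a reviewer would take from this: the parameterised version needs no escaping logic and no input filter because the database driver never sees the value as SQL at all, which is why it also copes with the apostrophe that makes the concatenated version fall over.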

Sometimes one has to host an application and has no control over the details of how that application is developed or configured related to parameterized SQL queries.
WAFs don't require a team of security engineers to babysit.

Cloudflare, AWS, GCP, etc. offerings are basically just one click and for smaller sites will be free.

And over the years there have been many security flaws in how SQL libraries actually handle parameterisation.

That "one click" instantly broke every single application I've seen it applied to.

Eliminating false positives is a significant effort.
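An added illustration of why the false-positive work is real (this is example code written for this page, not any vendor's rule set): a tiny signature-style filter of the kind generic WAF rules resemble, run over a handful of constructed form submissions. The signatures are hypothetical and deliberately simple; the labelled sample lets you measure which legitimate inputs the rule would have blocked.

```python
import re

# Hypothetical signature list standing in for a generic "SQLi" rule group.
# Each pattern is an assumption made for this example, not a real product rule.
SQLI_SIGNATURES = [
    re.compile(r"'\s*(or|and)\b", re.IGNORECASE),            # quote followed by OR/AND
    re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),     # UNION ... SELECT
    re.compile(r"--|;\s*drop\b", re.IGNORECASE),             # SQL comment or stacked DROP
]

# Constructed sample requests with a ground-truth label (True = actually hostile).
SAMPLE_REQUESTS = {
    "hostile":    ("x' or '1'='1", True),
    "surname":    ("O'Brien", False),
    "forum_post": ("We should pick a union rep -- meeting is Thursday", False),
    "search":     ("the Joneses' or the Smiths' house", False),
}


def waf_verdict(value):
    """Return the index of the first matching signature, or None if the value passes."""
    for index, signature in enumerate(SQLI_SIGNATURES):
        if signature.search(value):
            return index
    return None


def classify_all():
    """Map each sample request name to the signature that fired (or None)."""
    return {name: waf_verdict(value) for name, (value, _) in SAMPLE_REQUESTS.items()}


def false_positives():
    """Names of legitimate requests the filter would have blocked."""
    return [
        name
        for name, (value, hostile) in SAMPLE_REQUESTS.items()
        if not hostile and waf_verdict(value) is not None
    ]


def missed_attacks():
    """Names of hostile requests the filter let through."""
    return [
        name
        for name, (value, hostile) in SAMPLE_REQUESTS.items()
        if hostile and waf_verdict(value) is None
    ]


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:11} -> {'blocked by rule ' + str(verdict) if verdict is not None else 'allowed'}")
    print("false positives:", false_positives())
    print("missed attacks: ", missed_attacks())
```

Here the hostile payload is caught, but so are an ordinary forum post containing a double dash and a search for a possessive plural, while the apostrophe in a surname happens to pass. Tuning means deciding, per field and per application, which of those rules to relax, which is the effort the comment above is describing.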

Yep. If your developers actually use them consistently all the time. There's always someone who can't resist a bit of string concatenation...
This is what code reviews are for.
Yes, those are needed too. And static analysis and dynamic analysis, etc.

Despite all of that we just found a SQL injection that existed for years somehow. Luckily the WAF blocked attempts to exploit it until we could issue a fix.

Defence in depth is the win here.