by tptacek 4380 days ago
I don't think WAFs are worth the maintenance headache. I help manage a pentesting firm. Once in a blue moon, we'll get a target with a WAF installed that can't be disabled for the test, and it's never more than a speed-bump. Generally: I wouldn't bother.

If you're going to do something WAF-y, my recommendation would be modsecurity.


Since ours is a business SaaS application that will be utilized by other companies, I believe there may also be commercial benefits of having a WAF. Eventually, we may need to do a formal security audit and penetration testing but it seems to me it would help to tell customers that we are using a WAF as part of our infrastructure. Is that possible?
Not that a WAF is some sort of magic bullet, and it does require significant investment to properly configure and run, but wow am I ever tired of hearing this. Yeah, the pentest guys (multiple firms) we retain always whip their cock out and tell us how easy it is for them to beat the WAF, that it only stops script kiddies, how we should spend more money on what they're selling, etc. Then I compare our internal risk assessment with their pen-test results and find they don't find nearly all of the issues we know exist, and can only exploit a fraction. We usually get a claim of total victory supported by some line about "if we had more time, we'd certainly be able to exploit this issue" or "determining the complete exploit for this issue is outside the scope of this engagement". Sure thing, sport. The only time they really rendered the WAF ineffective was when we gave them so much non-public information that if an attacker had it, we'd have much, much bigger problems.