by kjs3
4374 days ago
Not that a WAF is some sort of magic bullet, and it does require significant investment to properly configure and run, but wow am I ever tired of hearing this. Yeah, the pentest guys (multiple firms) we retain always whip their cock out and tell us how easy it is for them to beat the WAF, that it only stops script kiddies, how we should spend more money on what they're selling, etc. Then I compare our internal risk assessment with their pen-test results and find they don't find nearly all of the issues we know exist, and can only exploit a fraction. We usually get a claim of total victory supported by some line about "if we had more time, we'd certainly be able to exploit this issue" or "determining the complete exploit for this issue is outside the scope of this engagement". Sure thing, sport. The only time they really rendered the WAF ineffective was when we gave them so much non-public information that if an attacker had it, we'd have much, much bigger problems.