Jeremiah argues two points in favor on WAFs:
- The reality is software has bugs and hence will have vulnerabilities.
- Modern development frameworks like ASP.NET, J2EE and others have demonstrated big gains in software quality, but what about the vast majority of the world’s 100+ million websites already riddled with vulnerabilities? Is anyone actually claiming we should go back and fix all that code?
The whole point of a WAF is that someone has to deploy one in front of their application, configure it appropriately, etc. The majority of WAFs aren't deployed at service providers that service end-user websites written in PHP. Even inexpensive solutions like mod_security require lots of configuration, installation, etc. So, using them to fix the vast majority of websites isn't going to help us much.
On point #1 I hear this argued a lot. I guess I'm yet to be convinced. We know a lot more about writing safer software now than we used to. We have much better frameworks than we used to. We know ways to write relatively secure software, we just choose not to.
We didn't use to know how to build reasonably safe cars. We didn't always know how to build safe bridges, steam engines, etc. We do now, for some definition of safety.
What we're lacking is the motivation either from a liability or responsibility perspective. Until we have those structures in place and people forcing us to improve our software quality and security, we won't.
Its just that simple. Putting more semi-effective crutches in place isn't actually going to make us safer.