
Ask HN: Are Web Application Firewalls Necessary? - ripberge
I am operating a cloud-based SaaS and finding it very difficult to find a good solution that works well with many custom domain names, SSL, etc. I already have SQL injection protection. Do these solutions offer enough security to offset the hassle, potential performance degradation and the additional point of failure they introduce?
======
dangerface
In my opinion, a WAF is security through obscurity; it's worse than useless, as it
adds extra latency and complexity to your app, along with giving you a false
sense of security.

Most of them are just a ruleset of common, basic SQL injections that they hope
to detect and block. If it even actually works, the attacker just changes a few
characters and easily gets past the block.

You are better off fuzzing: use the ruleset to test your code in development,
detect the SQL injections and fix them. Now your code is secure: there is no
extra setup, there is no extra latency, there is no extra complexity, there is
no way around this security; it's secure security.

------
moviuro
Fix your SQLi problems. In-depth defense, etc.

You might protect your web-facing service, but what about someone already
inside your network (RAT)?

WAFs are an additional measure that you probably can't deploy between each
pair of machines that communicate with each other. Have someone perform a pentest,
see how bad it is. Also, they're expensive, more so than a check for weird
chars in a comment field.
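
Added example (not code from either commenter): the "attacker changes a few
characters" bypass and the "fix the code instead" argument, side by side. The
WAF rules, the users table, and the payload corpus are all constructed for this
demo. A toy signature ruleset catches the textbook ' OR '1'='1 and comment
markers but not a tautology built from other characters; the concatenated query
leaks on every payload, and the parameterised query leaks on none, with the same
payload list doubling as the in-development fuzz corpus.

```python
import re
import sqlite3

# Constructed toy "WAF": a handful of signature rules of the kind a
# generic ruleset ships with (tautology, comment markers, UNION SELECT).
WAF_RULES = [
    re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"--|#|/\*"),                                  # SQL comment markers
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),         # UNION SELECT
]

# Constructed attack inputs, used both against the WAF and as the fuzz corpus.
PAYLOADS = [
    "' OR '1'='1",                          # textbook tautology, in every ruleset
    "' OR 'a'='a",                          # same effect, different characters
    "alice' --",                            # comment out the closing quote
    "x' UNION SELECT secret FROM users --",
]


def waf_blocks(value: str) -> bool:
    """True if the toy WAF would drop a request carrying this value."""
    return any(rule.search(value) for rule in WAF_RULES)


def unblocked_payloads() -> list:
    """Payloads that pass straight through the signature rules."""
    return [p for p in PAYLOADS if not waf_blocks(p)]


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The bug: user input is pasted into the SQL text."""
    sql = f"SELECT secret FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter; the input can never become SQL syntax."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def fuzz(conn: sqlite3.Connection, lookup) -> list:
    """Run the payload corpus against a lookup function.

    None of the payloads is a real user name, so any non-empty result
    means the input changed the query; that payload is reported as a leak.
    """
    return [p for p in PAYLOADS if lookup(conn, p)]


if __name__ == "__main__":
    conn = make_db()
    print("WAF misses:", unblocked_payloads())
    print("leaks, concatenated query:", fuzz(conn, lookup_vulnerable))
    print("leaks, parameterised query:", fuzz(conn, lookup_fixed))
```

Run stand-alone, it reports one payload the WAF misses (' OR 'a'='a), four
leaks from the concatenated query and none from the parameterised one. The
fuzz function is the point of the "use the ruleset in development" argument:
wire it into the test suite and the injection is caught before a WAF ever sees
traffic.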

------
ecesena
CSP is a good investment. My colleague gave a talk at BSidesSF with (I think)
good recommendations on how to enforce better CSP in practice:
[https://youtu.be/MNT0O94FYTg](https://youtu.be/MNT0O94FYTg)
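
Added example, not taken from the talk or from the commenter: what a strict,
nonce-based Content-Security-Policy looks like next to a common weak one, plus
a small checker that flags the settings that make a policy ineffective against
injected script. The directive set in build_csp is my suggestion, not a
recommendation from the linked talk, and the weak policy string is constructed.

```python
import base64
import secrets

# Source expressions that let script load from effectively anywhere.
BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def make_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded as CSP expects.

    Generate a fresh one per response and put it on every <script nonce="...">.
    """
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_csp(nonce: str) -> str:
    """A strict, nonce-based policy (this directive set is the author's suggestion)."""
    directives = {
        "default-src": ["'self'"],
        "script-src": [f"'nonce-{nonce}'", "'strict-dynamic'"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "frame-ancestors": ["'none'"],
    }
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def weak_settings(policy: str) -> list:
    """Findings for settings that make a CSP ineffective against injected script."""
    p = parse_csp(policy)
    findings = []
    script = p.get("script-src", p.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is
    # present, so it is only a real weakness on its own.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' without a nonce or hash lets injected inline script run")
    broad = sorted(BROAD_SOURCES & set(script))
    if broad:
        findings.append(f"script-src: {broad} lets script load from any origin")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' turns string-to-code sinks back on")
    if "object-src" not in p and "'none'" not in p.get("default-src", []):
        findings.append("object-src: not restricted, plugin content falls back to default-src")
    if "base-uri" not in p:
        findings.append("base-uri: not set, an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    # Constructed example of the kind of policy that looks like CSP but blocks little.
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
    for finding in weak_settings(weak):
        print("weak:", finding)
    strict = build_csp(make_nonce())
    print("strict:", strict)
    print("findings:", weak_settings(strict))
```

The checker is deliberately narrow: it looks at the handful of settings that
decide whether an attacker's injected <script> executes, which is the part of
CSP that matters for an XSS-prone application, and says nothing about images,
fonts or reporting.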

------
0x01030307
If your application is coded securely, it should be able to withstand most of
what a WAF can do. The problem is that companies, by and large, have a false
sense of reality: thinking their application is secure, when really it's just
waiting to be hacked.

