1. If your WAF can be fooled by adding a X-Forwarded-For header, trouble ahead.
2. If your security strategy is about mitigating attacks where the payload matches some regular expressions, trouble ahead. Machine learning? Double trouble ahead.
3. If you don't write only completely static queries[1] to then use as prepared statements or use a proper ORM[2] when using a SQL database, trouble ahead.
If your security strategy relies on one or two security controls, you're doomed most of the time.
We've added SQL filtering as a defense-in-depth measure, having a convenient seat in the architecture, complementing every other mitigation measure proper application developers and DBAs should be doing (and frequently get wrong).
The company I work at has many PCI compliant systems. I asked a security officer why they were still doing certain things the old way. He explained they very well know it’s the old way but in order to be compliant they must do it.
Where I work Compliance and Security are completely different departments. This is great because the Security department does whatever they think is best for security, regardless of compliance requirements.
The Compliance department has one job: passing audits. They never tell Security what to do; they document "compensating controls" and if that's not good enough for an Auditor the Compliance department will run whatever worthless compliance control themselves.
I'm not saying security compliance itself is a joke. It forces small businesses to at least try to get their shit together. But for big tech companies with real security programs, security compliance is a worthless tax.
It's not about old vs new, it's about strong vs weak. WAF was too weak to be your primary line of defense against SQL injection when it was first popularized and it's still too weak now.
That's why we now have RASP. It's better than SQL proxy and WAF, because you have both the SQL query and the HTTP parameters and you can correlate them to be super accurate
1. If your WAF can be fooled by adding a X-Forwarded-For header, trouble ahead.
2. If your security strategy is about mitigating attacks where the payload matches some regular expressions, trouble ahead. Machine learning? Double trouble ahead.
3. If you don't write only completely static queries[1] to then use as prepared statements or use a proper ORM[2] when using a SQL database, trouble ahead.
[1] https://www.akadia.com/services/dyn_modify_where_clause.html
[2] Like linq, jOOQ...