<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: GoGrid and art of defence Partner to Provide First Distributed Web Application Firewall (dWAF) in the Cloud</title>
	<atom:link href="http://blog.gogrid.com/2010/03/02/gogrid-and-art-of-defence-partner-to-provide-first-distributed-web-application-firewall-dwaf-in-the-cloud/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.gogrid.com/2010/03/02/gogrid-and-art-of-defence-partner-to-provide-first-distributed-web-application-firewall-dwaf-in-the-cloud/</link>
	<description>&#34;Complex Infrastructure Made Easy™&#34;</description>
	<lastBuildDate>Wed, 22 May 2013 15:20:59 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Alexander Meisel</title>
		<link>http://blog.gogrid.com/2010/03/02/gogrid-and-art-of-defence-partner-to-provide-first-distributed-web-application-firewall-dwaf-in-the-cloud/#comment-2981</link>
		<dc:creator>Alexander Meisel</dc:creator>
		<pubDate>Thu, 11 Mar 2010 00:18:33 +0000</pubDate>
		<guid isPermaLink="false">http://blog.gogrid.com/?p=1787#comment-2981</guid>
		<description><![CDATA[Re: @atdre&#8217;s comment, he&#8217;s absolutely right that blacklisting-only is a terrible way to use a WAF. He missed the point of hyperguard, however, and perhaps didn&#8217;t have a chance to look at the product in its entirety.  
 
To clarify our product, hyperguard can black, white and gray-list data, including HTML and SOAP, XML or JSON which are used by products like Silverlight, Flash and AJAX-based frameworks. It also has proactive security features to protect the architectural layer of applications, like broken authentication, session management or data leakage through URLs and other parameters. These are really important problems that typically take a long time to patch and fix at the developer level.  
 
I also agree with @atdre&#8217;s comments about secure development from scratch, however, he should be well aware of the fact that currently 80% of all attacks target web applications because they haven&#8217;t been developed this way. Further, the IBM X-FORCE report in 2009 highlighted that a shocking 75% of all web application vulnerabilities took more than a year to fix. 
 
@atdre is speaking about a perfect world &#8211; we are not in a perfect world. Defense in depth and &#039;security as a process&#039; will take root in companies over time (I hope!), which should include a variety of tools and best practices such as source code reviews (tool-based and by hand), peer reviews, a WAF and external/internal audits.  
 
Unfortunately, rarely do companies have a secure development lifecycle, regular code or peer reviews, penetration tests, proper tools or static source code checks in place in order to develop the perfectly secure application. For these web applications, a blacklist approach can be a good start while the company has time to implement a whole cycle of steps towards securing the application.  
 
Further, companies are deploying 3rd party applications quite frequently that compound this issue. I may be able to securely develop my own web applications, but I have little control over the development processes of my vendors. A comprehensive WAF is a good first line of defense.  
 
For companies who don&#8217;t have the expertise that @atdre speaks of, GoGrid and art of defence are able to provide very good web application security, at the application itself, through a cloud model. A perfect world is a worthy goal to reach for and until we get there, companies should look at how a WAF can help.   
 ]]></description>
		<content:encoded><![CDATA[<p>Re: @atdre&rsquo;s comment, he&rsquo;s absolutely right that blacklisting-only is a terrible way to use a WAF. He missed the point of hyperguard, however, and perhaps didn&rsquo;t have a chance to look at the product in its entirety.  </p>
<p>To clarify our product, hyperguard can black, white and gray-list data, including HTML and SOAP, XML or JSON which are used by products like Silverlight, Flash and AJAX-based frameworks. It also has proactive security features to protect the architectural layer of applications, like broken authentication, session management or data leakage through URLs and other parameters. These are really important problems that typically take a long time to patch and fix at the developer level.  </p>
<p>I also agree with @atdre&rsquo;s comments about secure development from scratch, however, he should be well aware of the fact that currently 80% of all attacks target web applications because they haven&rsquo;t been developed this way. Further, the IBM X-FORCE report in 2009 highlighted that a shocking 75% of all web application vulnerabilities took more than a year to fix. </p>
<p>@atdre is speaking about a perfect world &ndash; we are not in a perfect world. Defense in depth and &#39;security as a process&#39; will take root in companies over time (I hope!), which should include a variety of tools and best practices such as source code reviews (tool-based and by hand), peer reviews, a WAF and external/internal audits.  </p>
<p>Unfortunately, rarely do companies have a secure development lifecycle, regular code or peer reviews, penetration tests, proper tools or static source code checks in place in order to develop the perfectly secure application. For these web applications, a blacklist approach can be a good start while the company has time to implement a whole cycle of steps towards securing the application.  </p>
<p>Further, companies are deploying 3rd party applications quite frequently that compound this issue. I may be able to securely develop my own web applications, but I have little control over the development processes of my vendors. A comprehensive WAF is a good first line of defense.  </p>
<p>For companies who don&rsquo;t have the expertise that @atdre speaks of, GoGrid and art of defence are able to provide very good web application security, at the application itself, through a cloud model. A perfect world is a worthy goal to reach for and until we get there, companies should look at how a WAF can help.   </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: @atdre</title>
		<link>http://blog.gogrid.com/2010/03/02/gogrid-and-art-of-defence-partner-to-provide-first-distributed-web-application-firewall-dwaf-in-the-cloud/#comment-2977</link>
		<dc:creator>@atdre</dc:creator>
		<pubDate>Mon, 08 Mar 2010 22:46:55 +0000</pubDate>
		<guid isPermaLink="false">http://blog.gogrid.com/?p=1787#comment-2977</guid>
		<description><![CDATA[I just wanted to let you know that this is not going to work. 
 
There are many organizations that have not adopted this strategy or similar because they have seen it fail. Please reconsider what you are doing. It may lead to unhappy customers, who are sold something that they get zero value from. 
 
Every application security expert I&#039;ve ever talked to has concluded that a blacklist approach to application security works significantly less well than blacklist applied to anti-virus or firewall. 
 
As a replacement to whitelist input validation (or as monitoring), web application firewalls continue to provide less value than building these into the application themselves, via normal coding methods or perhaps even an aspect-oriented point-cut architecture. Logging directly from the application can add a significant amount of context, and it can be centralized along with other security measures. Data validation, while still very important today, is much less important than properly parameterizing data queries with proper variable binding and use of SQL clauses/statements. Data validation is also much less important than proper canonicalization and use of output encoding. However, data validation is still very important, and it works best when used in abstraction layers that control and define the validation relationships directly to the data (something that only an application can do). 
 
Web application firewalls also suffer in many multi-tier architectures, especially in modern applications that contain integration tiers. A WAF can only monitor/protect against a minimal amount of attacks at the client-to-presentation tier. It cannot monitor/protect the formatting tier, the behavior tier, the data tiers, the integration tiers, etc. Does a WAF protect or monitor attacks against Ajax, Flash, or Silverlight? 
 
I urge you to not promote products that only work as a blacklist at the HTTP or TLS layer. Further, if a WAF intercepts TLS, this could be a severe violation against many compliance standards (especially in the way that the WAF handles the sensitive data, including session management keys, cookies, et al). ]]></description>
		<content:encoded><![CDATA[<p>I just wanted to let you know that this is not going to work. </p>
<p>There are many organizations that have not adopted this strategy or similar because they have seen it fail. Please reconsider what you are doing. It may lead to unhappy customers, who are sold something that they get zero value from. </p>
<p>Every application security expert I&#039;ve ever talked to has concluded that a blacklist approach to application security works significantly less well than blacklist applied to anti-virus or firewall. </p>
<p>As a replacement to whitelist input validation (or as monitoring), web application firewalls continue to provide less value than building these into the application themselves, via normal coding methods or perhaps even an aspect-oriented point-cut architecture. Logging directly from the application can add a significant amount of context, and it can be centralized along with other security measures. Data validation, while still very important today, is much less important than properly parameterizing data queries with proper variable binding and use of SQL clauses/statements. Data validation is also much less important than proper canonicalization and use of output encoding. However, data validation is still very important, and it works best when used in abstraction layers that control and define the validation relationships directly to the data (something that only an application can do). </p>
<p>Web application firewalls also suffer in many multi-tier architectures, especially in modern applications that contain integration tiers. A WAF can only monitor/protect against a minimal amount of attacks at the client-to-presentation tier. It cannot monitor/protect the formatting tier, the behavior tier, the data tiers, the integration tiers, etc. Does a WAF protect or monitor attacks against Ajax, Flash, or Silverlight? </p>
<p>I urge you to not promote products that only work as a blacklist at the HTTP or TLS layer. Further, if a WAF intercepts TLS, this could be a severe violation against many compliance standards (especially in the way that the WAF handles the sensitive data, including session management keys, cookies, et al). </p>
]]></content:encoded>
	</item>
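The two comments above disagree about blacklist filtering versus whitelist validation and parameterized queries. The following Python block is an added illustration of that argument; it is not code from the thread, from GoGrid, or from the hyperguard product, and everything in it (the toy blacklist regex, the username allowlist, the in-memory SQLite table and its two sample rows) is constructed for the example. It shows a signature-style blacklist that catches the textbook payload but passes a trivially rewritten one and a URL-encoded one that is never canonicalized, while an application-side allowlist rejects both and a parameterized query returns nothing dangerous even when the value does get through.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed blacklist in the spirit of a signature-only filter (assumption: this is
# what "blacklist at the HTTP layer" looks like; it is not any real product's ruleset).
BLACKLIST = re.compile(r"(union\s+select|or\s+1\s*=\s*1|drop\s+table|--)", re.IGNORECASE)

# Application-side allowlist: what a username is permitted to look like (assumption).
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def blacklist_allows(value: str) -> bool:
    """True when no blacklisted signature matches, i.e. the filter would let it through."""
    return BLACKLIST.search(value) is None


def blacklist_raw_vs_decoded(value: str):
    """A filter that inspects the raw wire form without canonicalizing misses encoded
    payloads; the same check after URL-decoding catches them."""
    return (blacklist_allows(value), blacklist_allows(unquote(value)))


def whitelist_allows(value: str) -> bool:
    """Positive validation: accept only the expected shape, reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str):
    """Vulnerable: the value is spliced into the SQL text, so quoting changes the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_param(conn: sqlite3.Connection, name: str):
    """Safe: the value is bound as a parameter and can never alter the query structure."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def lookup_defended(conn: sqlite3.Connection, name: str):
    """Application-side defence in the order @atdre argues for: allowlist first,
    then a parameterized query. Returns None for rejected input."""
    if not whitelist_allows(name):
        return None
    return lookup_param(conn, name)


if __name__ == "__main__":
    conn = setup_db()
    textbook = "' OR 1=1 --"
    rewritten = "x' OR 'a'='a"
    encoded = "x%27%20OR%201%3D1"
    print("textbook payload passes blacklist:", blacklist_allows(textbook))
    print("rewritten payload passes blacklist:", blacklist_allows(rewritten))
    print("encoded payload (raw, decoded):", blacklist_raw_vs_decoded(encoded))
    print("concat query with rewritten payload:", lookup_concat(conn, rewritten))
    print("param query with rewritten payload:", lookup_param(conn, rewritten))
    print("defended lookup with rewritten payload:", lookup_defended(conn, rewritten))
    print("defended lookup for alice:", lookup_defended(conn, "alice"))
```

The point the block makes is the one both commenters partly agree on: the blacklist stops only the payloads it has signatures for, the allowlist rejects anything outside the expected shape without needing to know the attack, and the parameterized query makes the injection inert even if validation is skipped.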
	<item>
		<title>By: dWAF as SaaS available through GoGrid &#171; Hyperguarding your Web Applications</title>
		<link>http://blog.gogrid.com/2010/03/02/gogrid-and-art-of-defence-partner-to-provide-first-distributed-web-application-firewall-dwaf-in-the-cloud/#comment-2961</link>
		<dc:creator>dWAF as SaaS available through GoGrid &#171; Hyperguarding your Web Applications</dc:creator>
		<pubDate>Wed, 03 Mar 2010 16:21:52 +0000</pubDate>
		<guid isPermaLink="false">http://blog.gogrid.com/?p=1787#comment-2961</guid>
		<description><![CDATA[[...] GoGrid customers are able to access the solution by simply deploying a GoGrid Partner Server Image (GSI) with hyperguard SaaS installed. By integrating a dWAF right into a virtual image and hosted as a SaaS, customers overcome the false sense of security created by traditional network perimeter security strategies which fail at the application level. [...]]]></description>
		<content:encoded><![CDATA[<p>[...] GoGrid customers are able to access the solution by simply deploying a GoGrid Partner Server Image (GSI) with hyperguard SaaS installed. By integrating a dWAF right into a virtual image and hosted as a SaaS, customers overcome the false sense of security created by traditional network perimeter security strategies which fail at the application level. [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>
