I am operating a cloud-based SaaS and finding it very difficult to find a good solution that works well with many custom domain names, SSL, etc. I already have SQL injection protection. Do these solutions offer enough security to offset the hassle, potential performance degradation and the additional point of failure they introduce?
In my opinion WAF is security through obscurity; it's worse than useless as it adds extra latency and complexity to your app, along with giving you a false sense of security.

Most of them are just a ruleset of common basic SQL injections that it hopes to detect and block. If it even actually works, the attacker just changes a few characters and easily gets past the block.

You are better off fuzzing, using the ruleset to test your code in development, detect the SQL injections and fix them. Now your code is secure, there is no extra setup, there is no extra latency, there is no extra complexity, there is no way around this security; it's secure security.
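One way to do what this comment suggests, as an added example that is not from the thread: run the same injection test vectors a WAF ruleset would match against the application code itself (here Python with sqlite3), so the defect is found and fixed in development rather than filtered in front of the app. The users table, the payload list and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data: a tiny users table in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def lookup_concat(conn, name):
    """Vulnerable: user input is spliced into the SQL text, so the input can
    change the shape of the query. This is what a WAF tries to paper over."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    """Fixed: the driver binds the value as data; no input can alter the query."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]

# Constructed test vectors of the kind a WAF ruleset flags. No user has these
# names, so a correct lookup must return zero rows for every one of them.
PAYLOADS = ["' OR '1'='1", "alice' --"]

def audit(lookup):
    """Return the payloads for which `lookup` returns any row at all.
    An empty list means the implementation treats input strictly as data."""
    leaked = []
    for p in PAYLOADS:
        conn = make_db()
        try:
            if lookup(conn, p):
                leaked.append(p)
        except sqlite3.Error:
            pass  # a syntax error is a bug too, but it is not a data leak
        finally:
            conn.close()
    return leaked

if __name__ == "__main__":
    print("concat leaks on:", audit(lookup_concat))   # both payloads
    print("param  leaks on:", audit(lookup_param))    # []
```

Dropped into a CI test, `audit(lookup_param) == []` fails the build the moment someone reintroduces string concatenation, which is the "no way around this security" property the comment describes.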
Fix your SQLi problems. In-depth defense, etc.

You might protect your web-facing service, but what about someone already inside your network (RAT)?

WAFs are an additional measure, one that you probably can't deploy between each pair of machines that communicate together. Have someone perform a pentest, see how bad it is. Also, they're expensive, more so than a check for weird chars in a comment field.
CSP is a good investment. My colleague gave a talk at BSidesSF with (I think) good recommendations on how to enforce better CSP in practice: https://youtu.be/MNT0O94FYTg
If your application is coded securely, it should be able to withstand most of what a WAF can do. The problem is companies have a false sense of reality by and large: thinking their application is secure, when really it's just waiting to be hacked.