What’s wrong with the use of a WAF (Web Application Firewall)?
My SaaS company recently lost the bid for an enterprise software licensing deal.
One of the reasons the prospect gave for not choosing us as a vendor was:
> the use of a WAF
I'm not an information security specialist, so I'm confused as to why the use of a WAF (Web Application Firewall) could be seen as a potential security vulnerability.
Is it best to avoid using a WAF? Could they be concerned because the use of a WAF suggests inadequate protection? Is their concern legitimate?
The full quote[^1] is as follows.

> Technical Integration – $PROSPECT is a multi-national subsidiary of an industry leader in $INDUSTRY, which brings with it a lot of cyber security risks. This means our technical security standards are high, so $TECH_DUE_DILIGENCE_PROVIDER raised concerns about the implications of $REASON_1, **the use of a WAF**, and $REASON_2. Although in isolation these issues may seem minor, the cumulative risk and potential exposure was difficult to overlook – which ultimately led to $VENDOR being classed as a ‘high risk vendor’ by IT.

[^1]: Irrelevant or sensitive information redacted; emphasis mine.