When you say that I’m “very set on the idea that WAF (with proper blacklists) or VA+WAF (to manage the blacklists) are fair enough temporary solutions until organizations can implement secure coding” I guess that is in some way true, but misses my point.

What I’m trying to say, perhaps badly, is that WAFs are not totally worthless – there is some benefit in them, which mostly seems to be ignored. Sure, they are no silver bullet, but neither are they a box/plugin that does nothing – it’s all in the way they they are used/operated. I don’t believe that it’s a zero-sum game. Are there issues with them – totally – but they are new(ish) technology, and are inevitably going to go through growing pains just as all software does. I don’t have any any investment either sides of the argument, so I guess I would like to see how this plays out over time and would hate to see a technique/technology simply dismissed because it it’s perfect “out the gate”.

This is just from a researcher/technologist point of view though – if I were an IT guy/CISO/etc, I probably would have a different viewpoint.

I whole-heartedly agree that it’s much better to do validation, etc, closer (within) the code – there’s much better “context” to know what to do. Programmers are human though, and will make mistakes/omissions – we therefore need a way to help protect these holes after-the-fact. Be that dynamic patching, technology like WAFs, or “something else”, for me the jury is still out but the need is still there.