The web application firewall (WAF) is dead, they say, and DevOps is the culprit. But the fact is that WAF isn’t dead at all, nor is it likely to be anytime soon. You can only get rid of WAF if you fully implement security into your development process and audit the process via code reviews and annual tests. WAFs are specific to each application and, therefore, require different protections. In an enterprise environment, it’s not unusual for a company to be running old apps in which code is no longer maintained.
Source: https://www.helpnetsecurity.com/2021/05/14/waf-dead/