This tweet discusses how Web Application Firewalls (WAFs) factor into prioritizing code-level vulnerability fixes for finance customers. It notes that some organizations use WAF coverage as one input when deciding which vulnerabilities to fix first. The author suggests that if the bug hunters who reported a finding were primarily focused on bypassing the WAF, the WAF's default protections may already be providing some level of defense. If, however, the threat involves a bypass of custom logic, relying solely on default WAF protections may not be enough, and timely remediation of the underlying code is necessary. The takeaway is that effective vulnerability management depends on understanding both the default and the custom WAF rules in place.
For more insights, check out the original tweet here: https://twitter.com/ryancbarnett/status/2027405720182788209