The other half asks "May I please have some more (application security)."
Another lifetime ago, way back in 2014, I wrote that "updating WAF rules is like flossing: everybody knows they should be doing it, but it can be an easy step to forget and difficult to find the time to do." At the time my conclusion was something along the lines of "so if you don't have time to do it, you should pay someone to do it for you." In hindsight that conclusion was flawed for two reasons.

First, my analogy got a little weird at that point: who in their right mind would let someone else floss their teeth for them? By the same token, what if you don't trust a third party to update your rules for you? Some security professionals, quite rightfully, probably take better care of their apps than they take care of their own teeth, and they are perfectly capable, thank you very much, of taking care of their apps and their WAF rules themselves. Some of the larger eCommerce companies and banks, for instance, have teams of 4, 5 or even 6 full-time employees studying WAF rules, tuning configurations, and generally making sure that the bad guys are kept out while the good guys get through to their websites unmolested.

Second, even if you are comfortable with someone else flossing your teeth or updating your rules, what if you can't afford to pay someone else to do it for you?