
WAF vs. Application Layer for Bot Mitigation

Çağlar Arlı


In a layered enterprise security architecture with a Web Application Firewall (WAF) deployed in the DMZ, should there be shared responsibility between the WAF and the application layer / microservices for mitigations the WAF supports, specifically for mitigations against bots?

While one can argue defense-in-depth mandates application-level hardening, relying on application developers who typically develop business logic to write something for bot mitigation (which requires expertise beyond app dev) can be impractical and introduce overhead.

If the WAF offers bot defense as a built-in feature, should the application layer also implement bot mitigation techniques like fingerprinting? What are the best practices and guidelines for allocating responsibility for mitigating threats between the WAF and the application?
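One concrete way to split the work that does not require application developers to become bot-detection experts is illustrated below. This is an added example written for this post, not code from the original question or from any WAF vendor. It assumes two things that are not in the post: a hypothetical WAF that stamps a keyed HMAC header (`X-WAF-Verified`, with a constructed shared secret) on every request it forwards, and a login endpoint that identifies an account. The application then does only what the WAF cannot do from the network edge: it refuses requests that reached the origin without passing through the WAF, and it enforces a per-account attempt limit that a bot rotating through many source IPs cannot evade. Fingerprinting, signature matching and IP reputation stay on the WAF.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed values for this example: in a real deployment the secret is
# provisioned to the WAF/reverse proxy and the origin out of band, and the
# header name is whatever the WAF product actually emits.
WAF_SECRET = b"example-shared-secret-not-for-production"
WAF_HEADER = "X-WAF-Verified"


def waf_tag(client_ip: str) -> str:
    """Value the hypothetical WAF stamps on a forwarded request: HMAC of the
    client IP it saw, keyed with the shared secret. Modelled here so the
    origin-side check can be exercised offline."""
    return hmac.new(WAF_SECRET, client_ip.encode(), "sha256").hexdigest()


def passed_through_waf(headers: dict, client_ip: str) -> bool:
    """Origin-side check: reject anything that bypassed the WAF (for example a
    request sent straight to the origin IP). Constant-time compare avoids
    leaking tag bytes through timing."""
    presented = headers.get(WAF_HEADER, "")
    return hmac.compare_digest(presented, waf_tag(client_ip))


class AccountRateLimiter:
    """Business-aware limit the WAF cannot express: at most `max_attempts`
    login attempts per account within a sliding window, regardless of which
    source IP the attempts came from."""

    def __init__(self, max_attempts: int = 5, window_s: float = 60.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.clock = clock            # injectable so tests are deterministic
        self.attempts = defaultdict(deque)

    def allow(self, account: str) -> bool:
        now = self.clock()
        window = self.attempts[account]
        # Drop attempts that have aged out of the window.
        while window and now - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.max_attempts:
            return False
        window.append(now)
        return True


def handle_login(request: dict, limiter: AccountRateLimiter) -> tuple:
    """Minimal login handler showing the application's share of the work.
    `request` is a constructed dict with 'headers', 'client_ip' and 'account'."""
    if not passed_through_waf(request["headers"], request["client_ip"]):
        return (403, "origin must be reached through the WAF")
    if not limiter.allow(request["account"]):
        return (429, "too many attempts for this account")
    # Credential verification would follow here; omitted for the example.
    return (200, "ok")


if __name__ == "__main__":
    limiter = AccountRateLimiter(max_attempts=3, window_s=60.0)
    req = {"headers": {WAF_HEADER: waf_tag("203.0.113.7")},
           "client_ip": "203.0.113.7", "account": "alice"}
    for _ in range(4):
        print(handle_login(req, limiter))
    print(handle_login({"headers": {}, "client_ip": "203.0.113.7", "account": "alice"}, limiter))
```

The division of labour this encodes is the usual answer to the responsibility question: the WAF owns signals derived from traffic shape (fingerprints, signatures, reputation, volumetric limits per source), while the application owns controls that need business context (what an "account" is, which operations are sensitive) plus one cheap guard that the WAF is actually in the path. Neither side re-implements the other's job.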