That’s a good post about the inherent conflict between devops and security. I like his points and I think the most relevant item is automation. WAF policies should be one of the core requirements during the development process and similar to identifying everything else. Ideally, it would almost be a unit test during the workflow between qa/dev/staging/prod.