http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is/
http://www.tssci-security.com/archives/2008/06/23/web-application-firewalls-a-slight-change-of-heart/
http://www.tssci-security.com/archives/2008/06/23/week-of-war-on-wafs-day-1-top-ten-reasons-to-wait-on-wafs/
http://www.tssci-security.com/archives/2008/06/25/week-of-war-on-wafs-day-2-a-look-at-the-past/
http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-3-language-specific/
http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-4-closer-to-the-code/
http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/
**As always on the TS/SCI blog, the comments are where the "real hotness" is, and you should make sure you read them with each post.**
Also check out this thread on Jeremiah Grossman's blog:
http://jeremiahgrossman.blogspot.com/2008/06/can-wafs-protect-against-business-logic.html
While I don't always agree with Dre, I have to admit that before I would drop $110k plus yearly maintenance, I might have to crunch the numbers to see how much it would cost me for a real, thorough web application code rewrite/review/pentest before I get stuck with yet another appliance in the rack that I have to pay for every year and pay someone to run.
I'm not an SDLC guy, but are we really to the point that we CAN'T write a secure web application for any amount of money? I would hope that isn't the case.
Read the posts. Dre and Marcin put it better than I ever will.