In trying to advocate for the implementation of software development security best practices, I've hit a roadblock: The top development manager says that because we have a Web application firewall (WAF) in place, it'll serve as a catch-all against any Web app security flaws our developers fail to catch. Can you help give me some good counterarguments as to why we shouldn't simply rely on the WAF to protect us from bad coding practices?