Web app firewalls have the right idea - protect apps in production from attacks, but the execution is all wrong. It bogs down Security Teams with false alarms. We need to rethink how we approach application security. It's more than just a firewall and easier than perfect coding. It's time for the application to protect itself.