Think of your application's security infrastructure as its doctor. Suppose you have a cough, a sore throat and a runny nose. If the doctor assesses only the external symptoms, he will prescribe the wrong medicine, because he has not run the internal tests needed to know what is happening inside the body. The same thing can happen to your application, allowing attacks on account information. A Web Application Firewall (WAF) cannot see what is happening inside the application, which is why it relies on a "signature" to determine whether the code in a request is threatening. So the best way to protect your application from vulnerabilities is to combine external observations with internal tests. Read more at: http://www.business2community.com/cybersecurity/signature-based-security-first-step-01773479#qAVrXsrP3ape3Hb5.97