
Most large companies have too many developers and too many teams to expect/assume that each team will do the right thing for security when putting something in production on the public Internet.

Why? Because most software developers are bad at security (I said most not all).

So yes do all the things at the bottom of this article! Teach security-by-design to all your teams. Make sure they know what OWASP is at least. Make sure you test all the things. Either own or rent red teams.

But if you're a big enough company, you probably also need something centralized like a WAF, because you want defense in depth.

WAFs are far from perfect, but in my experience they are better than not having one in 2023.



> Why? Because most software developers are bad at security (I said most not all).

In my experience it is that most software engineers are not incentivized to care about security.


This is my personal opinion but any developer building software that runs on the public Internet should not need to be incentivized to care about security.

It's a fundamental part of the job.


Let me rephrase: software development (the action of engineers and the whole process in general) is actively incentivised to not care about security.

The consequences of poor security are often way, way lower than the costs of doing it properly. Add to that that security problems are contingent risks that only "pay out" in a small number of cases, and you have a recipe for low expected value for investment into security.

Software engineers often want to develop a secure product, but they don't know what they don't know, and their employer is not interested in investing in security capabilities, both the company's security capabilities and the capabilities of its employees.


So, I guess I hear you on this, although I think it's a generalization.

There's certainly a trope among developers that "the business" doesn't give us time to do work properly, including security, and that it's just "ship features fast".

My take on this is that it's on us, as professional developers and particularly technical leaders, to force that issue and advocate for better practices.

I've advocated for better technical practices at several jobs I've been at, and in many cases there was no intentional desire to incentivize bad practices, it was simply that the leaders weren't aware of all the requirements, and of the consequences of cutting too many corners.

When framed in the context of business value and risk, it's not as hard as you think to introduce better standards to most software development teams. Smart leaders are open to listening and changing if it means better outcomes.

That said, if your technical leadership isn't interested in supporting this kind of improvement or helping you advocate, then maybe it's time to dust off the CV if you personally care about it.


How about the incentive of doing your job properly.



