How To Do Web Penetration Testing?

If someone has implemented a WAF (Web Application Firewall), does he still need to conduct penetration testing?

  • Answer:

    Yes. A WAF adds a layer of security, but it's still possible to interact with the application and to craft requests or logical attacks that are not detected. They are very good at detecting easy XSS and SQL injection attempts. But implementing WAFs to protect insecure applications is a bad approach. The application should stand a penetration test even without a WAF. As said before, WAFs are just an additional security layer.

Simon Wepfer at Quora


Other answers

YES, he does need penetration testing. Having a firewall on is not enough for satisfaction, and if you are in a network with multiple computers also connected to the Internet, you have a great chance of being hacked. Hackers use different techniques to trap your security: they can bypass firewalls by exploiting security weaknesses in them, and they can also do it with techniques like port forwarding. Good Day.

Nasrumminallah Zeeshan (http://www.twitter.com/Nz_Hacktivist)

Yes, you do, multiple times. You'll need to conduct a pen test on the WAF itself before installing it in your infrastructure. Conduct a pen test directly on the web app itself (without the WAF). After the WAF is installed and working in blocking mode, conduct another pen test of the web app behind the WAF to ensure the WAF is protecting the web app. Conduct a vulnerability scan of the WAF in blocking mode and remediate any medium-to-high findings on the WAF; for defence in depth, make the code secure. Conduct a performance test prior to inserting the WAF, and conduct a performance test after placement of the WAF. Measure the latency caused by adding the WAF. Is this latency acceptable?

Jeremy Quadri

Yes, a WAF cannot do all packet-level filtering; it must strictly go through a web application penetration tester before any intrusion that is likely to arise. It's not the language that has flaws, it's the code logic. There are business logic vulnerabilities as well, which a WAF cannot apprehend.

Shritam Bhowmick

WAF cannot stop attacks related to business logic vulnerabilities. You can check out the following article and checklist on business logic vulnerabilities... http://www.ivizsecurity.com/blog/penetration-testing/must-know-business-logic-vulnerabilities-in-banking-applications/ http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html

Bikash Barai
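As an added example (written for this page, not taken from any of the answers above), the following Python puts a toy signature-matching WAF in front of a small checkout handler to make concrete the point raised by Simon Wepfer and by Bikash Barai: the WAF stops the easy SQL injection probe, but a syntactically ordinary request that abuses the business logic (a negative quantity, the same coupon applied three times) is indistinguishable from legitimate traffic at the WAF and only the application's own checks can stop it. The signatures, the catalogue, the SAVE10 coupon and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Toy signature set standing in for an "easy XSS and SQL injection" WAF rule set.
# Constructed for this example; real rule sets are far larger, but share the same
# model: pattern-match request content without knowing what a value means to the app.
WAF_SIGNATURES = [
    re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),   # ' OR '1'='1 and friends
    re.compile(r"(?i)\bunion\s+select\b"),         # UNION SELECT
    re.compile(r"(?i)<\s*script\b"),               # <script>
]

PRICES = {"widget": 25.00}          # constructed catalogue
COUPON_VALUE = {"SAVE10": 10.00}    # constructed coupon table


@dataclass
class Request:
    params: Dict[str, str]


def waf_inspect(req: Request) -> bool:
    """Return True when any parameter value matches a signature (request is blocked)."""
    return any(sig.search(v) for v in req.params.values() for sig in WAF_SIGNATURES)


def checkout_vulnerable(req: Request) -> float:
    """Checkout that trusts the client: no range check on quantity, coupons stack."""
    qty = int(req.params["qty"])
    total = PRICES[req.params["item"]] * qty
    for code in req.params.get("coupons", "").split(","):
        total -= COUPON_VALUE.get(code, 0.0)   # a repeated code is discounted repeatedly
    return round(total, 2)


def checkout_hardened(req: Request) -> float:
    """Checkout that enforces the business rules a WAF has no way of knowing."""
    qty = int(req.params["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    total = PRICES[req.params["item"]] * qty
    coupons = {c for c in req.params.get("coupons", "").split(",") if c}
    if len(coupons) > 1:
        raise ValueError("only one coupon per order")
    for code in coupons:
        total -= COUPON_VALUE.get(code, 0.0)
    if total < 0:
        raise ValueError("total cannot be negative")
    return round(total, 2)


def handle(req: Request, app: Callable[[Request], float]) -> str:
    """Request pipeline: the WAF inspects first, then the application handler runs."""
    if waf_inspect(req):
        return "blocked by WAF"
    try:
        return f"charged {app(req):.2f}"
    except (ValueError, KeyError) as exc:
        return f"rejected by app: {exc}"


if __name__ == "__main__":
    cases = [
        ("SQLi probe", Request({"item": "widget", "qty": "1' OR '1'='1"})),
        ("negative qty", Request({"item": "widget", "qty": "-3"})),
        ("stacked coupon", Request({"item": "widget", "qty": "1",
                                    "coupons": "SAVE10,SAVE10,SAVE10"})),
        # Inline SQL comment instead of whitespace slips past this toy signature;
        # production WAFs normalise comments, but every signature set has some gap.
        ("obfuscated SQLi", Request({"item": "widget", "qty": "1 UNION/**/SELECT 1"})),
    ]
    for name, req in cases:
        print(f"{name:16} vulnerable app: {handle(req, checkout_vulnerable)}")
        print(f"{name:16} hardened app:   {handle(req, checkout_hardened)}")
```

The negative-quantity and stacked-coupon requests are well-formed HTTP with nothing a signature could match, so `waf_inspect` lets them through and the unguarded handler "charges" a negative amount; the hardened handler rejects both. That is exactly why the application has to pass a penetration test on its own and the WAF should be treated as an extra layer, not the control.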
