First of all, I'd say that in security it's best not think in terms of options, but to try and combine different alternatives to provide maximum security.
Application firewalls protect the application layer, normally protecting HTTP communications from attacks like SQL or script injection. Be wary of simplistic pattern-based firewalls, as the attacks might be new and not in the database or more likely will be designed not to be easily detected.
The best solution is to constrain a program's input and output only to accept or output expected data. An example of this is to limit the input length, and only allow numbers when accepting numeric data like credit cards or current age. But there are problems with constraining data, as sometimes the data is unexpectedly long (surnames) or will contain illegal characters (passwords).
Before releasing any Web application to the public, it should then be subjected to static and dynamic source code reviews to validate it has been developed correctly. Finally the program language you choose is also important, because filters built into the language will help prevent many common Web-based attacks. It is wise to learn about the protective mechanisms built into your chosen programming language, and make good use of them.
Protection is sometimes provided by frameworks which support multiple languages and sometimes within variations of the same programming language from different vendors. Check online security sites to see the number of vulnerabilities associated with the language.
Unfortunately, even when adequate protection is offered -- such as the various .Net framework validation controls -- few developers seem to use them, probably because they lack awareness or training.
Related Q&A from Richard Brain
Managing vulnerabilities involves a wide array of security testing, including both dynamic and static source code analysis. Learn how the two differ,... Continue Reading
Which browsers are secure enough for enterprise use, and which should be avoided at all costs? In this expert response, Richard Brain examines the ... Continue Reading
Google cloud applications aren't necessarily known for their security. In this expert response, learn what to watch out for when considering using ... Continue Reading