Conclusion
These best practices rely on solid web application security policies. First, make sure you have no wildcards in your policy, such as one that says, "let in all traffic." Second, do not rely solely on signature sets, as you'll be chasing new signatures on a continuous basis. In fact, it's better to spend time up front whitelisting the good in your WAF or bot detection and mitigation solution than to keep updating signatures for all of the bad that could possibly be thrown at your application.
Finally, the best web application security policies are dynamic. This means you should make policy review an integral part of QA testing every time you update application code. But with a solid baseline in place from profiling your web applications, this should become as routine as brushing your teeth.