Positive Security Model

  • Link11-Team
  • April 24, 2025

What is the best approach to web application security? For many years, the negative security model was the basis of all Web Application Firewalls (WAFs). Today it is being supplanted by the positive security model. Before discussing why, some background information will be helpful.

What Is a Positive Security Model?

Positive security is the opposite of negative security (the more traditional approach):

  • Negative security allows all HTTP/S traffic, except for traffic that is identified to be hostile.
  • Positive security rejects all HTTP/S traffic, except for traffic that is identified to be legitimate.

These two approaches are sometimes known as the “blacklisting” model and the “whitelisting” model, respectively:

  • Under a negative security model, the admin must define all the characteristics of undesirable traffic so it can be specifically rejected (blacklisted).
  • Under a positive security model, the admin must define all the characteristics of desirable traffic, so it can be specifically allowed (whitelisted).

For decades, negative security was the typical approach. Today, positive security is also becoming popular, especially in next-generation WAFs. Why is this true?

Why Is it More Effective Than a Negative Security Model?

There are several flaws with the negative security model, including:

  • Growing difficulty. A negative security model is only as good as the rules defined for it. Since the admin must set parameters for what qualifies as a “threat,” any weakness in the criteria could allow attack traffic to slip through. As the modern threat environment has grown more complex, it has become more difficult to correctly and completely define the characteristics of hostile traffic.
  • False negatives. For a negative security model, false negatives are an issue. When a false negative occurs, the security system did not detect a threat, and it allowed the attack to be waged. Clearly, false negatives can have devastating consequences.
  • Exploitability. Most, if not all, of the cyberattacks and system breaches that are reported in the news are the result of skilled attackers circumventing the target’s negative security model.
  • Key vulnerabilities. The Open Web Application Security Project (OWASP) Top 10 is a list of the top web application security risks. While a negative security model can mitigate some of them, for others (such as cross-site scripting and broken access control) it cannot.
  • Demand for ongoing updates. A negative security model requires ongoing and frequent updates, because hackers are continuously updating and improving their attack techniques. A negative security model is only effective against the threats that have been proactively identified within the system. Therefore, for the security system to remain relevant, an admin must add new criteria regularly. This administrative burden is time-intensive at best, and at worst, a critical update could be missed and an attack could be allowed through.

Are There Any Downsides to the Positive Security Model?

The negative security model has a lot of weaknesses, making the positive security model favorable by contrast. But are there any downsides or issues with the positive security model?

The short answer is yes. For starters, the positive security model is much harder, more time-intensive, and more expensive to implement. Admins must establish rules and criteria that allow only acceptable requests through, which can be very difficult. Data types, structures and syntaxes, input characters, and value ranges all must be considered—and this is a complex undertaking even for experienced cybersecurity experts.

Additionally, the positive security model opens the door to false positive alarms. With the negative security model, false negatives are the issue—it’s possible for a genuine threat to get through your layers of security. But with a positive security model, the more common problem is flagged threats that aren’t threats at all, which causes annoyance and wastes time.

Lastly, in some cases, a positive security model is (for lack of a better term) overkill. While there are many types of threats that can sneak past a negative security model, the negative model is sufficient to block the majority of the biggest and most common threats.

That being said, a negative security model will still miss detecting some threats. A positive security model is, by its nature, much more likely to catch the attacks that a negative security model may miss.

Conclusion

To achieve the best possible protection for an organization, the most popular modern strategy is a hybrid approach. A negative security model can filter out the most obvious and hostile threats, while whitelisting and input validation can be applied to the requests that pass through that first barrier of defense.
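As an added example (not Link11's code or part of the original article), the following toy request filter makes the three models described above concrete: the negative model from the definitions section (allow everything except requests that match a known-bad signature), the positive model with the per-endpoint criteria the downsides section lists (data types, input characters, value ranges), and the hybrid from this conclusion that chains the two. The endpoints, schema, signatures and sample requests are all constructed for illustration; the interesting cases are a malformed value that the denylist never sees (a false negative for the negative model) and a legitimate but unanticipated value that the allowlist rejects (a false positive for the positive model).

```python
"""Toy WAF decision logic contrasting negative, positive and hybrid security models.
Everything here (endpoints, rules, sample requests) is constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

Verdict = Tuple[bool, str]  # (allowed?, reason)


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


# --- Negative model: everything is allowed unless it matches a known-bad signature.
# Deliberately crude: the point is that only *anticipated* attack shapes are caught.
DENY_SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),        # reflected-XSS marker
    re.compile(r"union\s+select", re.IGNORECASE),  # SQL-injection marker
    re.compile(r"\.\./"),                          # path-traversal marker
]


def negative_model(req: Request) -> Verdict:
    """Blacklist: reject only traffic that matches a signature, allow the rest."""
    for value in [req.path, *req.params.values()]:
        for sig in DENY_SIGNATURES:
            if sig.search(value):
                return False, f"matched denylist signature {sig.pattern!r}"
    return True, "no signature matched"


# --- Positive model: a schema describing the only acceptable requests per endpoint.
# Each parameter: (regex for allowed characters/format, min, max) - min/max only for numbers.
# Hypothetical endpoints; all parameters are treated as optional for brevity.
ALLOW_SCHEMA = {
    ("GET", "/products"): {
        "page": (re.compile(r"^[0-9]{1,4}$"), 1, 9999),
        "sort": (re.compile(r"^(price|name)$"), None, None),
    },
    ("POST", "/login"): {
        "user": (re.compile(r"^[a-z0-9._-]{3,32}$"), None, None),
        "password": (re.compile(r"^.{8,128}$"), None, None),  # any characters, length-bounded
    },
}


def positive_model(req: Request) -> Verdict:
    """Whitelist: reject anything the schema does not explicitly describe."""
    schema = ALLOW_SCHEMA.get((req.method, req.path))
    if schema is None:
        return False, "endpoint not in allowlist"
    for name, value in req.params.items():
        if name not in schema:
            return False, f"unexpected parameter {name!r}"
        pattern, lo, hi = schema[name]
        if not pattern.match(value):
            return False, f"parameter {name!r} fails format check"
        if lo is not None and not (lo <= int(value) <= hi):  # format check guarantees digits
            return False, f"parameter {name!r} out of range"
    return True, "request conforms to schema"


def hybrid_model(req: Request) -> Verdict:
    """Cheap signature filter first, then schema validation for whatever survives."""
    allowed, reason = negative_model(req)
    if not allowed:
        return False, "negative: " + reason
    allowed, reason = positive_model(req)
    return allowed, "positive: " + reason


if __name__ == "__main__":
    # Constructed sample traffic: one clean request, one malformed value that no
    # signature covers, one obvious XSS probe, and one legitimate-but-unanticipated sort key.
    samples = [
        Request("GET", "/products", {"page": "2", "sort": "price"}),
        Request("GET", "/products", {"page": "2", "sort": "name;id"}),
        Request("GET", "/search", {"q": "<script>"}),
        Request("GET", "/products", {"page": "2", "sort": "rating"}),
    ]
    for r in samples:
        print(f"{r.method} {r.path} {r.params}")
        for label, model in (("negative", negative_model), ("positive", positive_model), ("hybrid", hybrid_model)):
            print(f"   {label:8s}: {model(r)}")
```

Running the script shows the trade-off the article describes: the `sort=name;id` request sails through the denylist but fails the schema, while `sort=rating` is harmless yet rejected by the allowlist because nobody wrote a rule for it. The hybrid keeps the cheap signature check in front so the schema only has to handle traffic that already looks plausible.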
