<p>An effective application security model is essential to protecting apps from threats and vulnerabilities. Two common models are positive security and negative security. While both approaches secure applications, they do so in different ways.</p> <p>In general, positive security models only allow approved traffic and actions and deny other requests, and negative security models block known malicious traffic and actions and allow everything else.</p> <p>Let's compare positive and negative security for AppSec and examine how to choose which to implement.</p> <section class="section main-article-chapter" data-menu-title="What is positive security?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is positive security?</h2> <p>Positive security models define what is allowed and disallow everything else. In terms of AppSec, positive security involves taking a default-deny approach by <a href="https://www.techtarget.com/whatis/definition/whitelist">allowlisting</a> approved behaviors, traffic, services and entities for web apps and denying what is not explicitly allowed.</p> <p>The benefits of positive security for AppSec include the following:</p> <ul class="default-list"> <li>Prevents zero-day attacks because only allowed behavior and traffic is approved to interact with the web apps.</li> <li>Reduces false positives of unknown malicious behavior and traffic because it only allows approved inbound traffic and actions.</li> <li>Improves overall <a href="https://www.darkreading.com/cyberattacks-data-breaches/6-attack-surfaces-you-must-protect">attack surface</a> security because only approved behaviors and traffic are allowed.</li> </ul> <p>A top challenge of positive security is management complexity. 
Security teams need to regularly update allowlists to ensure legitimate and approved behaviors and traffic are permitted.</p></section> <section class="section main-article-chapter" data-menu-title="What is negative security?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is negative security?</h2> <p>Negative security models define what is not allowed and permit everything else. In terms of AppSec, negative security involves taking a default-allow approach by <a href="https://www.techtarget.com/searchsecurity/tip/Allowlisting-vs-blocklisting-Benefits-and-challenges">blocklisting</a> known bad behaviors, traffic, services and entities for web apps.</p> <p>The benefits of negative security include the following:</p> <ul class="default-list"> <li>Simplifies initial implementation because the focus is on preventing known malicious threats.</li> <li>Reduces UX friction because all traffic is allowed except that on the blocklist.</li> <li>Enables better flexibility for agile organizations because it does not prevent unknown good behaviors.</li> </ul> <p>A top challenge of negative security is that, because it only stops blocklisted behavior, new and unknown threats might slip past.</p></section> <section class="section main-article-chapter" data-menu-title="Comparing positive vs. negative security"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Comparing positive vs. negative security</h2> <p>The goal of both models is to block unwanted traffic and behaviors and permit good traffic and behaviors. 
The differences are in how they handle traffic and behaviors.</p> <table class="main-article-table"> <thead> <tr> <td> <p><span style="color: #ecf0f1;"><b>Attribute</b></span></p> </td> <td style="width: 158.0pt;"> <p><span style="color: #ecf0f1;"><b>Positive security model</b></span></p> </td> <td style="width: 162.0pt;"> <p><span style="color: #ecf0f1;"><b>Negative security model</b></span></p> </td> </tr> </thead> <tbody> <tr> <td> <p>Primary activity</p> </td> <td valign="top" style="width: 158.0pt;"> <p>Permits only behaviors and traffic defined as safe; all others are blocked.</p> </td> <td valign="top" style="width: 162.0pt;"> <p>Blocks only behaviors and traffic defined as unsafe; all others are permitted.</p> </td> </tr> <tr> <td> <p>Technical approach</p> </td> <td valign="top" style="width: 158.0pt;"> <p>Default-deny using allowlists.</p> </td> <td valign="top" style="width: 162.0pt;"> <p>Default-allow using blocklists.</p> </td> </tr> <tr> <td> <p>Security</p> </td> <td valign="top" style="width: 158.0pt;"> <p>Considered more secure because it prevents unknown threats from passing through.</p> </td> <td valign="top" style="width: 162.0pt;"> <p>Considered somewhat less secure because unknown threats could pass through.</p> </td> </tr> <tr> <td> <p>Ease of use</p> </td> <td valign="top" style="width: 158.0pt;"> <p>More complex to implement; higher ongoing maintenance effort; more technical.</p> </td> <td valign="top" style="width: 162.0pt;"> <p>Simpler to implement; requires updates as new threats emerge; less technical.</p> </td> </tr> <tr> <td> <p>Pros</p> </td> <td valign="top" style="width: 158.0pt;"> <p>Strong security; limits attack surfaces; effective against sophisticated and unknown threats.</p> </td> <td valign="top" style="width: 162.0pt;"> <p>Simpler implementation and maintenance; preconfigured protections; reduces false positives.</p> </td> </tr> <tr> <td> <p>Cons</p> </td> <td valign="top" style="width: 158.0pt;"> <p>Resource-intensive; 
complex implementation; increased false positives.</p> </td> <td valign="top" style="width: 162.0pt;"> <p>Vulnerable to unknown and zero-day threats; increased false negatives.</p> </td> </tr> </tbody> </table></section> <section class="section main-article-chapter" data-menu-title="How to choose between positive and negative security models"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to choose between positive and negative security models</h2> <p>Either model can deter malware and other malicious activity in the right situation. When looking at positive and negative security models, first examine existing and prior trends in network traffic, user behaviors and security breaches and attacks. Determine which type of security model fits best within those parameters.</p> <p>Consider a positive security model in the following scenarios:</p> <ul class="default-list"> <li>The organization needs <strong>strict control</strong> over device access, network access and system interactions.</li> <li>The organization uses apps and networks that access highly sensitive data, such as in banking, finance, healthcare and government.</li> <li>When understanding good behavior and traffic is more important.</li> <li>When the operating environment and infrastructure have predictable, known and understood users and activities.</li> </ul> <p>In the finance industry, for example, banks use positive security to validate customer transactions. 
It helps prevent fraud by ensuring only approved customers and transactions are permitted.</p> <p>Consider a negative security model in the following scenarios:</p> <ul class="default-list"> <li>The network environment and infrastructure are more fast-moving, requiring more flexibility and adaptability regarding web app access.</li> <li>The organization requires real-time <a href="https://www.techtarget.com/searchsecurity/definition/threat-detection-and-response-TDR">threat detection</a> without any limiting factors.</li> <li>When known threats and attacks frequently target the environment.</li> <li>When the organization can quickly and easily update the rules for identifying and blocking suspicious signatures.</li> </ul> <p>Negative security works well for rapidly evolving apps, resource-constrained organizations and specific security measures -- for example, to identify and block known malware and ransomware variants.</p></section> <section class="section main-article-chapter" data-menu-title="Take a hybrid approach"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Take a hybrid approach</h2> <p>In most cases, it's not a question of positive security <i>versus</i> negative security but positive security <i>and</i> negative security.</p> <p>Organizations should consider a hybrid approach to reap the benefits of both models. For example, use a negative security model as an initial prevention method to stop known malicious behaviors and traffic. Add positive security features to strengthen defensive efforts and prevent zero-day threats.</p> <p>Organizations that adopt a <a href="https://www.techtarget.com/searchsecurity/answer/What-are-the-most-important-pillars-of-a-zero-trust-framework">zero-trust security architecture</a> often use a hybrid model. 
This permits only authorized users to access an app while continuously monitoring for threat actors.</p> <p>Regardless of the approach, the goal of any AppSec model is to create a strong <a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-an-application-security-program">application security program</a> that reduces malware, ransomware and other threats and vulnerabilities by detecting and mitigating damage before it occurs.</p> <p><i>Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing. </i></p></section>
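<p>The following is an added example, not code from the article or from any product it mentions. It implements the three models described above as request filters for a hypothetical banking app: the positive model is an allowlist of routes and per-parameter value shapes (default-deny), the negative model is a blocklist of known-bad input signatures (default-allow), and the hybrid model runs the blocklist first and then the allowlist, as the hybrid section suggests. The routes, parameter rules, signatures and sample requests are all constructed for illustration. The sample traffic is chosen to reproduce the trade-offs in the comparison table: a novel payload on an approved route slips past the blocklist (a false negative for the negative model) but not the allowlist, while a legitimate new route is blocked by the allowlist until someone updates it (the false positive and maintenance cost of the positive model).</p>

```python
# Added example (not from the article): positive, negative and hybrid request
# filters deciding on the same constructed traffic. All routes, rules and
# signatures are hypothetical.
import re
from dataclasses import dataclass, field
from typing import Dict


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


# Positive model: every permitted route and, per parameter, the exact value
# shape it may carry. Any route or parameter absent from this map is denied.
ALLOWLIST: Dict[tuple, Dict[str, re.Pattern]] = {
    ("GET", "/account"): {},
    ("POST", "/transfer"): {
        "to": re.compile(r"[0-9]{8,12}"),                # destination account number
        "amount": re.compile(r"[0-9]+(\.[0-9]{1,2})?"),  # decimal currency amount
    },
}

# Negative model: signatures of known-bad input. Anything not matched is allowed.
BLOCKLIST = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),  # classic SQL injection marker
    re.compile(r"\.\./"),                      # path traversal marker
    re.compile(r"(?i)<script"),                # reflected XSS marker
]


def positive_model(req: Request) -> bool:
    """Default-deny: allow only an allowlisted route whose parameters all match."""
    rules = ALLOWLIST.get((req.method, req.path))
    if rules is None:
        return False
    return all(
        name in rules and rules[name].fullmatch(value) is not None
        for name, value in req.params.items()
    )


def negative_model(req: Request) -> bool:
    """Default-allow: deny only when a blocklisted signature appears in the request."""
    haystack = " ".join([req.path, *req.params.values()])
    return not any(sig.search(haystack) for sig in BLOCKLIST)


def hybrid_model(req: Request) -> bool:
    """Blocklist first to drop known threats cheaply, then the allowlist for the rest."""
    return negative_model(req) and positive_model(req)


def classify(req: Request) -> Dict[str, bool]:
    """Decision of each model for one request: True means permitted."""
    return {
        "positive": positive_model(req),
        "negative": negative_model(req),
        "hybrid": hybrid_model(req),
    }


# Constructed sample traffic (not real data) covering the trade-offs in the table.
SAMPLE_TRAFFIC = {
    "approved balance view": Request("GET", "/account"),
    "approved transfer": Request("POST", "/transfer", {"to": "123456789", "amount": "50.00"}),
    "known signature attack": Request("GET", "/search", {"q": "x' UNION SELECT 1--"}),
    "unknown payload on approved route": Request("POST", "/transfer", {"to": "123456789'--", "amount": "50.00"}),
    "new legitimate feature": Request("GET", "/statements"),
}


def decisions() -> Dict[str, Dict[str, bool]]:
    """Verdict of all three models for every sample request, keyed by label."""
    return {label: classify(req) for label, req in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, verdict in decisions().items():
        print(f"{label:36} positive={verdict['positive']!s:5} "
              f"negative={verdict['negative']!s:5} hybrid={verdict['hybrid']}")
```

<p>Running the block prints one line per sample request. The two approved requests pass all three models; the request carrying a known signature is stopped by both; the unknown payload is permitted by the negative model alone, which is the zero-day gap the table describes; and the new route is permitted only by the negative model, which is the allowlist maintenance burden the positive-security section warns about. The hybrid model is as strict as the allowlist but gives the blocklist a chance to reject known-bad traffic before the more expensive per-parameter checks run.</p>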
