
Positive vs. negative security: Choosing an AppSec model

Understand the benefits and challenges of positive and negative security models to determine how to best protect web apps in your organization.

An effective application security model is essential to protecting apps from threats and vulnerabilities. Two common models are positive security and negative security. While both approaches secure applications, they do so in different ways.

In general, positive security models only allow approved traffic and actions and deny other requests, and negative security models block known malicious traffic and actions and allow everything else.

Let's compare positive and negative security for AppSec and examine how to choose which to implement.

What is positive security?

Positive security models define what is allowed and disallow everything else. In terms of AppSec, positive security involves taking a default-deny approach by allowlisting approved behaviors, traffic, services and entities for web apps and denying what is not explicitly allowed.

The benefits of positive security for AppSec include the following:

  • Blocks zero-day attacks by default, because only explicitly allowed behavior and traffic can interact with the web apps.
  • Reduces the chance that unknown malicious behavior and traffic slips through, because only approved inbound traffic and actions are allowed.
  • Reduces the overall attack surface, because only approved behaviors and traffic are allowed.

A top challenge of positive security is management complexity. Security teams need to regularly update allowlists to ensure legitimate and approved behaviors and traffic are permitted.

What is negative security?

Negative security models define what is not allowed and permit everything else. In terms of AppSec, negative security involves taking a default-allow approach by blocklisting known bad behaviors, traffic, services and entities for web apps.

The benefits of negative security include the following:

  • Simplifies initial implementation because the focus is on preventing known malicious threats.
  • Reduces UX friction because all traffic is allowed except that on the blocklist.
  • Enables better flexibility for agile organizations because it does not prevent unknown good behaviors.

A top challenge of negative security is that, because it only stops blocklisted behavior, new and unknown threats might slip past.

Comparing positive vs. negative security

The goal of both models is to block unwanted traffic and behaviors and permit good traffic and behaviors. The differences are in how they handle traffic and behaviors.

Primary activity
  • Positive security model: Permits only behaviors and traffic defined as safe; all others are blocked.
  • Negative security model: Blocks only behaviors and traffic defined as unsafe; all others are permitted.

Technical approach
  • Positive security model: Default-deny using allowlists.
  • Negative security model: Default-allow using blocklists.

Security
  • Positive security model: Considered more secure because it prevents unknown threats from passing through.
  • Negative security model: Considered somewhat less secure because unknown threats could pass through.

Ease of use
  • Positive security model: More complex to implement; higher ongoing maintenance effort; more technical.
  • Negative security model: Simpler to implement; requires updates as new threats emerge; less technical.

Pros
  • Positive security model: Strong security; limits attack surfaces; effective against sophisticated and unknown threats.
  • Negative security model: Simpler implementation and maintenance; preconfigured protections; reduces false positives.

Cons
  • Positive security model: Resource-intensive; complex implementation; increased false positives.
  • Negative security model: Vulnerable to unknown and zero-day threats; increased false negatives.

How to choose between positive and negative security models

Either model can deter malware and other malicious activity in the right situation. When looking at positive and negative security models, first examine existing and prior trends in network traffic, user behaviors and security breaches and attacks. Determine which type of security model fits best within those parameters.

Consider a positive security model in the following scenarios:

  • The organization needs strict control over device access, network access and system interactions.
  • The organization uses apps and networks that access highly sensitive data, such as in banking, finance, healthcare and government.
  • Defining and understanding known-good behavior and traffic is the priority.
  • The operating environment and infrastructure have predictable, known and understood users and activities.

In the finance industry, for example, banks use positive security to validate customer transactions. It helps prevent fraud by ensuring only approved customers and transactions are permitted.

Consider a negative security model in the following scenarios:

  • The network environment and infrastructure are fast-moving, requiring more flexibility and adaptability regarding web app access.
  • The organization requires real-time threat detection without limiting factors on legitimate traffic.
  • Known threats and attacks frequently target the environment.
  • The organization can quickly and easily update the rules for identifying and blocking suspicious signatures.

Negative security works well for rapidly evolving apps, resource-constrained organizations and specific security measures -- for example, to identify and block known malware and ransomware variants.

Take a hybrid approach

In most cases, it's not a question of positive security versus negative security but positive security and negative security.

Organizations should consider a hybrid approach to reap the benefits of both models. For example, use a negative security model as an initial prevention method to stop known malicious behaviors and traffic. Add positive security features to strengthen defensive efforts and prevent zero-day threats.
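The following is an added example, not code from the article: a minimal request filter that implements the positive (allowlist, default-deny), negative (blocklist, default-allow) and hybrid models from the comparison above and runs them over constructed sample traffic. The endpoints, parameter patterns and attack signatures are hypothetical and only illustrate the trade-offs in the table (the novel attack slipping past the blocklist, the new feature rejected by the allowlist).

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    params: dict


# Positive model: every approved endpoint and the exact shape of its parameters.
# Anything not listed here is denied (hypothetical banking endpoints, constructed).
ALLOWLIST = {
    ("GET", "/account"): {"id": re.compile(r"\d{1,10}")},
    ("POST", "/transfer"): {"to": re.compile(r"\d{1,10}"),
                            "amount": re.compile(r"\d{1,7}(\.\d{2})?")},
}

# Negative model: signatures of known-bad input. Anything that matches none of
# them is allowed (constructed, illustrative patterns only).
BLOCKLIST = [
    re.compile(r"(?i)<script"),             # classic reflected XSS marker
    re.compile(r"(?i)\bunion\s+select\b"),  # classic SQL injection marker
    re.compile(r"\.\./"),                   # path traversal
]


def positive_allows(req: Request) -> bool:
    """Default-deny: endpoint must be listed and every parameter must match its pattern."""
    spec = ALLOWLIST.get((req.method, req.path))
    if spec is None or req.params.keys() != spec.keys():
        return False
    return all(spec[name].fullmatch(value) is not None for name, value in req.params.items())


def negative_allows(req: Request) -> bool:
    """Default-allow: block only if a known-bad signature appears in the path or a parameter."""
    return not any(sig.search(value) for value in (req.path, *req.params.values())
                   for sig in BLOCKLIST)


def hybrid_allows(req: Request) -> bool:
    """Article's hybrid order: cheap signature check first, then the allowlist decides."""
    return negative_allows(req) and positive_allows(req)


def evaluate(req: Request) -> dict:
    return {"positive": positive_allows(req),
            "negative": negative_allows(req),
            "hybrid": hybrid_allows(req)}


# Constructed sample traffic covering the trade-offs in the comparison table.
SAMPLES = {
    "legitimate":   Request("GET", "/account", {"id": "42"}),
    "known_sqli":   Request("GET", "/account", {"id": "1 UNION SELECT pw FROM users"}),
    "novel_attack": Request("GET", "/account", {"id": "42 OR 1=1"}),  # no signature for it yet
    "new_feature":  Request("GET", "/statements", {"id": "42"}),      # not yet allowlisted
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13s} {evaluate(req)}")
```

Running it shows the blocklist passing the novel payload (a false negative) and the allowlist rejecting the new endpoint until someone updates it (a false positive), which is the maintenance cost the article describes.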

Organizations that adopt a zero-trust security architecture often use a hybrid model. This permits only authorized users to access an app while continuously monitoring for threat actors.

Regardless of the approach, the goal of any AppSec model is to create a strong application security program that reduces malware, ransomware and other threats and vulnerabilities by detecting and mitigating damage before it occurs.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
