A positive security model is one that defines what is allowed and rejects everything else. It is in contrast to a negative security model that defines what is disallowed, while implicitly allowing everything else.
Negative security models are the most common protection models. Most web application security solutions rely on a negative security model that uses signatures for specific, previously observed attacks. To avoid false positives, many organizations reduce the coverage of their negative security policies to a narrow set of known attack types, which lowers the quality of protection.
Watch this Radware Minute episode with Radware’s Uri Dorot to learn what a positive security model is, how it differs from a negative security model and why it is critical to use application protection solutions that use both negative and positive security models.
While a well-tuned policy based on negative security protection can provide reasonable protection against known attacks, it still leaves applications exposed to zero-day attacks. Certain OWASP Top 10 vulnerabilities (broken authentication, broken access control and more) cannot be properly addressed by an application protection solution that relies solely on a negative security model.
Protecting applications and APIs against zero-day attacks (previously unseen attacks) requires a positive security model that defines the set of allowed transactions, data types and values, and ensures that only legitimate activity takes place. For example, if a positive security rule defines the allowed value type for a certain parameter as integer only, it will prevent SQL injection through that parameter even if no signature is defined for the attack.
Benefits of Combining Positive Security Model with Negative Security Model
The best security coverage, with minimal impact on legitimate traffic, is when a web application firewall combines a negative security model with a positive security model. Combining the two models allows granular and accurate policy definitions, thereby avoiding false positives and false negatives.
The negative security model protection is based on up-to-date signatures for known vulnerabilities, which provide the most accurate detection and blocking of exploits against known application vulnerabilities. The positive security model is useful in stopping zero-day attacks. Positive security rules and mechanisms allow the definition of value types and value ranges for all client-side inputs, including encoded inputs and values inside structured formats such as XML and JSON. Positive security profiles limit user input to only the level required by the application to function properly, thus blocking zero-day attacks.
Here are two examples that illustrate the benefits of using a positive security model in conjunction with a negative security model for more comprehensive application protection:
XML and JSON
A key element in the parsing of HTTP requests is the processing of XML and JSON inputs to extract the key-value pairs for proper inspection. XML and JSON values are processed by web servers and can be used like any other client input to carry attacks, such as XML injection.
A web application firewall can parse XML and JSON structures, define schema and structure restrictions, and extract key-value pairs for detailed parameter inspection against all signatures and rules defined by the positive and negative security models.
With regard to API traffic, a web application firewall can define the allowed actions while blocking all access attempts to API endpoints or paths that are not listed. API catalogs and the definition of headers, path parameters and query parameters with strong schema validation are all examples of a positive security model. The value of such an approach is a tighter, more effective security policy, including the ability to define a positive security model immediately, without any learning process, to secure the APIs effectively.
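The following is an added example, not Radware's code or part of the original article, showing both points made above in working form: the integer-only parameter rule that rejects an injection-shaped value with no signature for it, and an API catalog that allows listed endpoints and parameters only, with JSON bodies flattened into key-value pairs so nested values get the same inspection as query parameters. The catalog, the two signatures and the request values are all constructed for illustration; a real signature set is far larger, and the point of the two-line one here is only to show what the positive model catches that signatures do not.

```python
from __future__ import annotations
import json
import re
from dataclasses import dataclass, field

# ---- Negative model: a constructed, deliberately tiny signature list ----
NEGATIVE_SIGNATURES = [
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE),  # classic SQL tautology shape
    re.compile(r"<!ENTITY", re.IGNORECASE),                 # XML entity declaration in a value
]

def negative_model_hits(value: str) -> list[str]:
    """Return the signature patterns that match; empty means 'no known attack seen'."""
    return [sig.pattern for sig in NEGATIVE_SIGNATURES if sig.search(value)]

# ---- Positive model: one rule per parameter (type, range, enumeration or charset/length) ----
@dataclass
class ParamRule:
    kind: str                      # "int", "enum" or "str"
    minimum: int | None = None
    maximum: int | None = None
    allowed: set[str] = field(default_factory=set)
    max_len: int = 64

    def accepts(self, value: str) -> bool:
        if self.kind == "int":
            if not re.fullmatch(r"-?\d{1,10}", value):
                return False
            n = int(value)
            return (self.minimum is None or n >= self.minimum) and \
                   (self.maximum is None or n <= self.maximum)
        if self.kind == "enum":
            return value in self.allowed
        # "str": bounded length and a conservative character set
        return len(value) <= self.max_len and re.fullmatch(r"[A-Za-z0-9 _.-]*", value) is not None

# Hypothetical API catalog: (method, path) -> {location: {parameter name: rule}}.
# Anything not listed here is rejected without needing a signature.
API_CATALOG = {
    ("GET", "/api/orders"): {
        "query": {"id": ParamRule("int", minimum=1),
                  "status": ParamRule("enum", allowed={"open", "closed"})},
        "body": {},
    },
    ("POST", "/api/orders"): {
        "query": {},
        "body": {"customer_id": ParamRule("int", minimum=1),
                 "note": ParamRule("str", max_len=40)},
    },
}

def flatten_json(obj, prefix=""):
    """Yield (dotted key, value) pairs so nested JSON leaves are inspected like plain parameters."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten_json(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten_json(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), str(obj)

def inspect_request(method: str, path: str, query: dict, body_text: str):
    """Apply the positive model first, then the signatures. Returns (verdict, reasons)."""
    reasons: list[str] = []
    schema = API_CATALOG.get((method, path))
    if schema is None:
        return "block", [f"endpoint not in catalog: {method} {path}"]
    params = [("query", k, v) for k, v in query.items()]
    if body_text:
        try:
            params += [("body", k, v) for k, v in flatten_json(json.loads(body_text))]
        except ValueError:
            return "block", ["body is not well-formed JSON"]
    for loc, name, value in params:
        rule = schema[loc].get(name)
        if rule is None:
            reasons.append(f"unlisted parameter {loc}.{name}")
        elif not rule.accepts(value):
            reasons.append(f"{loc}.{name} violates positive rule ({rule.kind})")
        for sig in negative_model_hits(value):
            reasons.append(f"{loc}.{name} matched signature {sig}")
    return ("block" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Constructed requests: a clean one, one with a signature hit, one the signatures miss.
    for req in [("GET", "/api/orders", {"id": "42", "status": "open"}, ""),
                ("GET", "/api/orders", {"id": "1 OR 1=1"}, ""),
                ("GET", "/api/orders", {"id": "1'"}, ""),
                ("POST", "/api/orders", {}, '{"customer_id": 7, "note": "ok", "extra": {"x": 1}}')]:
        print(req[:3], "->", inspect_request(*req))
```

The second constructed request is caught twice (the integer rule and a signature), while the third, a non-integer value that matches no signature, is still blocked by the integer rule alone; that is the zero-day argument from the text in miniature. The nested `extra.x` key in the last request shows why bodies are flattened before inspection: an unlisted key inside a JSON object is just as unlisted as an unknown query parameter.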
Benefits of a Positive Security Model and Machine Learning
Most application protection solutions require the rules and policies of either negative or positive security models to be defined manually, which incurs higher operational costs and leads to human errors that may generate false positives.
A web application firewall that automates security policy updates based on behavioral algorithms applies a positive security model that automatically learns patterns of legitimate user activity, builds security policies customized to allow those activities, and blocks any action that deviates from the learned patterns of legitimate behavior.
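To make the learning step concrete, here is an added example (not Radware's algorithm or code, and not part of the original article) that infers a positive rule per parameter from a constructed sample of legitimate requests and then flags any request that deviates from it. The sample traffic, the character classes and the enumeration threshold are all assumptions chosen for illustration; a production learner would work from far more traffic and add tolerance margins.

```python
import re

# Constructed learning sample: parameter name -> values seen in legitimate traffic.
LEARNING_SAMPLE = {
    "page": ["1", "2", "3", "10", "25"],
    "sort": ["asc", "desc", "asc", "asc"],
    "q": ["laptop", "usb cable", "monitor 27", "keyboard"],
}

# Ordered from narrowest to widest; a value is tagged with the first class it fully matches.
CHARACTER_CLASSES = [
    ("digits", re.compile(r"\d+")),
    ("alpha", re.compile(r"[A-Za-z]+")),
    ("alnum_space", re.compile(r"[A-Za-z0-9 ]+")),
]

def classify(value: str) -> str:
    for name, pattern in CHARACTER_CLASSES:
        if pattern.fullmatch(value):
            return name
    return "other"

def learn_profile(sample: dict, enum_threshold: int = 3) -> dict:
    """Infer one positive rule per parameter from the values observed for it."""
    profile = {}
    for name, values in sample.items():
        classes = {classify(v) for v in values}
        distinct = set(values)
        rule = {"max_len": max(len(v) for v in values)}
        if classes == {"digits"}:
            nums = [int(v) for v in values]
            rule.update(kind="int", minimum=min(nums), maximum=max(nums))
        elif len(distinct) <= enum_threshold and len(values) > len(distinct):
            # Few distinct values, some repeated: treat as a fixed set of options.
            rule.update(kind="enum", allowed=distinct)
        else:
            # Free text: remember only the character classes that were actually seen.
            rule.update(kind="charset", classes=classes)
        profile[name] = rule
    return profile

def check_request(profile: dict, params: dict) -> list:
    """Return the deviations of a request from the learned profile; empty list means allowed."""
    deviations = []
    for name, value in params.items():
        rule = profile.get(name)
        if rule is None:
            deviations.append(f"{name}: parameter never seen in legitimate traffic")
            continue
        if len(value) > rule["max_len"]:
            deviations.append(f"{name}: length {len(value)} exceeds learned max {rule['max_len']}")
        if rule["kind"] == "int":
            if not value.isdigit() or not rule["minimum"] <= int(value) <= rule["maximum"]:
                deviations.append(f"{name}: not an integer in learned range")
        elif rule["kind"] == "enum":
            if value not in rule["allowed"]:
                deviations.append(f"{name}: value outside learned set")
        elif classify(value) not in rule["classes"]:
            deviations.append(f"{name}: character class not seen in learning")
    return deviations

if __name__ == "__main__":
    profile = learn_profile(LEARNING_SAMPLE)
    for name, rule in profile.items():
        print(name, rule)
    # Constructed requests: one inside the learned behavior, three outside it.
    for params in [{"page": "7", "sort": "desc", "q": "mouse"},
                   {"page": "30"}, {"q": "mouse'"}, {"debug": "1"}]:
        print(params, "->", check_request(profile, params) or "allow")
```

Two caveats a practitioner would attach to this. First, the learned integer range is exactly the observed one, so a legitimate `page=30` is flagged; that is the false-positive risk the text mentions, and real learners widen ranges and keep learning before enforcing. Second, the profile is only as clean as the traffic it was learned from, so learning should run on traffic already filtered by the negative model, which is another reason the two models belong together.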
Radware’s combination of negative and positive security models provides a complete level of protection against OWASP Top 10 threats and zero-day attacks, which WAFs leveraging negative security models cannot stop as they rely on blocklists of known attack signatures.