Positive Security vs Negative Security

Positive Security vs. Negative Security

In terms of security, positive security is the inverse of negative security. Negative security allows all HTTP/S traffic in the absence of traffic that has been identified as hostile. Except for legitimate traffic, positive security rejects all HTTP/S traffic.
Choosing a security model is based on the network and content types you want to protect.
In the network, there are two security models.

What is Positive Security Model?

This model is also referred to as a whitelist model.

  • When using the positive security model, all traffic is denied except for necessary for the network.
  • All of the network's firewalls use this model.
  • When this security model is implemented, zero-day attacks are significantly reduced or eliminated.
  • It generates more false positives than the negative security model because it blocks everything related to an application until you specify it.
  • If an application's change comes or is modified, a new policy must be created to ensure the application continues to function.
  • When it comes to web application security, the positive security model is recommended.

What is the Negative Security Model?

The blacklist model is another name for the negative security model.

  • Everything must be permitted to make a negative security model work while only the network's requirements are denied.
  • This model is used by anti-virus and intrusion prevention systems (IPS/IDS) in the network.
  • Using a negative security model in a network has several advantages, the most important of which is that it can be implemented quickly.
  • When a negative security model is used, false positives do not go up because it allows everything linked to an application while rejecting anything manually specified.
  • Because of the way it behaves, the Negative Security Model is unable to prevent zero-day attacks.
  • Anti-spam and antivirus software should be protected using a negative security model.

Factors to consider when selecting a model: negative security model vs. positive security model

There are many factors to consider to choose which model is best for your business.

  • The number of things
  • Variety of available content
  • changes to the content
Using the positive security model is advised when a website has fewer objects (such as 50 objects) and only visuals and texts.
If, for example, a website has many objects (such as 500 objects) and its content changes frequently, the negative security model should be used.

Pros and Cons: positive security vs. negative security

Positive security model

The positive WAF intends to grant access to specific characters or rules. Adding rules expands access, whereas not having rules by default blocks everything. Because everything that is not explicitly allowed is blocked, this model has the advantage of restricting an attacker's vectors.
For this approach to work, the company adopting it must take extra care and input to avoid blocking legitimate customers due to excessively strict rules.
A few "whitelisting" rounds should clear up any confusion (creating rules for legitimate actions).
You determine what is legitimate; everything else is barred from consideration.
  • Pros: This model offers significantly better security than the negative one.
  • Cons: To avoid blocking legitimate visitors, "Whitelisting" is required.

Negative security model


Most attackers are assumed to be using well-known techniques in this model. Security for clients is as simple as updating their Web Application Firewall to block vulnerabilities and fix new vulnerabilities.
A further advantage of this design is that it reduces the risk of blocking legitimate users by stopping only known illegal activities. Since it relies on the WAF team to stay current with exploits, this model opens the door to un explicitly blocked attacks.
Because new exploits are discovered daily, you may fall victim to one that has not yet reached your WAF administrator, leaving you vulnerable. WAFs based on signatures must be updated constantly. The majority of antivirus software vendors still had not released updates for zero-day exploits. Not a zero-day attack, but a 14-day attack nonetheless.
You get to decide what's accurate and what isn't, and anything else is excellent.
  • Pros: It's usually easier to put into practice.
  • Cons: You're vulnerable to zero-day attacks because your WAF doesn't have signatures for those vectors.

Read more about Positive Security and Negative Security