What Is A Positive Security Model?

A positive security model is one that defines what is allowed and rejects everything else. It is in contrast to a negative security model that defines what is disallowed, while implicitly allowing everything else.

Negative security models are the most common protection models. Most web application security solutions leverage a negative security model that utilizes signatures for specific and previously experienced attacks. To avoid false positives, many organizations tend to reduce the coverage of their negative security policies, focusing on known attack types and thereby resulting in a low protection quality.

What is a Positive Security Model

Watch this Radware Minute episode with Radware’s Uri Dorot to learn what a positive security model is, how it differs from a negative security model and why it is critical to use application protection solutions that use both negative and positive security models.

While a well-tuned policy, based on a negative security protection, can provide reasonable protection against known attacks, it still leaves applications exposed to zero-day attacks. Certain OWASP Top 10 vulnerabilities (broken authentication, broken access control and more) cannot be properly addressed with an application solution that relies solely on a negative security model.

Protecting applications and APIs against zero-day attacks (previously unseen attacks) requires a positive security model that defines the set of transactions allowed, data types and values, and ensures that only a legitimate activity is taking place. For example, if a positive security rule defines the value type allowed for a certain parameter as integer only, it will prevent SQL injection attacks even if no signature is defined for that attack.

Benefits of Combining Positive Security Model with Negative Security Model

The best security coverage, with minimal impact on legitimate traffic, is when a web application firewall combines a negative security model with a positive security model. Combining the two models allows granular and accurate policy definitions, thereby avoiding false positives and false negatives.

The negative security model protection is based on up-to-date signatures against known vulnerabilities that provide the most accurate detection, and blocking technology of application vulnerability exploits. The positive security model is useful in stopping zero-day attacks. The positive security rules and mechanisms allow definition of the value types and value ranges for all client side inputs, included encoded inputs and within structured formats as XMLs and JSONs. The positive security profiles limit the user input, to only the level required by the application to function properly, thus blocking zero-day attacks.

Here are two examples that exemplify the benefits of leveraging a positive security model in conjunction with a negative security model for more comprehensive application protection:


A key element in the parsing of HTTP requests is the processing of XML and JSON inputs to extract the key values pairs for proper inspection. XML and JSON key values are processed by web servers and can be used like any other client input to generate various attacks, such as XML Injection attack.

A web application firewall can parse XML and JSON structures, define the schema and structure of restrictions, and extract key value pairs for detailed parameter inspection via all signatures and rules defined by a positive and negative security model.

API Security

With regards to API traffic, a web application firewall can define the actions allowed, while blocking all access attempts to non-listed API end points or paths. API catalogs, definition of headers, path parameters, and query parameters with a strong schema validation, are all great examples of a positive security model. The value of such an approach is a tighter, more-effective security policy, including the ability to define a positive security model immediately, and without any learning process to effectively secure the APIs.

Benefits of A Positive Security Model and Machine Learning

Most application protection solutions require rules and policies associated with either negative or positive security models to be defined manually, incurring higher operational costs and leading to human errors that may generate false positives.

A web application firewall that automates security policy updates, based on behavioral-based algorithms, implies a positive security model that can automatically learn patterns of legitimate user activities, automatically build security policies customized to allow such activities, and block any action that deviates from these patterns of legitimate behavior.

Radware’s combination of negative and positive security models provides a complete level of protection against OWASP Top 10 threats and zero-day attacks, which WAFs leveraging negative security models cannot stop as they rely on blocklists of known attack signatures.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center