In security architecture discussions you will often come across the terms Negative Security and Positive Security.
But what are they, which one gives better protection, and which one is easier to manage?
If you are familiar with good old antivirus software, you are familiar with AV definitions that need to be updated constantly.
This is a great example of Negative Security: you know what is bad, and you block only the bad stuff. Everything that does not match a known-bad pattern is allowed through.
Pros: it's easy to manage, as someone else does all the hard work of identifying the bad things for you, and the definitions can be updated automatically.
Cons: it provides limited protection, because it can only block what has already been discovered and turned into a signature. Symantec said in May 2014 that antivirus is dead, and a study found that even two weeks after a 0-day vulnerability appeared, the majority of AV vendors still didn't have a signature to block it. (Source: The Register, "Symantec: Antivirus is 'DEAD' – no longer 'a moneymaker'".)
Positive Security is similar to going to a VIP night club for members only. The bouncer has a list of names of those who are invited, and only the people on the list are allowed in.
Everyone else is denied.
Pros: it gives you fine-grained control over what is allowed and what is not. It provides a high level of security, as every request has to match something already known to be legitimate; anything new, including an attack nobody has written a signature for yet, is denied by default.
Cons: in a highly dynamic environment it is really hard for developers to maintain the list of objects, requests, parameters, cookies, fields and variables; it quickly becomes hard to keep track of. The security engineer who then tries to build an application security policy around that application has an even harder time, because every release that adds a parameter the policy doesn't know about is blocked as a false positive until the policy is updated.
So what's best for me?
For a website where there is little change to the application logic and content, a positive security model will provide the highest level of security and will not be too hard to manage once deployed. There is a bit of tuning of rules to learn the application, but after the initial deployment, changes occur only when there is a change to content or application logic.
In a DevOps environment, code is written every day and new logic is pushed into production quickly, often without much regression testing. Good security hygiene is highly recommended there: the developers should work within a strong security framework and be trusted to perform peer reviews collaboratively. In such an environment I'd highly recommend running constant penetration tests with a third-party tool such as Whitehat Security to help identify logic flaws and vulnerabilities. Negative Security will be the easiest for security teams to manage, since manually tuning a positive policy for every release would be time consuming. Virtual Patching can then be layered on top: the output of the penetration tests is used to create WAF policies that specifically block each identified vulnerability until the code itself is fixed. So a hybrid of negative security and positive security with virtual patching will provide a high level of security at a medium level of management effort.
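To make the three models concrete, here is a small request filter that implements the negative model (a signature list, as in the antivirus comparison above), the positive model (the bouncer's guest list of known endpoints and parameters) and the hybrid model with a virtual patch (a single narrow rule derived from a pentest finding, layered on top of the signature list). This is an added example, not code from the original post or from any WAF product; the endpoints, parameter rules, signatures, the "pentest finding" about the page parameter and the sample requests are all constructed for illustration.

```python
"""Toy request filter contrasting the negative, positive and hybrid
(virtual-patch) security models. Added example: not code from the original
post; the endpoints, parameter rules, signatures and sample requests are all
constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    params: dict  # query/form parameters as name -> value


# Negative security: a list of known-bad signatures, like AV definitions.
# Anything that matches no signature is allowed through.
BAD_SIGNATURES = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),  # classic SQL injection
    re.compile(r"(?i)<script\b"),              # reflected XSS
    re.compile(r"\.\./"),                      # path traversal
]


def negative_model(req: Request) -> tuple[bool, str]:
    """Deny only requests containing a known-bad pattern."""
    for name, value in req.params.items():
        for sig in BAD_SIGNATURES:
            if sig.search(value):
                return False, f"signature {sig.pattern!r} matched {name!r}"
    return True, "no signature matched"


# Positive security: the bouncer's guest list. Every endpoint and every
# parameter must be known, and each value must have the expected shape.
ALLOWLIST = {
    "/login": {
        "username": re.compile(r"[a-z0-9_.]{3,32}"),
        "password": re.compile(r".{8,128}"),
    },
    "/search": {
        "q": re.compile(r"[\w ]{1,64}"),
        "page": re.compile(r"\d{1,3}"),
    },
}


def positive_model(req: Request) -> tuple[bool, str]:
    """Allow only requests whose endpoint and parameters are all on the list."""
    schema = ALLOWLIST.get(req.path)
    if schema is None:
        return False, f"unknown endpoint {req.path!r}"
    for name, value in req.params.items():
        pattern = schema.get(name)
        if pattern is None:
            return False, f"unknown parameter {name!r} on {req.path!r}"
        if not pattern.fullmatch(value):
            return False, f"parameter {name!r} has an unexpected shape"
    return True, "every parameter is known and well-formed"


# Virtual patch: one narrow positive rule for one parameter, written from a
# (constructed) pentest finding that /search mishandles a non-numeric page=.
# Everything the finding does not cover stays under the negative model.
VIRTUAL_PATCHES = {
    ("/search", "page"): re.compile(r"\d{1,3}"),
}


def hybrid_model(req: Request) -> tuple[bool, str]:
    """Apply virtual patches first, then fall back to the signature list."""
    for (path, name), pattern in VIRTUAL_PATCHES.items():
        if req.path == path and name in req.params and not pattern.fullmatch(req.params[name]):
            return False, f"virtual patch: {name!r} on {path!r} must be numeric"
    return negative_model(req)


MODELS = {"negative": negative_model, "positive": positive_model, "hybrid": hybrid_model}


def evaluate(req: Request) -> dict[str, bool]:
    """Run all three models; True means the request is allowed."""
    return {name: model(req)[0] for name, model in MODELS.items()}


# Constructed sample traffic, one request per situation the post describes.
SAMPLES = {
    "normal search": Request("/search", {"q": "positive security", "page": "2"}),
    "known sqli": Request("/login", {"username": "admin' UNION SELECT 1--", "password": "hunter2hunter2"}),
    "novel payload": Request("/search", {"q": "shoes", "page": "2 OR 1=1"}),
    "new feature param": Request("/search", {"q": "shoes", "sort": "price"}),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        reasons = {m: model(req)[1] for m, model in MODELS.items()}
        print(f"{label:18} {evaluate(req)}  {reasons}")
```

Running it shows the trade-off in four rows: the known SQL injection is stopped by all three models; the "novel payload" (a pattern no signature covers) walks straight past the negative model but is denied by the positive model and by the virtual patch; and the "new feature param", a parameter a developer added yesterday, is denied by the positive model until someone updates the allowlist, while the negative and hybrid models let it through. That last row is the management cost of the positive model, and the third row is the protection cost of the negative one.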
What is good security hygiene?
Ensuring your developers create secure code from the beginning, rather than bolting security on at the end. It also involves penetration testing all attack surfaces. A penetration test from one organisation may differ widely from another, as it comes down to the logic that is identified and tested by the hacker.
A penetration test typically takes one week of full-time effort per organisation; if there is a complex application, it will take much longer.
In Australia, a penetration test from a reputable organisation costs around USD $12K-$20K. So it's an exercise that should be done frequently, but the cost means that many organisations do it only once a year.