
positive security and negative security Cisco

dhikra-marghli8
Level 1

Hello

I want to know what's the difference between positive security and negative security Cisco?

I await a reply from a security expert.

Thanks 


Accepted Solutions

M02@rt37
VIP

Hello @dhikra-marghli8 

The Positive Security Model and the Negative Security Model represent two different approaches to enforcing security policies, and they are often associated with the concepts of whitelisting and blacklisting, respectively.

Positive Security Model (Whitelist Model)

All traffic is denied by default, and only explicitly allowed actions or behaviors are permitted. It operates on the principle of specifying what is allowed and blocking everything else. Commonly used in firewalls and application whitelisting solutions. Network access is restricted to only necessary functions.

Effective against zero-day attacks because any new or unknown activity is automatically blocked. Tends to generate more false positives because it blocks everything until explicitly permitted. And it requires continuous policy updates to accommodate changes in applications.

Recommended for web application security where a precise definition of allowed actions is crucial.

 

Negative Security Model (Blacklist Model)

Everything is permitted by default, and only explicitly prohibited actions or behaviors are blocked. It operates on the principle of specifying what is not allowed and allowing everything else. Commonly used in intrusion prevention systems (IPS/IDS), antivirus, and anti-spam solutions. Network access is generally more open but relies on identifying and blocking known threats. 

Less effective against zero-day attacks because it relies on recognizing and blocking known patterns. Tends to have fewer false positives since it allows everything unless explicitly blocked.

Suitable for quickly implementing security measures, but may be less effective against emerging threats.

--

The positive security model is often considered more robust for certain applications, while the negative security model can provide a quicker and broader level of protection.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
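
The trade-off described in the answer above, as an added example that is not part of the original post: the same four flows are evaluated under a default-deny policy (positive model) and a default-allow policy (negative model). The rule sets, ports and flows are constructed for illustration and are not Cisco configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    label: str        # description of the constructed sample flow
    proto: str
    dst_port: int
    legitimate: bool  # ground truth, used only to score each model

# Positive model: explicit allow rules, everything else is denied.
ALLOW_RULES = {("tcp", 443), ("tcp", 25), ("udp", 53)}
# Negative model: explicit deny signatures, everything else is permitted.
DENY_RULES = {("tcp", 23), ("tcp", 2323)}

def positive_model(flow):
    return "permit" if (flow.proto, flow.dst_port) in ALLOW_RULES else "deny"

def negative_model(flow):
    return "deny" if (flow.proto, flow.dst_port) in DENY_RULES else "permit"

# Constructed sample traffic covering the four cases the answer discusses.
FLOWS = [
    Flow("HTTPS to web server", "tcp", 443, True),
    Flow("Telnet, matches a known signature", "tcp", 23, False),
    Flow("unknown activity, no signature yet", "tcp", 50000, False),
    Flow("new business app, not yet in policy", "tcp", 8443, True),
]

def score(model):
    """Return (false_positives, missed_threats) as lists of flow labels."""
    false_pos = [f.label for f in FLOWS
                 if f.legitimate and model(f) == "deny"]
    missed = [f.label for f in FLOWS
              if not f.legitimate and model(f) == "permit"]
    return false_pos, missed

if __name__ == "__main__":
    for name, model in (("positive", positive_model),
                        ("negative", negative_model)):
        false_pos, missed = score(model)
        print(f"{name}: false positives={false_pos}, missed={missed}")
```

The positive model blocks the unknown activity but also blocks the new application until the policy is updated; the negative model permits the new application but also permits the activity it has no signature for.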
