Why All AppSec Experts Suck – Part 2: The Reality of WAF & RASP with Boris Chen
In Part 2 of the "Why All AppSec Experts Suck" series, I sit down with **Boris Chen**, co-founder of TCell (acquired by Rapid7), to dissect the state of **defensive AppSec products**—particularly **Web Application Firewalls (WAFs)** and **Runtime Application Self-Protection (RASP)**.
We get into the *real challenges* of building effective defenses, navigating the org politics of deploying agent-based tools, and the **technical trade-offs between coverage and depth**. This one’s packed with insights for AppSec engineers, product managers, and security leaders trying to choose or build the right solutions.
🔍 **What you'll learn in this episode:**
- Why WAFs struggle in modern, complex application environments
- The value and limitations of RASP as an inline defense tool
- How org structure impacts RASP rollout more than tech limitations
- Why full language/framework coverage is impossible—and what to do instead
- Where AppSec needs to go next: better layering, observability, and developer collaboration
---
⏱️ **Chapters:**
1. 00:00 – Intro: Series wrap & expert interviews
2. 01:04 – Guest intro: Boris Chen’s AppSec credentials
3. 02:30 – Behavioral detection & user activity insights
4. 03:45 – Framework-specific threats: Java vs. Ruby, etc.
5. 05:15 – Breadth vs. depth: choosing your AppSec strategy
6. 06:20 – Organizational friction in RASP deployment
7. 07:30 – Microservices = micro headaches for security agents
8. 09:00 – Traditional WAFs and their limitations
9. 10:15 – Parsing issues & bypass vulnerabilities
10. 11:40 – Cloud-based analysis: next-gen WAF potential
11. 13:30 – Legacy WAF use cases vs. modern demands
12. 14:55 – Why RASP gives more surgical control
13. 16:30 – The value of live observability in production
14. 18:00 – Developers as first line of defense + layered security
15. 19:00 – Secure-by-design vs. reactive controls
16. 20:30 – Wrap-up: Defense products still matter—just use them wisely
---
📚 **This episode is part of a comprehensive series**, where we cover each category of AppSec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev