Premium Only Content

Why All AppSec Experts Suck – Part 2: The Reality of WAF & RASP with Boris Chen
In Part 2 of the "Why All AppSec Experts Suck" series, I sit down with **Boris Chen**, co-founder of TCell (acquired by Rapid7), to dissect the state of **defensive AppSec products**—particularly **Web Application Firewalls (WAFs)** and **Runtime Application Self-Protection (RASP)**.
We get into the *real challenges* of building effective defenses, navigating the org politics of deploying agent-based tools, and the **technical trade-offs between coverage and depth**. This one’s packed with insights for AppSec engineers, product managers, and security leaders trying to choose or build the right solutions.
🔍 **What you'll learn in this episode:**
- Why WAFs struggle in modern, complex application environments
- The value and limitations of RASP as an inline defense tool
- How org structure impacts RASP rollout more than tech limitations
- Why full language/framework coverage is impossible—and what to do instead
- Where AppSec needs to go next: better layering, observability, and developer collaboration
---
⏱️ **Chapters:**
1. 00:00 – Intro: Series wrap & expert interviews
2. 01:04 – Guest intro: Boris Chen’s AppSec credentials
3. 02:30 – Behavioral detection & user activity insights
4. 03:45 – Framework-specific threats: Java vs. Ruby, etc.
5. 05:15 – Breadth vs. depth: choosing your AppSec strategy
6. 06:20 – Organizational friction in RASP deployment
7. 07:30 – Microservices = micro headaches for security agents
8. 09:00 – Traditional WAFs and their limitations
9. 10:15 – Parsing issues & bypass vulnerabilities
10. 11:40 – Cloud-based analysis: next-gen WAF potential
11. 13:30 – Legacy WAF use cases vs. modern demands
12. 14:55 – Why RASP gives more surgical control
13. 16:30 – The value of live observability in production
14. 18:00 – Developers as first line of defense + layered security
15. 19:00 – Secure-by-design vs. reactive controls
16. 20:30 – Wrap-up: Defense products still matter—just use them wisely
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
-
LIVE
Mark Kaye
1 hour ago🔴 Schumer BUSTED Celebrating Democrat Shutdown!
955 watching -
1:00:33
Timcast
2 hours agoTrump To Declare Antifa FOREIGN Terrorist Org, Antifa Leaders FLEE Country
120K46 -
2:41:53
MattMorseTV
3 hours ago $4.58 earned🔴Trump's Cabinet Meeting BOMBSHELL.🔴
40.7K27 -
DVR
Neil McCoy-Ward
1 hour ago🔥 SHOCK! What She Just DECLARED Over The 🇺🇸 USA & Trump!
5.17K2 -
LIVE
Rebel News
56 minutes agoLive from ostrich farm, Trump lists Antifa as terrorists, Poilievre calls out Carney | Rebel Roundup
338 watching -
1:23:28
The White House
3 hours agoPresident Trump Hosts a Cabinet Meeting, Oct. 9, 2025
3.71K8 -
LIVE
TheAlecLaceShow
1 hour agoTrump Makes Peace With Israel & Hamas | RIP Antifa | Guest: Shane Winnings | The Alec Lace Show
29 watching -
1:00:36
The Rubin Report
3 hours agoWatch the Exact Moment Donald Trump Knew He Pulled Off Impossible Israel-Hamas Peace Deal
36K22 -
LIVE
The Shannon Joy Show
3 hours agoAI Mega Bubble - $1 Trillion Tech Scheme Raises Red Flags - LIVE W/ Rocket Dollar CEO Henry Yoshida
194 watching -
1:33:41
Dinesh D'Souza
13 hours agoDragon's Prophecy Film
39.4K14