Premium Only Content
 
			Why All AppSec Experts Suck – Part 2: The Reality of WAF & RASP with Boris Chen
In Part 2 of the "Why All AppSec Experts Suck" series, I sit down with **Boris Chen**, co-founder of TCell (acquired by Rapid7), to dissect the state of **defensive AppSec products**—particularly **Web Application Firewalls (WAFs)** and **Runtime Application Self-Protection (RASP)**.
We get into the *real challenges* of building effective defenses, navigating the org politics of deploying agent-based tools, and the **technical trade-offs between coverage and depth**. This one’s packed with insights for AppSec engineers, product managers, and security leaders trying to choose or build the right solutions.
🔍 **What you'll learn in this episode:**
- Why WAFs struggle in modern, complex application environments
- The value and limitations of RASP as an inline defense tool
- How org structure impacts RASP rollout more than tech limitations
- Why full language/framework coverage is impossible—and what to do instead
- Where AppSec needs to go next: better layering, observability, and developer collaboration
---
⏱️ **Chapters:**
1. 00:00 – Intro: Series wrap & expert interviews
2. 01:04 – Guest intro: Boris Chen’s AppSec credentials
3. 02:30 – Behavioral detection & user activity insights
4. 03:45 – Framework-specific threats: Java vs. Ruby, etc.
5. 05:15 – Breadth vs. depth: choosing your AppSec strategy
6. 06:20 – Organizational friction in RASP deployment
7. 07:30 – Microservices = micro headaches for security agents
8. 09:00 – Traditional WAFs and their limitations
9. 10:15 – Parsing issues & bypass vulnerabilities
10. 11:40 – Cloud-based analysis: next-gen WAF potential
11. 13:30 – Legacy WAF use cases vs. modern demands
12. 14:55 – Why RASP gives more surgical control
13. 16:30 – The value of live observability in production
14. 18:00 – Developers as first line of defense + layered security
15. 19:00 – Secure-by-design vs. reactive controls
16. 20:30 – Wrap-up: Defense products still matter—just use them wisely
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
- 	
				 54:36 54:36MattMorseTV4 hours ago $24.06 earned🔴The Democrats just SEALED their FATE.🔴41.3K67
- 	
				 8:07:01 8:07:01Dr Disrespect12 hours ago🔴LIVE - DR DISRESPECT - ARC RAIDERS - SOLO RAIDING THE GALAXY119K12
- 	
				 1:32:00 1:32:00Kim Iversen7 hours agoThe World’s Most “Moral” Army — Kills 40 Kids During "Ceasefire" | Socialism's Coming: The Zohran Mamdani Agenda96.8K170
- 	
				 1:04:50 1:04:50TheCrucible6 hours agoThe Extravaganza! EP: 63 with Guest Co-Host: Rob Noerr (10/30/25)82.8K7
- 	
				 LIVE LIVEGritsGG5 hours agoQuads! #1 Most Wins 3880+!97 watching
- 	
				 2:51:31 2:51:31Spartan6 hours agoFirst playthrough of First Berserker Khazan24.5K1
- 	
				 5:48:29 5:48:29The Rabble Wrangler20 hours agoBattlefield 6 - RedSec with The Best in the West26.4K1
- 	
				 37:53 37:53Donald Trump Jr.7 hours agoAmerican Dominance vs Dems' Delusion | TRIGGERED Ep.28744.6K65
- 	
				 1:14:57 1:14:57The White House9 hours agoPresident Trump and the First Lady Participate in Halloween at The White House39.7K28
- 	
				 1:05:02 1:05:02Candace Show Podcast6 hours agoBREAKING NEWS! The Egyptian Military Was In Provo On 9/10. | Candace Ep 25576.8K227