DanOnDev
168 subscribers
211 views · 4 likes · 2023/06/27
In Part 2 of the "Why All AppSec Experts Suck" series, I sit down with **Boris Chen**, co-founder of TCell (acquired by Rapid7), to dissect the state of **defensive AppSec products**—particularly **Web Application Firewalls (WAFs)** and **Runtime Application Self-Protection (RASP)**.
We get into the real challenges of building effective defenses, navigating the org politics of deploying agent-based tools, and the **technical trade-offs between coverage and depth**. This one’s packed with insights for AppSec engineers, product managers, and security leaders trying to choose or build the right solutions.
🔍 **What you'll learn in this episode:**
Why WAFs struggle in modern, complex application environments
The value and limitations of RASP as an inline defense tool
How org structure impacts RASP rollout more than tech limitations
Why full language/framework coverage is impossible—and what to do instead
Where AppSec needs to go next: better layering, observability, and developer collaboration
---
⏱️ **Chapters:**
1. 00:00 – Intro: Series wrap & expert interviews
2. 01:04 – Guest intro: Boris Chen’s AppSec credentials
3. 02:30 – Behavioral detection & user activity insights
4. 03:45 – Framework-specific threats: Java vs. Ruby, etc.
5. 05:15 – Breadth vs. depth: choosing your AppSec strategy
6. 06:20 – Organizational friction in RASP deployment
7. 07:30 – Microservices = micro headaches for security agents
8. 09:00 – Traditional WAFs and their limitations
9. 10:15 – Parsing issues & bypass vulnerabilities
10. 11:40 – Cloud-based analysis: next-gen WAF potential
11. 13:30 – Legacy WAF use cases vs. modern demands
12. 14:55 – Why RASP gives more surgical control
13. 16:30 – The value of live observability in production
14. 18:00 – Developers as first line of defense + layered security
15. 19:00 – Secure-by-design vs. reactive controls
16. 20:30 – Wrap-up: Defense products still matter—just use them wisely
---
📚 **This episode is part of a comprehensive series**, where we cover each category of AppSec products:
SAST: Static Application Security Testing
DAST: Dynamic Application Security Testing
IAST: Interactive Application Security Testing
SCA: Software Composition Analysis
WAF: Web Application Firewall
RASP: Runtime Application Self-Protection (Next-Gen WAF)
Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
AppSec Product Comparison Series: Why All AppSec Products Suck
---
🌐 **Explore More**
Website: danondev.com/
Twitter: @Dan_On_Dev
Instagram: @dan_on_dev
Facebook: @dano