Application Security: Blacklisting or Whitelisting?

Posted: December 12th, 2012
Filed under: IIS & HTTP



black list vs white list

Does the Blacklist Approach Work?

Traditionally, IT security is thought of from a threat perspective. It always brings into focus thoughts of protecting the applications, systems and infrastructure from viruses, malware and other threats posed to IT assets. Therefore one is always focused on identifying new threats and making sure they get integrated into the “Blacklist,” an “allow all, except” list that is maintained to protect one’s assets. This is the same principle on which many anti-virus, anti-malware, and other security product providers work. You update the signatures, the blacklist is updated, and you are protected from a certain threat which, by the way, is out there in the open and known to everyone. While we have our thoughts on whether this approach is truly effective in protecting against viruses and malware, our views on application security are very clear. The blacklist approach doesn’t work, especially not today, when the attacks have become very sophisticated.

Update all the blacklists!

The Problem(s) with Blacklists…

For one, we are fast reaching a saturation point for the blacklist approach’s effectiveness, as the volume of blacklists that need to be maintained is large and ever growing. As one Senior IT Manager at one of our clients’ organizations once put it to us, “How much will I filter? There is no end to it.” This is not the first time we have come across this frustration. We recognize this challenge for the drivers of IT in an organization, as their core function is to improve productivity and drive innovation.

And second, because the attack vectors have become complex and the attackers more innovative and skillful in evading detection, the “Blacklist” approach will not work. I personally faced this challenge when we were working on putting together an anti-spam solution in my earlier stint. The sheer number of spam messages meant that some of them would definitely slip through. Unfortunately, the same scenario is now playing out in the application vulnerability space, but with potentially disastrous implications.

So You’re Saying I should Whitelist?

So then what is the answer? Well, take the “Whitelist” approach. With the whitelist approach you structure the application to accept only the legitimate functionality and stop everything else. Some simplistically put it as the diametrical opposite of blacklisting, i.e. the “deny all, except” philosophy. In the past this approach has faced a roadblock because nobody wanted to take the chance of blocking a legitimate transaction. Recognizing this challenge, we are now helping our customers design applications by integrating the whitelist approach. What we do here is sit with the architecture or development team, review the business case for each user input, and then work out different ways of applying a whitelist to these inputs. We believe that this approach works best, as now only legitimate functionality is allowed to execute. What forms does this whitelist approach take? It takes many different forms, such as filtering input characters against an array of allowable characters, or comparing input values against the legitimate values held in the database.
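The two whitelist forms just described, as an added example (not code from the original post): a per-field character-class whitelist, a value-set whitelist standing in for the database comparison, and a small character blacklist shown alongside for contrast. The field names, patterns and the list of legitimate sort columns are constructed assumptions.

```python
import re

# Whitelist form 1: each field states what legitimate input looks like, as an
# anchored character-class pattern. Anything that does not match is rejected.
# (Field names and patterns are constructed for this example.)
FIELD_PATTERNS = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "order_id": re.compile(r"[0-9]{1,10}"),
    "zip_code": re.compile(r"[0-9]{5}"),
}

def allowed_chars(field, value):
    """Accept the value only if the whole string matches the field's pattern.
    fullmatch() is used rather than match()/'$' so a trailing newline or any
    extra character cannot sneak past the end anchor."""
    pattern = FIELD_PATTERNS.get(field)
    if pattern is None:
        return False  # unknown field: deny by default
    return pattern.fullmatch(value) is not None

# Whitelist form 2: compare the input against the legitimate values the
# application already knows. This frozenset is a constructed stand-in for a
# lookup of valid sort columns from the database.
LEGITIMATE_SORT_COLUMNS = frozenset({"name", "created_at", "price"})

def allowed_value(value, legitimate):
    """Accept only an exact member of the known-good set; nothing is 'cleaned'."""
    return value in legitimate

def validate_request(params):
    """Apply a whitelist to every parameter and return the names that failed.
    'sort' is checked by value set, every other field by character class;
    parameters the application never defined fail too (deny all, except)."""
    failed = []
    for name, value in params.items():
        if name == "sort":
            ok = allowed_value(value, LEGITIMATE_SORT_COLUMNS)
        else:
            ok = allowed_chars(name, value)
        if not ok:
            failed.append(name)
    return failed

# For contrast, the 'allow all, except' form: a character blacklist.
# It passes anything not on the list, so every new encoding or variant of a
# bad character means another entry to chase, which is the post's point.
BLACKLISTED_CHARS = frozenset("<>'\"")

def blacklist_passes(value):
    """True when none of the blacklisted characters appear literally."""
    return not any(ch in BLACKLISTED_CHARS for ch in value)
```

Note that the URL-encoded form of an angle bracket contains no literal `<`, so `blacklist_passes("%3Cb%3E")` is True while `allowed_chars("username", "%3Cb%3E")` is False without any update to the whitelist.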

Using the blacklist approach is like chasing your tail. How long can you do it for before you exhaust yourself?


Until next time, stay safe!

– Hiren
