Blacklisting Meets Whitelisting
November 16, 2007
4:35 PM -- While enumerating the badness of traffic and applications is the typical approach with security tools, coming up with a list of all bad things is difficult. This is exactly why many application developers write code that's exploitable: They try to block what they think is bad, but the better option is to only allow what's good or necessary for the application.
Whitelisting represents the way developers should be coding: Whitelists define what is good and allow only authorized applications to run. And after years of fighting a losing battle against malware, antivirus vendors are looking at whitelisting and other additional methods of protecting endpoints because signatures, heuristics, and behavioral methods aren't foolproof. Whitelisting is far from a new concept, however. (See A-Listing Your Apps.)
Earlier this month, Bit9 and Kaspersky Lab announced a partnership in which Kaspersky will leverage Bit9's knowledge base of applications to provide whitelisting. Kaspersky will include the whitelist feature in the next software release (version 8.0) of its endpoint protection suite -- AV, firewall, host-based IPS, and behavioral detection -- due in the first half of 2008.
If you've never considered whitelisting, it may sound like a great idea at first, until you realize just how many applications exist in the world and how many of them actually live on your users' computers. Imagine that you have a large, geographically diverse environment with mobile and stationary users. How do you go about enumerating all of the applications in use? Existing whitelisting solutions, from companies like Lumension and Bit9, usually have a monitor mode for this process, but it can be an unwieldy task unless you're in a small, tightly controlled environment.
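The monitor-then-enforce workflow described above, sketched as an added example (not code from this article or from any vendor's product). The class and function names, the sample events, and the "seen on at least N hosts" promotion rule are illustrative assumptions; the point is that a short observation window leaves a manual review queue before default-deny can be switched on.

```python
import hashlib
from collections import defaultdict

def digest(binary: bytes) -> str:
    """Identify an executable by content hash, not by name or path."""
    return hashlib.sha256(binary).hexdigest()

class AppAllowlist:  # hypothetical helper, not a real product API
    def __init__(self):
        self.approved = set()         # hashes allowed to run
        self.seen = defaultdict(set)  # hash -> hosts that ran it (inventory)
        self.paths = {}               # hash -> first path observed, for reviewers

    def observe(self, host, path, binary):
        """Monitor mode: record what runs, never block."""
        h = digest(binary)
        self.seen[h].add(host)
        self.paths.setdefault(h, path)

    def promote(self, min_hosts):
        """Approve hashes seen on at least min_hosts hosts (assumed policy);
        return everything else as the manual review queue."""
        queue = []
        for h, hosts in self.seen.items():
            if len(hosts) >= min_hosts:
                self.approved.add(h)
            else:
                queue.append(self.paths[h])
        return sorted(queue)

    def allowed(self, binary):
        """Enforce mode: default deny, only approved hashes run."""
        return digest(binary) in self.approved

# Constructed sample events: (host, path, stand-in bytes for the file contents)
EVENTS = [
    ("lab-01", r"C:\Program Files\Office\winword.exe", b"word-build-1"),
    ("lab-02", r"C:\Program Files\Office\winword.exe", b"word-build-1"),
    ("lab-01", r"C:\Tools\putty.exe", b"putty-0.60"),
    ("laptop-7", r"C:\Users\jo\Downloads\screensaver.exe", b"unknown-blob"),
]

def build():
    al = AppAllowlist()
    for host, path, binary in EVENTS:
        al.observe(host, path, binary)
    return al, al.promote(min_hosts=2)

if __name__ == "__main__":
    al, review = build()
    print("needs review:", review)
    print("winword allowed:", al.allowed(b"word-build-1"))
    print("modified winword allowed:", al.allowed(b"word-build-1-patched"))
```

Because identity is the content hash, a modified file at an approved path is denied, while a legitimate tool seen on only one host (putty.exe here) stays blocked until someone reviews it.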
It will be interesting to see whitelisting integrated into antivirus products from Kaspersky, as well as from Symantec, which calls whitelisting the future of security technology. Adoption by antivirus vendors could dispel concerns that the technology is too cumbersome because of its administrative overhead. And whitelisting could evolve into a mainstream solution to secure hosts from the onslaught of malware and client-side attacks.
If you're considering whitelisting or have already implemented it, I'd like to hear about your experience. Leave us a comment using the link below.
-- John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading