application blacklisting (application blocklisting)

What is application blacklisting (application blocklisting)?

Application blacklisting -- increasingly called application blocklisting -- is a network or computer administration practice used to prevent the execution of undesirable software programs. Such programs include those known to contain security threats or vulnerabilities and those deemed inappropriate in a given organization or a group inside that organization.

Application blacklisting is sometimes referred to as just blacklisting (or blocklisting). However, this usage often leads to confusion because the term can just as easily apply to other types of blacklisting, such as URLs, countries, network domains or individual users.

Blacklisting, a method used by most antivirus programs, intrusion prevention/detection systems and spam filters, works by maintaining a list of applications that are to be denied system access and preventing them from installing or running.

[Figure: a chart listing nine types of malware. A virus is just one of the many types of malware that antivirus software is designed to prevent, detect, search and remove.]

Application blacklisting became and remained a popular protection strategy because it is generally straightforward to implement and maintain. However, because the number, variety and complexity of threats are constantly increasing, a blacklist can never protect against all threats, especially zero-day threats that are unknown. Even so, blacklisting can still protect against known threats while providing users with flexibility to run different applications when they need them. Blacklisting is also a valuable tool for preventing workers on managed devices from downloading and running applications that might impact productivity, such as games or social networking applications.

What is whitelisting vs blacklisting?

The opposite approach to application blacklisting is application whitelisting (application allowlisting). With this tactic, administrators maintain a list of authorized applications permitted on the network or managed devices. When a user or service tries to install or execute an application, it is automatically checked against the list. If it's not on the list, it is not permitted to run.

Whitelisting is generally believed to be a more effective solution than blacklisting for protecting the network and managed devices from cyberthreats. However, some security experts argue that although whitelisting is a more effective solution, it is not always practical because of the administrative resources required to create and maintain an effective whitelist. In addition, the whitelisting approach can be somewhat restrictive when trying to accommodate changing business requirements and priorities.

Other experts, however, insist that the blacklisting approach is too error-prone to be an effective strategy. Among them is independent consultant and IANS faculty member Marcus Ranum, former CSO of Tenable Network Security.

"For a number of years -- about twenty -- I've been saying that 'default permit' security is stupid," he said. "Basically, you're adopting the approach that 'everything is allowed' and then trying to identify the things that are known to be dangerous in order to block them. We've seen this approach used in virtually every area of computer security, and it has been a failure every time."

Despite the limitations of blacklisting and whitelisting, many organizations implement both strategies, taking the blacklisting approach in situations where they need more flexibility and opting for the whitelisting approach when they must lock down a particular environment, such as a kiosk or desktop used for highly sensitive work. In this way, they have the flexibility to adjust their protection strategy to meet the needs of specific situations while accommodating changing circumstances and business requirements.
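
The difference between the two approaches, and the mixed deployment described above, can be seen in a short Python sketch. This is an added example, not TechTarget's or any vendor's code; the environment names, the SHA-256 matching and the sample "programs" are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Policy:
    mode: str                                   # "blocklist" or "allowlist"
    hashes: set = field(default_factory=set)    # SHA-256 digests on the list

    def decide(self, program: bytes) -> tuple:
        listed = sha256(program) in self.hashes
        if self.mode == "blocklist":            # default permit
            return ("deny", "on blocklist") if listed else ("allow", "default permit")
        if self.mode == "allowlist":            # default deny
            return ("allow", "on allowlist") if listed else ("deny", "default deny")
        raise ValueError(f"unknown mode: {self.mode}")

# Constructed stand-ins for program files (not real binaries).
KNOWN_BAD = b"constructed sample: known unwanted program"
APPROVED = b"constructed sample: approved business application"
UNKNOWN = b"constructed sample: program nobody has catalogued yet"

# Hypothetical environments: flexible desktops use a blocklist,
# a locked-down kiosk uses an allowlist.
POLICIES = {
    "general-desktop": Policy("blocklist", {sha256(KNOWN_BAD)}),
    "kiosk": Policy("allowlist", {sha256(APPROVED)}),
}

def evaluate(environment: str, program: bytes) -> tuple:
    policy = POLICIES.get(environment)
    if policy is None:
        # Assumed design choice for this sketch: fail closed.
        return ("deny", "no policy for environment")
    return policy.decide(program)

def decision_table() -> dict:
    samples = {"known_bad": KNOWN_BAD, "approved": APPROVED, "unknown": UNKNOWN}
    return {(env, name): evaluate(env, data)[0]
            for env in POLICIES for name, data in samples.items()}

if __name__ == "__main__":
    for (env, name), verdict in decision_table().items():
        print(f"{env:16} {name:10} {verdict}")
```

The only row that differs between the two environments is the uncatalogued program: the blocklist lets it run, the allowlist does not.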

Whitelisting/blacklisting vs. allowlisting/blocklisting

Awareness around diversity, equity and social justice has led the media and the tech industry to reassess common terminology, adopting more inclusive language. In the case of whitelisting/blacklisting, this has led to using allowlisting (sometimes referred to as passlisting) in place of whitelisting and blocklisting (sometimes known as disallowlisting or denylisting) in place of blacklisting. These terms remove racial and cultural connotations while better describing the purpose of these practices and strategies.

TechTarget is responding to readers' concerns, as well as profound cultural changes, when it comes to certain commonly used but potentially linguistically biased terms. In some cases, we are defaulting to industry-standard terminology that may be seen as linguistically biased in instances where we have not found a replacement term. We are actively seeking out and giving preference to terms that properly convey meaning and intent without the potential to perpetuate negative stereotypes.


This was last updated in May 2023
