Managing which applications, websites, IP addresses and email addresses are in use in an organization is a security access control best practice that helps prevent the introduction of malicious code and other threats.
Two methods of application control are application allowlisting and application blocklisting. Each has its own benefits and challenges.
Note: See editor's note below for information on the terms allowlisting and blocklisting versus previously accepted use of whitelisting and blacklisting.
Take a look at the two options to decide if one or both might improve your organization's security posture.
What is application allowlisting?
Application allowlisting is a security control that permits only preapproved applications and processes to run and allows those applications to access only pre-identified files. Allowlists also manage which users and devices have permission to access a given service or application. Entities not on the list do not get access.
What is application blocklisting?
Application blocklisting takes the opposite approach. This security strategy prevents anything known to be malicious from running on endpoints or servers in a network. A blocklist also bans specific devices from gaining access to a service or application. Entities not on the blocklist are allowed access.
Benefits and challenges of application allowlisting
Application allowlisting is more restrictive than blocklisting. An application can be used only if it is explicitly indexed on an allowlist, letting administrators minimize the attack surface.
Creating and maintaining an optimal allowlist can be challenging, however. An overly permissive or simplistic allowlist with insufficient oversight expands the attack surface and introduces undue risk. On the other hand, an excessively strict or faulty allowlist could prevent users from accessing legitimate applications they need to do their jobs, hurting productivity.
Application allowlisting has direct applicability in unique or special-purpose systems where devices are specific in what they do, such as ATMs or smart meters. In this case, allowlisting permits only apps and processes relevant to a device's function to execute.
Application allowlisting has operational benefits beyond threat protection, including the following:
- Application inventory. Identifying unauthorized applications and incorrect versions of approved applications.
- File integrity. Periodically monitoring changes to application files on disk.
- Malware detection. During incident response, scanning for attributes of malicious files, such as hashes, across the entire enterprise.
Application allowlisting is often implemented following NIST Special Publication 800-167, "Guide to Application Whitelisting." The guidance lists five major attributes used to allowlist applications. To maximize the benefits of allowlisting, NIST recommends using two or more of these attributes in conjunction with each other:
- File path. This is the most general attribute; it allows any application within a particular path (directory/folder) to be accessed. Under this attribute, any malicious files in an allowlisted file path would also be permitted. Used by itself, this is not a secure form of allowlisting.
- File name. Any application with a particular naming convention is allowlisted. An executable could be infected, or have its file contents replaced with malware that keeps the same name, making this attribute insufficient by itself.
- File size. An application's file size can be an allowlist attribute. While an attacker could replace a legitimate program with a malicious program of the same size, doing so would involve significant effort. File size is generally used in combination with other attributes.
- Digital signature. A digital signature provides a unique value for an application file that is signed by the publisher and can be verified by the recipient. This verification ensures no modifications were made in transit. Allowlists must be updated when the publisher or key is changed.
- Cryptographic hash. A cryptographic hash provides the most unique, nonduplicable value, derived from an application file's contents. When a file changes, such as when a patch is applied, the hash needs to be recalculated and any older hashes removed from the allowlist.
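The effect of combining attributes can be shown in a few lines. The following Python sketch is an added example, not code from NIST SP 800-167 or from any allowlisting product: it evaluates a file against four of the five attributes (signature verification is omitted) and shows a same-size replacement passing a path, name and size policy but failing once the hash is required. The application name and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    directory: str  # file path attribute
    name: str       # file name attribute
    size: int       # file size attribute
    sha256: str     # cryptographic hash attribute

def attributes(path):
    """Measure the allowlist attributes of the file at `path`."""
    with open(path, "rb") as f:
        data = f.read()
    real = os.path.realpath(path)
    return Entry(os.path.dirname(real), os.path.basename(real),
                 len(data), hashlib.sha256(data).hexdigest())

def is_allowed(path, allowlist, required):
    """True if the file matches one entry on every attribute in `required`."""
    seen = attributes(path)
    return any(all(getattr(seen, a) == getattr(e, a) for a in required)
               for e in allowlist)

WEAK = ("directory", "name", "size")  # no content-derived attribute
STRICT = WEAK + ("sha256",)

def demo():
    """Constructed scenario: approve a file, tamper with it, then patch it."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "meter-agent")  # hypothetical application name
        def write(content):
            with open(app, "wb") as f:
                f.write(content)
        write(b"approved build 1.0\n")
        allowlist = [attributes(app)]
        out["approved"] = is_allowed(app, allowlist, STRICT)
        write(b"tampered build 1.0\n")  # same path, name and size
        out["tampered_weak"] = is_allowed(app, allowlist, WEAK)
        out["tampered_strict"] = is_allowed(app, allowlist, STRICT)
        write(b"approved build 1.1\n")  # legitimate patch changes the hash
        out["patched_before_update"] = is_allowed(app, allowlist, STRICT)
        allowlist = [attributes(app)]  # recalculate; the old hash is dropped
        out["patched_after_update"] = is_allowed(app, allowlist, STRICT)
    return out

if __name__ == "__main__":
    print(demo())
```

The patched build is blocked until the allowlist entry is recalculated, which is the maintenance cost the hash attribute carries.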
Benefits and challenges of application blocklisting
Application blocklisting has been a staple of the cybersecurity arsenal for years. It is a useful tool to protect against known threats. This relatively simple approach to application control is used in antimalware, intrusion prevention and detection systems, and spam and email filtering systems.
A major challenge of blocklisting is that the list of threats to block is constantly growing and evolving. The AV-TEST Institute registers more than 450,000 new malicious programs and potentially unwanted applications every day. As it is difficult to keep up with this ever-growing list of threats, a blocklist is never complete or foolproof. Additionally, a blocklist can't account for unknown threats, leaving the organization vulnerable to zero-day attacks.
Application allowlisting or blocklisting: Which is better?
As with most things cybersecurity, the answer to which is better -- application allowlisting or blocklisting -- is: It depends on an enterprise's specific needs and use cases.
Most organizations find a combination of blocklisting -- to block known malicious applications and files -- and allowlisting -- to selectively allow applications, processes and files -- is the most pragmatic way to deal with the ever-changing security attack landscape.
Editor's note: Whitelisting/blacklisting vs. allowlisting/blocklisting
In light of increasing awareness around diversity, equity and social justice, the media and the tech industry are actively assessing common terminology to adopt more inclusive language.
Whitelisting and blacklisting have been used for decades to describe the two methods of access control now referred to as allowlisting, also sometimes known as passlisting, and blocklisting, also sometimes referred to as disallowlisting or denylisting.
The terms allowlisting and blocklisting not only remove racial and cultural connotations, but also better describe the functionality of the strategies.
TechTarget is responding to readers' concerns, as well as profound cultural changes, when it comes to certain commonly used but potentially linguistically biased terms. In some cases, we are defaulting to industry-standard terminology that may be seen as linguistically biased in instances where we have not found a replacement term. We are actively seeking out and giving preference to terms that properly convey meaning and intent without the potential to perpetuate negative stereotypes.