Allowlisting vs. blocklisting: Benefits and challenges

What is application allowlisting?

Application allowlisting is a security control that only allows preapproved applications and processes to run and allows only pre-identified files to be accessed by those applications. Allowlists also confirm who and which devices can access a service or application. Entities not on the list are not given access.

What is application blocklisting?

Application blocklisting takes the opposite approach. In this security strategy, everything known to be malicious is not authorized to run on endpoints or servers in a network. A blocklist also confirms who and what devices are not allowed to access a service or application. Entities not on the blocklist are allowed access.

Benefits and challenges of application allowlisting

Application allowlisting is more restrictive than blocklisting. Unless the application is explicitly indexed on an allowlist, it cannot be used.

Application allowlisting has direct applicability in unique or special-purpose systems where devices are specific in what they do, such as ATMs or smart meters. Allowlisting permits only apps and processes relevant to the device's function to execute.

Application allowlisting is often implemented following NIST Special Publication 800-167, "Guide to Application Whitelisting." The guidance lists five major attributes used to allowlist applications:

1. File path. This is the most general attribute that allows any application within a particular path (directory/folder) to be accessed. Under this attribute, any malicious files in an allowlisted file path would also be permitted. Used by itself, this is not a secure form of allowlisting.
2. File name. Any application with a particular naming convention would be allowlisted. Any executable could be infected or have its file contents replaced with malware with the same name, making this attribute insufficient by itself.
3. File size. An application's file size can be an allowlist attribute. While a malicious program replacing a legitimate program could still be the same size, it involves more effort on the attacker's part than the first two attributes. File size is generally used in combination with other attributes.
4. Digital signature. A digital signature provides a unique value for an application file that is signed by the publisher and can be verified by the recipient. This verification ensures no modifications were made in transit. Allowlists must be updated when the publisher or key is changed.
5. Cryptographic hash. A cryptographic hash enables the most unique, nonduplicable value derived from an application file's contents. When a file changes, such as when a patch is applied, for example, the hash would need to be recalculated, with any older hashes removed from the allowlist.

NIST recommends using two or more of these attributes in conjunction with each other to make allowlisting more effective.

Application allowlisting has operational benefits beyond threat protection, including the following:

• application inventory to identify unauthorized applications and incorrect versions of approved applications;
• file integrity for periodic monitoring of changes to application files on disk;
• in incident response, used to scan for attributes of malicious files, such as hashes, across the entire enterprise.

Benefits and challenges of application blocklisting

Application blocklisting has been a staple of the cybersecurity arsenal for years. It is a useful tool to protect against known threats. This relatively simple approach to application control is used in antimalware, intrusion prevention and detection systems, and spam and email filtering systems.

A major challenge of blocklisting is that the list of threats to block is constantly growing and evolving. The AV-TEST Institute registers more than 450,000 new malicious programs and potentially unwanted applications every day. Keeping up with this ever-growing list of threats is never complete or foolproof.

Application allowlisting or blocklisting: Which is better?

As with most things cybersecurity, the answer to which is better -- application allowlisting or blocklisting -- is: It depends.

Most organizations find that a combination of blocklisting -- to block known malicious applications and files -- and allowlisting -- to selectively allow applications, processes and files -- is the most pragmatic approach to deal with the ever-changing security attack landscape.

Editor's note: Whitelisting/blacklisting vs. allowlisting/blocklisting

In light of increasing awareness around diversity, equity and social justice, the media and the tech industry are actively assessing common terminology to adopt more inclusive language.

Whitelisting and blacklisting have been used for decades to describe the two methods of access control now referred to as allowlisting, also sometimes known as passlisting, and blocklisting, also sometimes referred to as disallowlisting or denylisting.

The terms allowlisting and blocklisting not only remove racial and cultural connotations, but also better describe the functionality of the strategies.

TechTarget is responding to readers' concerns, as well as profound cultural changes, when it comes to certain commonly used but potentially linguistically biased terms. In some cases, we are defaulting to industry-standard terminology that may be seen as linguistically biased in instances where we have not found a replacement term. We are actively seeking out and giving preference to terms that properly convey meaning and intent without the potential to perpetuate negative stereotypes.