The logic of whitelisting is inescapable: Instead of trying -- often in vain -- to identify and deny entry to the many bad apples out there, why not simply bar the door to everyone except those who have proven that they deserve admittance? This CNET piece, which quotes a depressing Symantec figure that 65 percent of applications released to the public are malicious, focuses on Bit9, a whitelist vendor. The company's president and CEO predicts that within four years, every PC will have a whitelist, and even security guru Bruce Schneier is quoted (via e-mail) as saying this is a good approach. The story rightly points out that a big challenge will be managing the wide variety of whitelists simultaneously kept within a corporation.
This SC Magazine commentary, begins, as most concerning whitelisting do, by pointing out how dangerous the Internet is. The writer describes viruses that automatically mutate and are distributed in drive-by fashion through malicious Web sites. Whitelisting, which the writer classifies as a form of reputation-based security, is effective but cumbersome and expensive, he says. The closest thing to an Internet cure is a form of whitelisting that is more fluid and feasible for widespread use.
The basic difference between whitelisting and blacklisting is conceptually simple. This Redeff story goes a bit beyond the obvious to make the point that blacklists are passive while whitelists are proactive. Another important difference is that blacklists take control out of the user's hands, since they rely on third-party security firms to create and distribute signatures. Whitelists, on the other hand, essentially are in-house affairs in which all sites that pass muster are put on an approved list kept by the user or IT.
But blacklisting still will play a role. This Computerworld story makes the case for whitelisting, while arguing that blacklisting is anything but dead. Indeed, the writer says many companies selling whitelist software incorporate signature-based techniques characteristic of blacklisting. In the final analysis, the two approaches to security -- and others as well -- will coexist.
Besides the technology involved, it seems silly to think that antivirus companies with significant market share and plenty of money for research and development will simply let upstarts come and take their business away. It is more likely that the two approaches will coalesce -- and there is evidence that this is happening. Roger Grimes, a security analyst and blogger for InfoWorld, offers some ideas on how whitelisting can be more fully incorporated into the existing security landscape in this post.
Whitelisting certainly is not a new concept. The avalanche of viruses and malware, along with the social engineering that make them more dangerous, clearly means it's an idea whose time has come -- again.