Whitelists are No Security Cure-all

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Last week, I described various problems being encountered by the traditional antivirus industry. The genesis of the post was a story at ZDNet that said the firm n.runs AG found more than 800 vulnerabilities in AV software. As the saying goes, with friends like these...


I cited comments from Brian Krebs of Bit9, a whitelist vendor. Whitelisting is not a new concept, but it is getting renewed attention as companies tire of assessing the safety of every piece executable code that comes their way. The idea behind whitelisting is simple. If code is deemed safe, it is put on an approved list and allowed to execute. If it is not approved, the software in some way controls what happens.


Dark Reading reports on use of whitelisting by the First National Bank of Bosque County, which serves the Waco, Texas, area. The small business was spending too much time running anti-virus checks, which were so voluminous that they were taking more than a half-hour. The company eventually settled on Sanctuary Lumension Security Device and Application Control.


It seems like an elegant approach. But, perhaps, it isn't as easy as it sounds. This interesting piece looks at what best could be called the geopolitics of whitelisting. Whitelists are huge -- Bit9's lists cumulatively contain more than 6 billion entries. There will be tremendous hurdles to extending this approach across the Internet: Will each security vendor keep its own list or there be one centralized repository? If the latter is the case, how will it be maintained and administered? The questions are general at this point, but point to the difficulty of taking a good idea from the drawing board or limited use into real life.


This post, which was written in reaction to the PC World piece, looks at the downside of whitelisting. One issue is philosophic. The switch to whitelisting suggests that security software vendors are assuming that developers are guilty until they are proven innocent. That, he says, is not fair. A more practical problem is that there are no guarantees that an updated version of a whitelisted program doesn't carry malware.


Indeed, not everyone thinks whitelisting is the answer. This long and increasingly technical Fast Horizon post looks at the phenomenon. The writer says that whitelisting seems like a good idea, except for one problem: It doesn't work. Much of the code, he says, doesn't get examined and easily could contain malware that will only become apparent when it runs.


While he says that whitelisting is a step in the right direction, the ultimate solution is systems that don't assess individual pieces of code. Instead, they assess the behavior of the program for telltale signs of undesirable activity.