What is a Security Whitelist?

In April 2022 alone, there were 14.3m records breached due to 80 significant security incidents. These incidents make up a complex, shifting landscape of cyberattacks that require increasingly sophisticated defenses. While many of our methods are becoming more complex, some of our mechanisms are timeless, like the security whitelist. Also called an “allow list,” the security whitelist defines the permitted actions and blocks everything else. 

Whitelist vs. Blocklist

Security whitelists operate on a deny by default policy, where anything that hasn’t been expressly allowed will be blocked. This is different from a blocklist, where everything is permitted except for the cases that a user has specified – also known as an allow by default policy. 

Through a security lens, the whitelist offers a greater potential for security. If something is “unknown,” it is denied automatically. New processes, IP addresses, applications, or file patterns are blocked straight away, which removes a huge part of your attack surface. However, it comes at a price.

If you deny everything by default, you need to allow all of the desirable processes. This is fine if you’re working on a system with only a few allowed actions. For example, a system that has a list of permitted users. However, if you’re running a public website, placing a whitelist on all incoming traffic would mean that all users are denied access to your site. A blocklist is helpful here. Allow everyone and block people who break the rules. What you lose in security, you gain in accessibility. This trade-off, part of the C-I-A triad, is a common challenge in information security. Let’s explore how whitelists are used in production environments to secure systems and keep data secure.

Email whitelisting

If you’re using an email provider like Google or Microsoft, you already have a list of all accounts in your organization. Using this information, you can automatically maintain an effective whitelist of authorized senders and block any dangerous 3rd parties. This would catch phishing attacks before they can do any damage. If your whitelist allows anyone from @Coralogix.com and an email comes in from @Cora1ogix, your whitelist will catch that. 

Of course, the challenge is an operational one. Email providers need to be able to process emails from authorized sources, such as from inside an organization, and external sources, like 3rd parties. This is why most email providers operate on a blocklist mechanism, where any emails are processed, suspicious activity is flagged, and the relevant accounts are blocked.

IP whitelisting

IP security whitelists are much more common. There are a few instances where you want to make use of an IP whitelist:

• If you’re hosting a private service with a select group of customers, and you want to prevent network access to anyone outside of that group
• You have private services that are not and will never be customer-facing

IP whitelists are the foundation of a robust, layered security model. They are essential in securing systems that have both public-facing and internal components. However, they can become an operational nightmare if you have public-facing services only. In this instance, a blocklist makes more sense. Blocklists usually take the form of web application firewalls that will analyze traffic as it passes through and immediately detects malicious behavior.

File and application whitelisting

Large organizations will typically set up employee machines with an application whitelist. Application whitelisting means that users are permitted only to use the tools they need for their job, and nothing more. This minimizes the attack surface of malicious code because the whitelist will automatically block it, which is also a great way of avoiding fines for using unlicensed software.

This is an example of perimeter security. Focusing on ensuring new threats don’t enter at the edges of your system. It works, but if your perimeter security is too strict, you’ll prevent legitimate users from getting things done. For example, software engineers use an ever-changing selection of software tools. Without an easy way to approve new applications and permissions, strict whitelisting of applications can cause serious interruptions to legitimate work. 

More than that, in the age of remote working, “bring your own device” has become ubiquitous, with 47% of companies in the UK operating a BYOD approach during the pandemic. It is challenging to whitelist an employee’s personal computer and invites complex ethical and privacy concerns.

A middle ground is implementing a blocklist approach, such as those found in antivirus software. Antivirus software takes fingerprints (known as hashes) of malicious code and regularly scans applications and files on the host computer. If it detects these malicious code patterns, it quarantines the offending application and informs the user. While this is less secure, it does pose less risk of interrupting legitimate work.

Whitelists for input validation

Input validation is standard practice in software engineering. Attacks like the SQL injection and the Log4Shell vulnerability are caused by sufficient input validation. The Log4Shell attack takes a value that would otherwise be harmlessly printed into application logs. It turns it into a remote code execution attack, allowing a successful attacker to run any code. 

Typical approaches to validating input are using a regex check as a filter. For example, if someone sends up a string value that should be an email, a simple bit of regex like this will detect if it is valid or not: \w-]+@([\w-]+\.)+[\w-]+

This creates an effective whitelist because you’re stating upfront what is permitted, and everything else is rejected. This is a non-negotiable step in defending your APIs and front-end applications from exploitation by malicious agents.

Summary

Allow lists offer the ability to maximize your security position, but they naturally come with the operational burden of ensuring that they do not hamper legitimate use of your system. Blocklists are the complete opposite end of the spectrum and allow you to minimize the impact on your users, but the shoe is on the other foot – now you need to keep up with threats on the broader market to ensure your blocklist doesn’t allow malicious traffic. Whichever way you choose, an access control list of this kind is vital for minimizing the risk of an attack that could have crippling consequences for your business.