Application whitelisting - definition & overview

Application whitelisting (also known as application allowlisting) is a common method used by IT organizations to secure on-premise and cloud-based networks and infrastructure against malicious cyber attacks and unwanted network penetration. To implement application whitelisting, the IT organization may use technologies that are built into the host operating system or leverage the capabilities of a more sophisticated security tool. In either case, the organization creates a list of applications that are given special access to the network.

A large number of big tech players, including Google, Microsoft, and Apple are moving away from whitelisting and blacklisting. In 2019, shortly after Microsoft adopted Google's Chromium browser engine for Edge, a Microsoft contributor raised a bug report to "clean up potentially offensive terms in the codebase."

The terms whitelist and blacklist reinforce racial biases that equate white with 'good, permitted, safe' and black with 'bad, dangerous, forbidden.' Instead, more and more organizations are switching to more inclusive, neutral language - 'allow list' and 'deny' or 'block list' in place of 'whitelist' and 'blacklist.'

Allow and deny/block are much less ambiguous terms that help non-engineer audiences more easily understand their company's security policies. Application whitelisting may be used to grant access to a specific service, or it may be required for the application to run at all. Application whitelisting is most commonly used to permit some applications to run or execute on the network while restricting or blocking others that are not present on the whitelist, or allowlist.

Application whitelisting begins with the process of defining which applications will be permitted to run on the network. Application whitelists are dynamic, not static, meaning that they can change over time and applications can be added or removed as needed. The list may include libraries, configuration files and other executable programs that are allowed to be executed on the network.

IT organizations may take advantage of an application whitelisting feature that is built into the host operating system, or they may purchase or license a third-party software solution with application whitelisting. These solutions may be known as whitelisting programs, application whitelisting technologies, or application control programs. There are also endpoint security software tools like McAfee that offer application whitelisting as a feature.

The core benefit of application whitelisting tools is that they prevent the unauthorized installation or execution of any application that is not specifically authorized for deployment on a particular network endpoint.

There are four basic steps for implementing application whitelisting on your IT infrastructure:

1. Baseline - The first step to application whitelisting is to establish a baseline for what applications will be allowed to run on the network. This can be done by scanning a clean system's storage drives to detect applications and processes that are necessary for the business and distinguishing them from those that could be harmful or that are not seen as necessary.
2. Initial whitelisting - Applications that are known to be safe can be added to the application whitelist.
3. Changes and modifications - If your organization purchases licenses for a new software application, you will need to add the application and its executable files to your white list before you can run it. Applications can be added, removed or modified within the application whitelist at any point.
4. Enforcement - Once the application whitelisting software is active on your network, any application that wants to run will first be compared against the list of approved applications. An application will only be allowed to run if its name appears on the list.

Application whitelisting technologies use different kinds of information to identify whether an application belongs to the list. These can include application file attributes, digital signatures and cryptographic hashes that are used to identify applications that match those in the whitelist.

To effectively block unwanted applications from running on the network while permitting the appropriate ones, application whitelisting technologies must be able to accurately identify whether an application that wants to execute is actually on the whitelist. This is where the real magic of application whitelisting happens.

Imagine a cyber attacker who replicates a common enterprise application but inserts a small piece of malicious code that does something sinister. An application whitelisting tool must be able to distinguish effectively between the version of the application that is permitted and the altered version that is unsafe. There are several mechanisms through which this can take place, so we'll list them below in general order by how effective they are.

File name

Application whitelisting technologies can check the filename attribute to determine whether the program has the same name as an application on the whitelist. The problem with using the file name attribute on its own is that an attacker could easily write a malicious piece of code and name it "Microsoft Windows.exe". Additionally, a permitted application that is infected or otherwise compromised would keep the same file name and might be allowed to run on the network. The filename should be combined with other attributes to help determine whether an application is permitted to run.

File size

Changing the contents of an application, including inserting malicious code into the application, typically changes the file size. Using file size as an indicator of application safety may protect against some unsophisticated attacks, but cyber attackers can still craft malicious files that are the same size as the application they are trying to imitate.

File path

An application whitelisting software can be configured to allow applications from a specific directory or with a certain file path to execute on the network. This method on its own would allow a malicious file to execute if it was placed in the right directory, although network administrators can prevent this by further restricting access to the directory such that only authorized administrators can modify its contents.

Digital signature/publisher

A digital signature uses cryptographic math to verify the authenticity of digital messages, files or applications. A valid digital signature verifies that the file was transmitted from a known and trusted sender and that the application has not been tampered with. Software publishers use digital signatures to enable end-users to verify the authenticity and integrity of their products.

Cryptographic hash

A cryptographic hash is a hash function that returns a fixed string of bytes based on an input message. Cryptographic hashes may also be known as checksums, digital fingerprints or hash values. An application file will generate the same cryptographic hash when applied to the same hash function as long as the application remains unchanged. Organizations can use a hash function to generate a hash value for an application, which can later be used to verify that the application is unchanged and still safe to use.

Application whitelisting can prevent malicious code or unauthorized applications from being executed on your network, but it can also generate false positives, blocking applications that should really be authorized to run. While application whitelisting is a valid means of restricting network access to authorized individuals, IT security teams still need additional tools to effectively monitor cloud computing environments.

Sumo Logic empowers IT security teams with advanced data analytics, helping to streamline their investigations of cyber attacks that are repelled by application whitelisting software. With Sumo Logic, security analysts can investigate how a malicious attacker accessed the network, determine what systems were affected, and take the necessary steps to eliminate security vulnerabilities and restore functionality.