Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs. Such programs include not only those known to contain security threats or vulnerabilities but also those that are deemed inappropriate within a given organization. Blacklisting is the method used by most antivirus programs, intrusion prevention/detection systems and spam filters.
Blacklisting works by maintaining a list of applications that are to be denied system access and preventing them from installing or running. However, because the number, variety and complexity of threats are constantly increasing, a blacklist can never be comprehensive, which limits its effectiveness.
The opposite approach to blacklisting is application whitelisting. In the whitelisting approach, a simple list of authorized applications is maintained. When an application tries to execute, it is automatically checked against the list. If it’s not on the list, it is not permitted to run.
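The two execution-control models described above, written out as an added example (not code from the original article): both policies match on the SHA-256 of a program's contents rather than its file name, and the program names and byte contents are constructed stand-ins, not real binaries.

```python
from __future__ import annotations
import hashlib

def digest(data: bytes) -> str:
    """SHA-256 of the program's bytes; matching on content rather than on
    file name, since a name is trivially changed while the bytes are not."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample programs (name -> stand-in contents, not real binaries).
KNOWN_GOOD = {"editor.exe": b"editor v1", "browser.exe": b"browser v7"}
KNOWN_BAD = {"keylogger.exe": b"malware family A"}
# A sample no list has ever seen: the case the text says a blacklist cannot cover.
NEW_UNKNOWN = {"invoice.exe": b"malware family B, first sighting"}

class Blacklist:
    """Default permit: run anything whose hash is not on the deny list."""
    def __init__(self, bad: dict[str, bytes]):
        self.denied = {digest(b) for b in bad.values()}

    def allows(self, data: bytes) -> bool:
        return digest(data) not in self.denied

class Whitelist:
    """Default deny: run only what an administrator has explicitly approved."""
    def __init__(self, good: dict[str, bytes]):
        self.approved = {digest(b) for b in good.values()}

    def allows(self, data: bytes) -> bool:
        return digest(data) in self.approved

def decide(policy, programs: dict[str, bytes]) -> dict[str, bool]:
    """Map each program name to whether the policy lets it execute."""
    return {name: policy.allows(data) for name, data in programs.items()}

def blacklist_gap(programs: dict[str, bytes]) -> list[str]:
    """Programs the blacklist lets run but the whitelist would block: the
    coverage gap that grows every time a new, unlisted threat appears."""
    bl = decide(Blacklist(KNOWN_BAD), programs)
    wl = decide(Whitelist(KNOWN_GOOD), programs)
    return sorted(n for n in programs if bl[n] and not wl[n])

if __name__ == "__main__":
    everything = {**KNOWN_GOOD, **KNOWN_BAD, **NEW_UNKNOWN}
    print("blacklist:", decide(Blacklist(KNOWN_BAD), everything))
    print("whitelist:", decide(Whitelist(KNOWN_GOOD), everything))
    print("runs under blacklist only:", blacklist_gap(everything))
```

The unlisted `invoice.exe` is the only program the two policies disagree on: the deny list passes it because nobody has catalogued it yet, while the allow list blocks it because nobody has approved it.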
Some security experts argue that, although whitelisting is a more thorough solution to the problem, it is not practical because of the administrative resources required to create and maintain an effective whitelist. Other experts, however, insist that the blacklisting approach is simply too error-prone to be acceptable.
Marcus Ranum, CSO of Tenable Network Security, explains the folly of blacklisting:
“For a number of years - about twenty - I've been saying that ‘default permit’ security is stupid. Basically, you're adopting the approach that ‘everything is allowed’ and then trying to identify the things that are known to be dangerous, in order to block them. We've seen this approach used in virtually every area of computer security, and it has been a failure every time.”