Blacklisting & Whitelisting

Posted on October 24, 2012. Filed under: SANS Dev 541

Choosing between blacklisting and whitelisting is more of a philosophical problem than a data validation problem.

The advantage of whitelisting is that it is more secure; the disadvantages are the higher cost of writing the code and how easy it is to overdo. To whitelist, you need to know exactly what pattern your data field needs, no more and no less.

The advantage of blacklisting is the lower cost of writing the code; the disadvantage is that it is less secure. In theory, a blacklist can never be secure, because you have to assume you know every possible malicious pattern, both now and in the future.

In practice, the sweet spot is to combine whitelisting and blacklisting. You sort all possible patterns into a few types. For some types, you apply a blacklist and then whitelist everything else; for other types, you apply a whitelist and then blacklist everything else.
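The following is an added example, not code from the original post, showing the per-type combination just described in a small Python input validator. Fields whose legitimate values are fully known (a username, a ZIP code) get a whitelist and fail closed; a field whose legitimate content cannot be enumerated (a free-text comment) gets a blacklist of known-bad fragments and is accepted by default. The field names, regular expressions and sample submission are all constructed for illustration and are not from the post or from SANS Dev 541.

```python
import re

# Added example (not from the original post). Field names, patterns and the
# sample submission are constructed; adjust them to your own application.

# Default-deny fields: accept only a value that matches the exact expected
# pattern, which is what makes the whitelist the more secure choice.
WHITELIST_PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,16}"),  # letters, digits, underscore
    "zip_code": re.compile(r"[0-9]{5}"),            # exactly five digits
}

# Default-allow fields: reject known-bad fragments, accept everything else.
# Matching is case-insensitive so a capitalised variant is not missed; the
# list still only covers the patterns its author thought of, which is the
# structural weakness the post describes.
BLACKLIST_PATTERNS = {
    "comment": [
        re.compile(r"<\s*script", re.IGNORECASE),
        re.compile(r"javascript\s*:", re.IGNORECASE),
    ],
}


def validate_whitelist(pattern, value):
    """True only when the whole value matches the allowed pattern."""
    return pattern.fullmatch(value) is not None


def validate_blacklist(patterns, value):
    """True unless some known-bad pattern occurs anywhere in the value."""
    return not any(p.search(value) for p in patterns)


def validate(field_type, value):
    """Dispatch on field type; non-strings and unknown field types fail closed."""
    if not isinstance(value, str):
        return False
    if field_type in WHITELIST_PATTERNS:
        return validate_whitelist(WHITELIST_PATTERNS[field_type], value)
    if field_type in BLACKLIST_PATTERNS:
        return validate_blacklist(BLACKLIST_PATTERNS[field_type], value)
    return False


def check_all(fields):
    """Validate a {field_type: value} submission; return the names that failed."""
    return [name for name, value in fields.items() if not validate(name, value)]


if __name__ == "__main__":
    # Constructed sample submission.
    sample = {
        "username": "alice_01",
        "zip_code": "1234",               # too short: the whitelist rejects it
        "comment": "Hello <b>world</b>",  # not on the blacklist: accepted by default
    }
    print("rejected fields:", check_all(sample))  # ['zip_code']
```

Note the asymmetry in the two accept paths: the whitelisted fields reject anything not explicitly allowed, including field types the validator has never heard of, while the blacklisted comment field lets through whatever its list does not name. That is the cost-versus-security trade-off of the post in code, and it is why the blacklist belongs only on fields whose legitimate content genuinely cannot be pinned down.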

This video is about firewall blacklisting and whitelisting strategy, but it also applies to web application data validation.
