
Which is better, white list or black list security, or both?

Tags: security

I am going to be building a web app soon where I will need to have a security model such that different users have access to different parts of the application and/or different sets of data within those specific parts of the app. I am debating between the following two methods of implementing security:

White List: By default users have access to nothing and are granted access to the things they need.

or

Black List: By default users have access to everything and their access is removed from the things that they do not need.

Is there a best-practice on which method is preferred? If there is another method that would better address this problem that would be interesting to know as well.

Thanks.

Wally Lawless asked Feb 02 '09 18:02



2 Answers

From the classic paper "The Protection of Information in Computer Systems" (Saltzer & Schroeder 1975), which describes eight important design principles, one of which is:

Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965,[8] means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.

Liudvikas Bukys answered Sep 21 '22 07:09
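The failure mode quoted above ("some objects will be inadequately considered") can be shown with two policies that encode the same intent, one by permission and one by exclusion. This is an added example, not part of the original answer; the role names, resource names and function names are constructed for illustration.

```python
# Added example: role and resource names below are constructed for illustration.
ALLOW = {  # allowlist: what each role MAY reach; anything absent is denied
    "clerk":   {"invoices"},
    "manager": {"invoices", "reports"},
    "admin":   {"invoices", "reports", "admin_panel"},
}
DENY = {   # denylist written to express the same intent by exclusion
    "clerk":   {"reports", "admin_panel"},
    "manager": {"admin_panel"},
    "admin":   set(),
}

def allowlist_permits(role, resource):
    # Unknown role or unlisted resource -> empty set -> False (fails closed).
    return resource in ALLOW.get(role, set())

def denylist_permits(role, resource):
    # Unknown role or unlisted resource -> not excluded -> True (fails open).
    return resource not in DENY.get(role, set())

def disagreements(roles, resources):
    """Return (role, resource, allowlist_decision, denylist_decision) for
    every pair on which the two models give different answers."""
    out = []
    for role in roles:
        for res in resources:
            a, d = allowlist_permits(role, res), denylist_permits(role, res)
            if a != d:
                out.append((role, res, a, d))
    return out

# Resources that existed when both policies were written: the models agree.
REVIEWED = ["invoices", "reports", "admin_panel"]
# A resource and a role added later without anyone updating either policy.
LATER = REVIEWED + ["payroll_export"]
LATER_ROLES = list(ALLOW) + ["contractor"]

if __name__ == "__main__":
    print(disagreements(ALLOW, REVIEWED))        # no disagreement yet
    for row in disagreements(LATER_ROLES, LATER):
        print(row)                               # every row: denied vs. allowed
```

Every disagreement involves something nobody reviewed, and in each one the allowlist refuses while the denylist grants. The refusal gets reported by the first user who needs the feature; the grant produces no error at all.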


Let us imagine you had a set of a thousand door keys that you need to give someone access to.

Would you rather go through all the keys and try to take out the ones this person absolutely does not need and give them the rest? Or would you rather just give them the keys they absolutely need and deny them the rest?

Which has the greater potential for a mistake?

Flory answered Sep 22 '22 07:09