Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A default-deny security model that permits only explicitly approved apps, files, or connections. Stronger than blacklisting against unknown and zero-day threats.
Whitelisting Definition: A default-deny security model that permits only explicitly approved apps, files, or connections. Stronger than blacklisting against unknown and zero-day threats.
Whitelisting, also called allowlisting, is a security model that denies everything by default and permits only explicitly approved applications, files, processes, or network entities to run or connect. It is the inverse of blacklisting: rather than trying to block known-bad items, it blocks all but the known-good, providing strong protection against unknown and zero-day threats.
It is enforced through application control and software restriction technologies such as Windows AppLocker and Windows Defender Application Control, plus firewall and email rules for network and address allowlists. Approved items are identified by cryptographic hash, digital signature (trusted publisher), or file path, and any item not on the list is prevented from executing. NIST SP 800-167 provides guidance on application whitelisting, and the CIS Controls recommend it for high-risk environments.
For security, whitelisting dramatically shrinks the attack surface because malware, unauthorized tools, and untested code simply cannot run if they are not approved, even if traditional signature-based antivirus has never seen them. This makes it especially valuable for fixed-function and operational-technology systems whose software set rarely changes. The trade-off is operational overhead: the allowlist must be carefully maintained, and a poorly managed change-control process can block legitimate updates or tempt administrators to loosen rules.
For example, a critical-infrastructure operator deploys application whitelisting on its industrial control workstations. Only specifically approved executables can run, verified by hash so a tampered binary is rejected; publisher-based rules allow patches only from trusted vendors; a formal change process governs additions to the list; and monitoring alerts on every blocked execution attempt. When an attacker delivers a novel malware dropper via a phishing email, it fails to execute because it is not on the allowlist, and the blocked-execution alert tips off defenders to the intrusion attempt.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →