My previous post on whitelisting has generated a lot of comments. Buried in the comment stream, I made this statement:
I look forward to the time (hopefully soon) when an industry consortium or worldwide standards effort brings together legitimate ISVs to create a shareable whitelist for all to use.
Whitelisting is foundational to any information security protection strategy. It is key to one of my areas of research on Application Control. At the application level, the problem I see is that there are multiple, overlapping efforts to build a industry-wide database of “known good” applications.
- Bit9 is an Application Control vendor that has built a significant repository with its Global Software Registry.
- SignaCert is a whitelisting vendor primarily used for configuration and drift management that has built its Global Trust Repository.
- The US government’s National Institute of Standards and Technology has created its National Software Reference Library
- The US National Drug Intelligence center within the US Department of Justice has created HashKeeper to assist in forensics investigations (by enabling investigators to eliminate known good application and system files or to focus quickly on files/content known to be bad)
If anyone knows of more, please add them as a comment. The point is, this is a problem the software industry can help solve. Why do we need multiple, competing efforts to build this database? Why don’t legitimate ISVs get together and agree on a standard so that ISV-level data can be gathered directly from authors and shared as a public service? A standards group like the TCG could help define the application metadata exchange format with broad industry support.
Seems like a no-brainer to me.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.