Let me summarize my security no-brainers to date:
The second was in reference to the use of whitelisting in the hypervisor/VMM (especially the “parent” or Dom0 partition) layer to prevent the execution of unauthorized code in this security-sensitive layer.
As I continue to research application control / application whitelisting technologies, one of the ways to help with the automation and update of the whitelist of allowed applications a user can execute is to define a higher-level policy such as “let any application that has been digitally signed by Microsoft run”. Many of the application control vendors I cover support this capability. So in essence, we whitelist the vendors whose code we want to allow to run rather than whitelist application by application.
But what about code that is signed by a vendor that we haven’t seen before? Of course, bad guys can obtain a certificate from legitimate CAs and digitally sign their code (and they can use company names that sound quite legitimate). So why not set a higher bar for ISVs to obtain certificates, just as we’ve done on the Web with Extended Validation SSL Certificates (EV-Certs)? I’m no Pollyanna. EV-Certs don’t solve every problem on the Web and they certainly won’t solve every problem for application control (e.g. they don’t say anything about the quality of the website or of the code) — but it would be a step forward.
Some organizations with more permissive policies might set a policy that says “let any application digitally signed with an EV-Cert run”. Others will be more restrictive. If an organization runs into an unknown application written by an unknown vendor, the fact that the application was signed by an ISV using an EV-Cert would be just one more factor in an overall assessment of the trustworthiness of the application.
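The tiered publisher policy sketched in the last three paragraphs (trust a named publisher, optionally trust any EV-signed publisher, treat EV as one factor for everything else), as an added example that is not from the original post or from any of the application control vendors it mentions. The `SignatureInfo` fields, the trusted-publisher set and the sample file names are all constructed assumptions; a real deployment would take these facts from the OS signature verifier and the signing certificate's policy identifiers rather than from hand-built records.

```python
"""Tiered publisher-trust policy for application control (added example).

Signature facts below are constructed records, not the output of any real
verifier; the decision logic is what the example is meant to show.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    REVIEW = "review"   # may run only after an analyst assessment
    DENY = "deny"


@dataclass(frozen=True)
class SignatureInfo:
    path: str
    chain_valid: bool            # signature verifies up to a trusted root
    publisher: Optional[str]     # subject name of the signing certificate
    ev: bool                     # certificate was issued under EV vetting
    revoked: bool = False        # certificate appears on a revocation list


# Publishers the (hypothetical) organization trusts outright.
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "Example Corp Ltd."}


def evaluate(sig: SignatureInfo, allow_any_ev: bool) -> Tuple[Decision, str]:
    """Return the decision and the rule that produced it.

    allow_any_ev=True models the permissive profile ("let any application
    digitally signed with an EV-Cert run"); False models the restrictive one,
    where EV only raises an unknown publisher from deny to review.
    """
    # 1. Unsigned, broken-chain or revoked code never runs, whoever signed it.
    if sig.publisher is None or not sig.chain_valid:
        return Decision.DENY, "unsigned or signature does not verify"
    if sig.revoked:
        return Decision.DENY, "signing certificate revoked"
    # 2. Publishers on the explicit allow-list run regardless of EV status.
    if sig.publisher in TRUSTED_PUBLISHERS:
        return Decision.ALLOW, f"trusted publisher {sig.publisher!r}"
    # 3. Unknown publisher: EV is a factor, not a blank cheque.
    if sig.ev:
        if allow_any_ev:
            return Decision.ALLOW, "EV-signed, permissive profile"
        return Decision.REVIEW, "EV-signed by unknown publisher; assess"
    # 4. Unknown publisher with an ordinary certificate: anyone can buy one.
    return Decision.DENY, "non-EV certificate from unknown publisher"


# Constructed sample inventory: one record per file seen on an endpoint.
SAMPLE_FILES = [
    SignatureInfo("C:/Windows/notepad.exe", True, "Microsoft Corporation", False),
    SignatureInfo("C:/Apps/newtool.exe", True, "Fresh Startup Inc.", True),
    SignatureInfo("C:/Apps/freebie.exe", True, "Totally Legit Software LLC", False),
    SignatureInfo("C:/Apps/oldtool.exe", True, "Example Corp Ltd.", True, revoked=True),
    SignatureInfo("C:/Temp/dropper.exe", False, None, False),
]


def audit(files: List[SignatureInfo], allow_any_ev: bool) -> List[Tuple[str, str, str]]:
    """Evaluate every file under one profile; returns (path, decision, reason)."""
    return [(f.path, *(lambda d: (d[0].value, d[1]))(evaluate(f, allow_any_ev)))
            for f in files]


if __name__ == "__main__":
    for profile in (False, True):
        print(f"--- allow_any_ev={profile} ---")
        for path, decision, reason in audit(SAMPLE_FILES, profile):
            print(f"{decision:6}  {path:28}  {reason}")
```

Under the restrictive profile the unknown EV-signed tool lands in review rather than being allowed or denied, which is the "one more factor" role the post assigns to EV; flipping `allow_any_ev` is the only change needed to express the permissive profile, so the two policies differ in configuration, not in code.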
The benefits go beyond application control. For example, on 64-bit Windows, Microsoft requires the use of digitally signed device drivers as an extra precaution against malicious drivers. An extra level of confidence in the source of the drivers using EV-Certs would help here as well.