I’ve just recently been introduced to the concept of Accept Known Good, where instead of rejecting badly formed input, a whitelist of acceptable inputs is used to validate against. I understand the basics, love the idea, but I am curious as to what the consensus is in regards to AKG ruling out every potential attack? Is that what it does essentially, or does it still leave you susceptible to various attacks and if so, which ones? I’m not a security person, which is why I ask. Hope someone with more insight can elaborate.
Most people start by accepting everything and then blacklist the things they know are wrong. That’s the easy route. It leaves you open to all the things you don’t know about. For example, if you install a web app, you may blacklist the requests for known vulnerabilities. However, you have to keep that blacklist updated as new vulnerabilities become public.
If you reverse it, and start by blacklisting everything, it gets a bit easier. If you have that same web app and only whitelist requests that meet your expectations, you don’t have to worry about blacklisting vulnerabilities that are requested.
The same goes for any component of any application that accepts any kind of input.
The caveat here is that there’s no way this can protect you from an attack that’s achieved via well-formed input. So it’s not foolproof.
I work for a medium-sized financial service company, regulated out the rear, and we take the whitelist approach. We whitelist at the firewall level, at the web server level, at the DMZ level, at the database level, at the application level, right down to the method/function/parameter level. Nothing gets through any level of our infrastructure unless it’s specifically allowed through.
Bottom line, if you do it properly it can protect you from attacks that emanate from malformed (intentional or otherwise) requests. However, there are many other avenues of attack that can be exploited.