views: 363 | answers: 8

I am going to be building a web app soon where I will need to have a security model such that different users have access to different parts of the application and/or different sets of data within those specific parts of the app. I am debating between the following two methods of implementing security:

White List: By default users have access to nothing and are granted access to the things they need.

or

Black List: By default users have access to everything and their access is removed from the things that they do not need.

Is there a best-practice on which method is preferred? If there is another method that would better address this problem that would be interesting to know as well.

Thanks.

+6  A: 

White list. With blacklisting, you have to consider all the input that MIGHT be invalid. With whitelisting, you just consider what's valid.

bxlewi1
+3  A: 

Security is always built around what you call "white list". Lock them out of everything and only open up what they need.

GregD
A: 

Pessimistic view says whitelist, optimistic view would say blacklist. Online, I hold security in higher regard, so really if a whitelist/blacklist was required, definitely go with a whitelist.

Zachery Delafosse
+1  A: 

In the scenario of a web application I would always use white listing. It's generally better to give a user too little power than too much.

Garry Shutler
+1  A: 

Always work with a whitelist; that way, even if you have missed something, you are not left vulnerable.

Keltia
+7  A: 

From the classic paper "The Protection of Information in Computer Systems" (Saltzer & Schroeder 1975), which describes eight important design principles, one of which is:

Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965 [8], means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.

Liudvikas Bukys
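The fail-safe-defaults argument quoted above, worked through in code. This is an added example and not part of the thread or the paper: the same policy is written once as a grant list (default deny) and once as an exclusion list (default allow), then both are asked about a resource that was added after the policy was written and about a role the policy never mentions. The roles, resources and actions are hypothetical.

```python
# Added example (not from the thread): one authorization policy expressed as
# a whitelist (grants) and as a blacklist (exclusions), and how each behaves
# when the policy author has not considered a request. Names are hypothetical.
from typing import Dict, FrozenSet, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Whitelist form: everything a role MAY do. Anything not listed is denied.
GRANTS: Dict[str, FrozenSet[Permission]] = {
    "viewer": frozenset({("reports", "read")}),
    "editor": frozenset({("reports", "read"), ("reports", "write")}),
    "admin": frozenset({("reports", "read"), ("reports", "write"),
                        ("users", "write")}),
}

# Blacklist form: everything a role MAY NOT do. Anything not listed is allowed.
DENIES: Dict[str, FrozenSet[Permission]] = {
    "viewer": frozenset({("reports", "write"), ("users", "write")}),
    "editor": frozenset({("users", "write")}),
    "admin": frozenset(),
}


def allowed_whitelist(role: str, resource: str, action: str) -> bool:
    """Fail-safe default: the permission must be explicitly granted.
    An unknown role has no grants, so it gets nothing."""
    return (resource, action) in GRANTS.get(role, frozenset())


def allowed_blacklist(role: str, resource: str, action: str) -> bool:
    """Fail-open default: the permission is assumed unless explicitly excluded.
    An unknown role has no exclusions, so it gets everything."""
    return (resource, action) not in DENIES.get(role, frozenset())


def compare(role: str, resource: str, action: str) -> Dict[str, bool]:
    """Evaluate one request under both models side by side."""
    return {
        "whitelist": allowed_whitelist(role, resource, action),
        "blacklist": allowed_blacklist(role, resource, action),
    }


# Constructed requests. The first is one the policy author considered, so the
# models agree. The "audit_log" resource was added to the app after the policy
# was written, and "contractor" is a role nobody defined: here the models
# diverge, and only the whitelist fails closed.
REQUESTS = [
    ("editor", "reports", "write"),
    ("viewer", "audit_log", "delete"),
    ("contractor", "users", "write"),
]

if __name__ == "__main__":
    for role, resource, action in REQUESTS:
        print(f"{role:>10} {resource:<10} {action:<7}", compare(role, resource, action))
```

The blacklist mistake (an uncovered resource, an unanticipated role) produces a silent allow that nothing in normal use reports; the whitelist mistake produces a deny that the affected user notices and files a ticket about, which is exactly the asymmetry the quoted paragraph describes.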
+2  A: 

Let us imagine you had a set of a thousand door keys that you need to give someone access to.

Would you rather go through all the keys and try to take out the ones this person absolutely does not need and give them the rest? Or would you rather just give them the keys they absolutely need and deny them the rest?

Which has the greater potential for a mistake?

Flory
+1  A: 

You don't know what you don't know.

There are many ways to escape user validation (using UTF-8 or other encoding, etc.), and more than one way to do cross-site scripting attacks. Are you sure you can come up with the black list that covers all possible attacks? This list could be infinite.

However, coming up with the list of what is good is much easier, and consequently much safer.

Julien
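The input-validation point in the last answer, shown concretely. This is an added example, not code from the thread: a blacklist filter that strips `<script>` tags is run beside a whitelist validator for a username field, over a few constructed inputs. The filter regex, the username rule and the sample strings are all hypothetical.

```python
# Added example (not from the thread): a blacklist input filter beside a
# whitelist validator, run over constructed inputs. The regexes and sample
# strings are hypothetical.
import re
from html import escape
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Blacklist: strip <script> and </script> tags, case-insensitively, and
# pass through whatever remains.
SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    """Remove known-bad tokens in a single pass."""
    return SCRIPT_TAG.sub("", value)


# Whitelist: a username may contain only these characters, at this length.
USERNAME = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Accept only input that matches the known-good shape; reject the rest."""
    return USERNAME.fullmatch(value) is not None


def render_safe(value: str) -> str:
    """For free text that cannot be pattern-matched, the 'whitelist' is the
    output context: escape every character that is not safe in HTML text
    instead of trying to enumerate what is dangerous."""
    return escape(value, quote=True)


# Constructed inputs, each with the reason the blacklist does not hold.
SAMPLES: List[Tuple[str, str]] = [
    ("alice_01", "ordinary username"),
    ("<scr<script>ipt>alert(1)</script>", "one removal pass reassembles the tag"),
    ("<img src=x onerror=alert(1)>", "contains no 'script' token at all"),
    ("%3Cscript%3E", "URL-encoded; a later layer decodes it"),
]


def evaluate(value: str) -> Dict[str, object]:
    """Show what each approach makes of one input."""
    filtered = blacklist_filter(value)
    return {
        "blacklist_output": filtered,
        # If some later component decodes the value, the filtered string
        # changes shape after the filter has already approved it.
        "after_decode": unquote(filtered),
        "whitelist_accepts": is_valid_username(value),
        "escaped": render_safe(value),
    }


if __name__ == "__main__":
    for value, why in SAMPLES:
        print(repr(value), "-", why)
        for key, result in evaluate(value).items():
            print(f"    {key:<17} {result!r}")
```

The three bad inputs each defeat the blacklist differently (tag reassembly, a different tag, a different encoding), and a fourth encoding or tag would need yet another rule; the whitelist rejects all of them with a single pattern, and free text that cannot be constrained to a pattern is handled by escaping at output rather than by filtering at input.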