Application allowlisting where feasible
Demonstrate that application allowlisting is deployed where technically feasible, configured to enforce execution restrictions, and maintained with documented approval processes for updates.
Description
What this control does
Application allowlisting (also known as application whitelisting) restricts execution of code to a pre-approved list of applications, scripts, libraries, and executables. Rather than relying solely on blocklists of known malware, this control inverts the security model by denying execution of anything not explicitly approved. Allowlisting is particularly effective on endpoints, servers with stable workloads, and critical operational technology systems where application requirements are well-defined and change infrequently. This control significantly reduces the attack surface by preventing unauthorized code execution, including zero-day exploits and fileless malware.
Control objective
What auditing this proves
Demonstrate that application allowlisting is deployed where technically feasible, configured to enforce execution restrictions, and maintained with documented approval processes for updates.
Associated risks
Risks this control addresses
- Execution of malware, ransomware, or other malicious executables that evade signature-based detection
- Zero-day exploit execution through vulnerabilities in non-approved applications or scripts
- Unauthorized software installation by users or attackers with limited privileges
- Fileless malware or living-off-the-land (LotL) attacks using unapproved scripts or system utilities
- Lateral movement through execution of attacker-uploaded tools and utilities
- Insider threats deploying unauthorized data exfiltration tools or system manipulation utilities
- Shadow IT proliferation introducing unvetted, vulnerable, or unlicensed software into the environment
Testing procedure
How an auditor verifies this control
- Inventory all endpoints, servers, and systems within scope to identify assets where application allowlisting has been evaluated for feasibility.
- Obtain and review the organization's application allowlisting policy, including criteria used to determine where allowlisting is feasible versus impractical.
- Select a representative sample of systems designated for allowlisting across different operating systems, business units, and criticality tiers.
- Extract allowlist configurations from each sampled system (e.g., Windows AppLocker policies, WDAC policies, Linux AppArmor/SELinux profiles, macOS Gatekeeper settings).
- Verify that allowlist policies are configured in enforcement mode rather than audit-only mode (which only logs would-be violations without blocking them), and review any documented exceptions.
- Test enforcement by attempting to execute an unapproved test application or script on sampled systems and confirming execution is blocked and logged.
- Review change management records for recent allowlist updates to validate that additions follow documented approval workflows and security assessments.
- Examine centralized logs or SIEM records for blocked execution attempts over the past 90 days to assess policy effectiveness and identify potential gaps or bypass attempts.
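Added example, not part of this control page, for the enforcement-mode check in the testing procedure: a Python checker over an exported AppLocker policy XML, such as the output of `Get-AppLockerPolicy -Effective -Xml`, that flags rule collections left in AuditOnly or NotConfigured mode, Allow rules on over-broad paths, and collections absent from the policy altogether. The sample policy and the list of over-broad roots are constructed assumptions.

```python
import xml.etree.ElementTree as ET
# Collections an AppLocker allowlist should cover; a missing one is unenforced.
EXPECTED_COLLECTIONS = ("Exe", "Dll", "Script", "Msi", "Appx")
# Allow rules on roots this broad defeat the allowlist (assumed list, uppercase).
BROAD_PATHS = {"*", "%OSDRIVE%\\*", "%SYSTEMDRIVE%\\*", "C:\\*"}

def audit_applocker_policy(xml_text: str) -> dict:
    """Per-collection EnforcementMode plus any over-broad Allow paths."""
    root = ET.fromstring(xml_text)
    report = {"collections": {}, "missing": []}
    for rc in root.findall("RuleCollection"):
        broad = []
        for rule in rc.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.iter("FilePathCondition"):
                if cond.get("Path", "").upper() in BROAD_PATHS:
                    broad.append(cond.get("Path"))
        report["collections"][rc.get("Type")] = {
            "mode": rc.get("EnforcementMode", "NotConfigured"),
            "broad_allow": broad,
        }
    report["missing"] = [c for c in EXPECTED_COLLECTIONS if c not in report["collections"]]
    return report

def findings(report: dict) -> list:
    """Flatten the report into auditor findings; an empty list means clean."""
    out = []
    for ctype, info in report["collections"].items():
        if info["mode"] != "Enabled":
            out.append(f"{ctype}: EnforcementMode is {info['mode']}, not Enabled")
        for p in info["broad_allow"]:
            out.append(f"{ctype}: Allow rule on over-broad path {p}")
    out += [f"{c}: no rule collection present" for c in report["missing"]]
    return out

# Constructed sample in the shape of `Get-AppLockerPolicy -Effective -Xml` output (not a real export).
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Any script" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""
```

Running `findings(audit_applocker_policy(SAMPLE_POLICY))` on the sample reports the Script collection as audit-only with a catch-all Allow rule and the Dll, Msi and Appx collections as absent, while the Exe collection passes.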
Where this control is tested