At last, after ignoring whitelisting for years – to the general detriment of PC users everywhere and to the ultimate benefit of cyber criminals – finally the concept of whitelisting has broken through at this year’s RSA conference.

Twice, by the way, my offer to present “the concept of whitelisting and why it will ultimately dominate IT security” at a session in the RSA conference was turned down. They didn’t want to know. (Mustn’t disturb the interests of the entrenched AV vendors whose products don’t work).

The move to whitelisting has now become a mad dash. Last year, the largest and most influential AV vendor (Symantec) signaled its intention to move to whitelisting and started to bury the word “Anti-Virus” in favor of “endpoint security”. CA had already made the move (to its credit, it was the first to break ranks). Kaspersky moved later in the year.

At this year’s RSA conference the writing is actually on the wall – and it was also in the opening address by John Thompson of Symantec. Here are some quotes from the conference, extracted from various industry sources.

Thompson called for additional investments in identity management and whitelisting technologies in attempt to better manage user behavior and data. (SearchSecurity.com)

Thompson said that now was the time for corporations to rethink their approach to security. “If growth of malicious software continues to grow at its current rate then techniques like white listing will become much more critical” he said. (SCMagazine)

Ben Greenbaum, a senior research manager with Symantec’s security response teamGreenbaum called 2007′s tsunami of threats a “tipping point,” and said that it is clear that security vendors — and their users — will soon need to switch to “whitelisting” legitimate code rather than “blacklisting” threats, as is now the practice. (Computer World)

A whitelist approach was first suggested by Murphy when Symantec released its previous report. The idea is that it is now easier to keep track of all benevolent computer programs instead of tracking the hundreds of thousands of malware applications. (ITBusiness.ca)

It’s pretty much the beginning of the end for AV. It’s over.

What John Thompson also pointed out is something that has concerned me for a long time. Whitelisting on its own is not enough. Currently there are only a few vendors trying to create a genuine security platform (CA, CoreTrace, Symantec) and that’s what’s really required. Whitelisting is software authentication and it kicks AV into a cocked hat, but there’s also the growing problem of data privacy. This is not a solved problem and whitelisting doesn’t solve it. For that, a more comprehensive security platform is needed.

I will have more to say about this in time.