A Network Allow-List Won't Stop Exfiltration
Summary
The article argues that domain allow-lists cannot prevent data exfiltration from sandboxed code, because a secret can be encoded and carried out over a channel the list permits, such as DNS queries or HTTP requests to an allowed host. It proposes an L7 egress proxy with data-loss prevention that decodes, inspects, and blocks sensitive data, detailing the pipeline and detectors, and notes limitations and ongoing development.
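As an added example, not code from the article or its author, the following Python sketches the decode, inspect, block stage of such a proxy for the two channels the summary names. Everything in it is constructed for the demo: the secret format (`SK_` plus 24 uppercase hex digits), the `example.com` allow-listed zone, and the sample queries and URLs. What it shows that the summary alone does not is the shape of the detectors: per-chunk decoding of hex, base32 and base64 with stripped padding restored, reassembly of a payload that was split across DNS labels to fit label-length limits, and an entropy fallback for encodings the decoder table does not know.

```python
import base64
import binascii
import math
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed secret format for the demo: "SK_" + 24 uppercase hex chars (not a real token format).
SECRET_RE = re.compile(r"SK_[0-9A-F]{24}")
SAMPLE_SECRET = "SK_0123456789ABCDEF01234567"  # constructed placeholder, not a credential


@dataclass
class Verdict:
    action: str  # "allow", "block" or "flag"
    reason: str


def _decodings(chunk: str) -> list[str]:
    """The chunk as-is plus its hex, base32 and base64(url) decodings, with stripped padding restored."""
    out = [chunk]
    if len(chunk) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", chunk):
        out.append(bytes.fromhex(chunk).decode("ascii", "ignore"))
    if re.fullmatch(r"[A-Za-z2-7]+", chunk):  # base32 survives DNS case folding, so it is common there
        try:
            out.append(base64.b32decode(chunk.upper() + "=" * (-len(chunk) % 8)).decode("ascii", "ignore"))
        except (binascii.Error, ValueError):
            pass
    if re.fullmatch(r"[A-Za-z0-9+/_-]+", chunk):
        padded = chunk.translate(str.maketrans("+/", "-_")) + "=" * (-len(chunk) % 4)
        try:
            out.append(base64.urlsafe_b64decode(padded).decode("ascii", "ignore"))
        except (binascii.Error, ValueError):
            pass
    return out


def _entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())


def inspect_chunks(chunks: list[str], where: str) -> Verdict:
    """Decode, then match. The reassembled stream is inspected too, because a payload is
    often split across several labels or segments to fit length limits."""
    for chunk in [*chunks, "".join(chunks)]:
        for plain in _decodings(chunk):
            if SECRET_RE.search(plain):
                return Verdict("block", f"secret pattern found in {where} chunk {chunk[:12]}...")
    # Fallback for encodings the decoder table does not know: long, high-entropy chunks get flagged.
    for chunk in chunks:
        if len(chunk) >= 20 and _entropy(chunk) >= 3.5:
            return Verdict("flag", f"high-entropy {where} chunk {chunk[:12]}...")
    return Verdict("allow", "no sensitive data detected")


def inspect_dns_query(qname: str, allowed_zone: str) -> Verdict:
    """Labels beneath an allow-listed zone are still caller-controlled data: strip the zone, inspect the rest."""
    labels = qname.rstrip(".").split(".")
    zone = allowed_zone.rstrip(".").lower().split(".")
    if len(labels) < len(zone) or [l.lower() for l in labels[-len(zone):]] != zone:
        return Verdict("block", f"{qname} is outside the allow-listed zone {allowed_zone}")
    return inspect_chunks(labels[:-len(zone)], "dns")


def inspect_http_request(url: str, body: str = "") -> Verdict:
    """Path segments, query values and body of a request to an allowed host are all carrier channels."""
    parts = urlsplit(url)
    chunks = [unquote(seg) for seg in parts.path.split("/") if seg]
    chunks += [value for _, value in parse_qsl(parts.query)]
    if body:
        chunks.append(body)
    return inspect_chunks(chunks, f"http {parts.netloc}")


# Constructed samples of what the proxy would see on the wire (no real hosts or credentials).
_B32 = base64.b32encode(SAMPLE_SECRET.encode()).decode().rstrip("=").lower()  # 44 chars
SAMPLE_DNS_EXFIL = f"{_B32[:22]}.{_B32[22:]}.example.com"  # payload split over two labels
SAMPLE_HTTP_EXFIL = "https://files.example.com/upload?d=" + base64.urlsafe_b64encode(
    SAMPLE_SECRET.encode()).decode().rstrip("=")


def run_demo() -> dict[str, str]:
    """Run the constructed samples through both inspectors; returns sample name -> action."""
    zone = "example.com"
    return {
        "benign_dns": inspect_dns_query("api.example.com", zone).action,
        "outside_zone": inspect_dns_query("other.example.net", zone).action,
        "dns_hex": inspect_dns_query(SAMPLE_SECRET.encode().hex() + ".example.com", zone).action,
        "dns_base32_split": inspect_dns_query(SAMPLE_DNS_EXFIL, zone).action,
        "dns_custom_encoding": inspect_dns_query("x7k2-m9q4-p3z8-w1v6-r5t0-n4y2-h8j3-c6f9.example.com", zone).action,
        "benign_http": inspect_http_request("https://files.example.com/docs/readme.txt").action,
        "http_b64_query": inspect_http_request(SAMPLE_HTTP_EXFIL).action,
        "http_plain_body": inspect_http_request("https://files.example.com/upload", body=f"token={SAMPLE_SECRET}").action,
    }
```

Running `run_demo()` gives `block` for the hex label, the base32 payload split across two labels, the base64 query value and the plaintext body, `allow` for the ordinary lookups, and `flag` for the label in an alphabet the decoders do not recognise. The entropy fallback is the weak point of this design: it buys coverage of custom encodings at the cost of false positives, and the thresholds here are illustrative. A per-request inspector like this also cannot see a payload chunked across many requests over time, which is the kind of limitation a real egress proxy has to address separately.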