Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Automation

8/28/2017
12:30 PM
Craig Matsumoto
Craig Matsumoto
News Analysis-Security Now
50%
50%

VMware Offers App Security From the 'Goldilocks Zone'

Making good on a theme pitched by Martin Casado and Tom Corn, VMware launches AppDefense to put the hypervisor at the heart of application security.

LAS VEGAS -- VMworld 2017 -- Touching on the "Goldilocks Zone" concept that Martin Casado brought up in 2014, VMware is making a play for the application security market, saying the hypervisor provides the proper place to spot trouble as virtualized applications spin up.

The AppDefense service, which is being announced here today, isn't about network security -- firewalls and the like. Rather, it's about application security, monitoring the apps themselves to make sure nothing is going awry.

VMware has believed for years that it has a place in this kind of security. That was the gist of the Goldilocks Zone concept that Casado -- a figurehead of the SDN movement who joined VMware through the Nicira acquisition -- and colleague Tom Corn began presenting in 2014. They argued that the hypervisor was the proper place to host security functions.

Their logic went like this: Infrastructure-based security, such as a firewall, can't fully understand aspects of context, such as who an application's user is and where the data is intended to go. And host-based security lacks isolation; once the host CPU is breached, every application becomes an open book to the attacker, they argued. In a virtualized environment, the hypervisor knows all the context and can provide isolation.

AppDefense follows up on that idea. "You can use the unique properties of virtualization to have a completely different twist on security," said Corn, now VMware's senior vice president of security products, during a pre-VMworld press conference Sunday evening.

The service is available now for on-premises VMware installations. It's going to eventually extend into VMware environments on Amazon Web Services (AWS) as well, through the VMware Cloud on AWS service. Officials aren't giving a timeframe for that yet.

AppDefense's operations can be categorized into three steps. First, it uses VMware's vCenter management to track what applications are being spawned in the network and what they're supposed to be doing. The latter part gets discerned through provisioning and orchestration tools such as Puppet, Chef, and Ansible (or VMware's own vRealize).

It's important to tap those tools, because they provide "authoritative" information, Corn said, "allowing us to look at what was intended there before that machine was even spun up."

Second, AppDefense stores the intended state of the network, so it can compare the apps that are actually running to what's supposed to be running. Finally, it uses vSphere and NSX to take action -- shutting down a misbehaving virtual machine, for instance.

The approach is similar to whitelisting -- an approach where the network blocks any activity that isn't specifically permitted by policy. But whitelisting can be "a pretty brittle model" that can trip up as processes spawn new processes, Corn says. AppDefense goes further because of that first step -- tapping "authoritative" information from developer tools.

That process also makes AppDefense useful for getting applications teams and security operations teams aligned, Corn said.

"It's much like a doctor and a parent are working together in the care of a child, because one knows the child and the other knows maladies and remedies," he said. "We're creating a system that allows those teams to collaborate."

— Craig Matsumoto, Editor-in-Chief, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15037
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
CVE-2019-4323
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."
CVE-2019-4324
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
CVE-2020-15036
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
CVE-2020-15577
PUBLISHED: 2020-07-07
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020).