Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Automation

8/28/2017
12:30 PM
Craig Matsumoto
Craig Matsumoto
News Analysis-Security Now
50%
50%

VMware Offers App Security From the 'Goldilocks Zone'

Making good on a theme pitched by Martin Casado and Tom Corn, VMware launches AppDefense to put the hypervisor at the heart of application security.

LAS VEGAS -- VMworld 2017 -- Touching on the "Goldilocks Zone" concept that Martin Casado brought up in 2014, VMware is making a play for the application security market, saying the hypervisor provides the proper place to spot trouble as virtualized applications spin up.

The AppDefense service, which is being announced here today, isn't about network security -- firewalls and the like. Rather, it's about application security, monitoring the apps themselves to make sure nothing is going awry.

VMware has believed for years that it has a place in this kind of security. That was the gist of the Goldilocks Zone concept that Casado -- a figurehead of the SDN movement who joined VMware through the Nicira acquisition -- and colleague Tom Corn began presenting in 2014. They argued that the hypervisor was the proper place to host security functions.

Their logic went like this: Infrastructure-based security, such as a firewall, can't fully understand aspects of context, such as who an application's user is and where the data is intended to go. And host-based security lacks isolation; once the host CPU is breached, every application becomes an open book to the attacker, they argued. In a virtualized environment, the hypervisor knows all the context and can provide isolation.

AppDefense follows up on that idea. "You can use the unique properties of virtualization to have a completely different twist on security," said Corn, now VMware's senior vice president of security products, during a pre-VMworld press conference Sunday evening.

The service is available now for on-premises VMware installations. It's going to eventually extend into VMware environments on Amazon Web Services (AWS) as well, through the VMware Cloud on AWS service. Officials aren't giving a timeframe for that yet.

AppDefense's operations can be categorized into three steps. First, it uses VMware's vCenter management to track what applications are being spawned in the network and what they're supposed to be doing. The latter part gets discerned through provisioning and orchestration tools such as Puppet, Chef, and Ansible (or VMware's own vRealize).

It's important to tap those tools, because they provide "authoritative" information, Corn said, "allowing us to look at what was intended there before that machine was even spun up."

Second, AppDefense stores the intended state of the network, so it can compare the apps that are actually running to what's supposed to be running. Finally, it uses vSphere and NSX to take action -- shutting down a misbehaving virtual machine, for instance.

The approach is similar to whitelisting -- an approach where the network blocks any activity that isn't specifically permitted by policy. But whitelisting can be "a pretty brittle model" that can trip up as processes spawn new processes, Corn says. AppDefense goes further because of that first step -- tapping "authoritative" information from developer tools.

That process also makes AppDefense useful for getting applications teams and security operations teams aligned, Corn said.

"It's much like a doctor and a parent are working together in the care of a child, because one knows the child and the other knows maladies and remedies," he said. "We're creating a system that allows those teams to collaborate."

— Craig Matsumoto, Editor-in-Chief, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...
CVE-2020-25598
PUBLISHED: 2020-09-23
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar...
CVE-2020-25599
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory a...
CVE-2020-25600
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains...