Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Automation

8/28/2017
12:30 PM
Craig Matsumoto
Craig Matsumoto
News Analysis-Security Now
50%
50%

VMware Offers App Security From the 'Goldilocks Zone'

Making good on a theme pitched by Martin Casado and Tom Corn, VMware launches AppDefense to put the hypervisor at the heart of application security.

LAS VEGAS -- VMworld 2017 -- Touching on the "Goldilocks Zone" concept that Martin Casado brought up in 2014, VMware is making a play for the application security market, saying the hypervisor provides the proper place to spot trouble as virtualized applications spin up.

The AppDefense service, which is being announced here today, isn't about network security -- firewalls and the like. Rather, it's about application security, monitoring the apps themselves to make sure nothing is going awry.

VMware has believed for years that it has a place in this kind of security. That was the gist of the Goldilocks Zone concept that Casado -- a figurehead of the SDN movement who joined VMware through the Nicira acquisition -- and colleague Tom Corn began presenting in 2014. They argued that the hypervisor was the proper place to host security functions.

Their logic went like this: Infrastructure-based security, such as a firewall, can't fully understand aspects of context, such as who an application's user is and where the data is intended to go. And host-based security lacks isolation; once the host CPU is breached, every application becomes an open book to the attacker, they argued. In a virtualized environment, the hypervisor knows all the context and can provide isolation.

AppDefense follows up on that idea. "You can use the unique properties of virtualization to have a completely different twist on security," said Corn, now VMware's senior vice president of security products, during a pre-VMworld press conference Sunday evening.

The service is available now for on-premises VMware installations. It's going to eventually extend into VMware environments on Amazon Web Services (AWS) as well, through the VMware Cloud on AWS service. Officials aren't giving a timeframe for that yet.

AppDefense's operations can be categorized into three steps. First, it uses VMware's vCenter management to track what applications are being spawned in the network and what they're supposed to be doing. The latter part gets discerned through provisioning and orchestration tools such as Puppet, Chef, and Ansible (or VMware's own vRealize).

It's important to tap those tools, because they provide "authoritative" information, Corn said, "allowing us to look at what was intended there before that machine was even spun up."

Second, AppDefense stores the intended state of the network, so it can compare the apps that are actually running to what's supposed to be running. Finally, it uses vSphere and NSX to take action -- shutting down a misbehaving virtual machine, for instance.

The approach is similar to whitelisting -- an approach where the network blocks any activity that isn't specifically permitted by policy. But whitelisting can be "a pretty brittle model" that can trip up as processes spawn new processes, Corn says. AppDefense goes further because of that first step -- tapping "authoritative" information from developer tools.

That process also makes AppDefense useful for getting applications teams and security operations teams aligned, Corn said.

"It's much like a doctor and a parent are working together in the care of a child, because one knows the child and the other knows maladies and remedies," he said. "We're creating a system that allows those teams to collaborate."

— Craig Matsumoto, Editor-in-Chief, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting