Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Automation

8/28/2017
12:30 PM
Craig Matsumoto
Craig Matsumoto
News Analysis-Security Now
50%
50%

VMware Offers App Security From the 'Goldilocks Zone'

Making good on a theme pitched by Martin Casado and Tom Corn, VMware launches AppDefense to put the hypervisor at the heart of application security.

LAS VEGAS -- VMworld 2017 -- Touching on the "Goldilocks Zone" concept that Martin Casado brought up in 2014, VMware is making a play for the application security market, saying the hypervisor provides the proper place to spot trouble as virtualized applications spin up.

The AppDefense service, which is being announced here today, isn't about network security -- firewalls and the like. Rather, it's about application security, monitoring the apps themselves to make sure nothing is going awry.

VMware has believed for years that it has a place in this kind of security. That was the gist of the Goldilocks Zone concept that Casado -- a figurehead of the SDN movement who joined VMware through the Nicira acquisition -- and colleague Tom Corn began presenting in 2014. They argued that the hypervisor was the proper place to host security functions.

Their logic went like this: Infrastructure-based security, such as a firewall, can't fully understand aspects of context, such as who an application's user is and where the data is intended to go. And host-based security lacks isolation; once the host CPU is breached, every application becomes an open book to the attacker, they argued. In a virtualized environment, the hypervisor knows all the context and can provide isolation.

AppDefense follows up on that idea. "You can use the unique properties of virtualization to have a completely different twist on security," said Corn, now VMware's senior vice president of security products, during a pre-VMworld press conference Sunday evening.

The service is available now for on-premises VMware installations. It's going to eventually extend into VMware environments on Amazon Web Services (AWS) as well, through the VMware Cloud on AWS service. Officials aren't giving a timeframe for that yet.

AppDefense's operations can be categorized into three steps. First, it uses VMware's vCenter management to track what applications are being spawned in the network and what they're supposed to be doing. The latter part gets discerned through provisioning and orchestration tools such as Puppet, Chef, and Ansible (or VMware's own vRealize).

It's important to tap those tools, because they provide "authoritative" information, Corn said, "allowing us to look at what was intended there before that machine was even spun up."

Second, AppDefense stores the intended state of the network, so it can compare the apps that are actually running to what's supposed to be running. Finally, it uses vSphere and NSX to take action -- shutting down a misbehaving virtual machine, for instance.

The approach is similar to whitelisting -- an approach where the network blocks any activity that isn't specifically permitted by policy. But whitelisting can be "a pretty brittle model" that can trip up as processes spawn new processes, Corn says. AppDefense goes further because of that first step -- tapping "authoritative" information from developer tools.

That process also makes AppDefense useful for getting applications teams and security operations teams aligned, Corn said.

"It's much like a doctor and a parent are working together in the care of a child, because one knows the child and the other knows maladies and remedies," he said. "We're creating a system that allows those teams to collaborate."

— Craig Matsumoto, Editor-in-Chief, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-40865
PUBLISHED: 2021-10-25
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x use...
CVE-2021-25977
PUBLISHED: 2021-10-25
In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS due to the page title improperly sanitized. By creating a page with a specially crafted page title, a low privileged user can trigger arbitrary JavaScript execution.
CVE-2021-35231
PUBLISHED: 2021-10-25
As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. Example vulnerable path: "Computer\HKEY_LOCAL_MACHIN...
CVE-2021-38294
PUBLISHED: 2021-10-25
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
CVE-2021-40526
PUBLISHED: 2021-10-25
Incorrect calculation of buffer size vulnerability in Peleton TTR01 up to and including PTV55G allows a remote attacker to trigger a Denial of Service attack through the GymKit daemon process by exploiting a heap overflow in the network server handling the Apple GymKit communication. This can lead t...