Security Research

Visibility into the running application - finally!

mmadou ‎09-20-2013 12:06 PM - edited ‎10-01-2013 06:43 PM

HP Protect was a really good event this year - heaps of announcements, and some interesting developments on the application security front. The keynote on secure software development by Gary McGraw was highly entertaining and the interview afterwards with HP ESP CTO Jacob West is definitely worth checking out too.

As one of the main drivers behind the project bringing real application visibility to the ArcSight platform, I found the announcement of HP ArcSight Application View by Fortify’s GM Mike Armistead of particular interest. This solution gives you visibility into the applications running in your environment. It uses the HP Fortify runtime capabilities to extract information from an application, in conjunction with ArcSight ESM to make sense of the data that is coming in.

Let’s focus for a moment on the HP Fortify component that extracts information from the application. The technology used under the hood is very similar to the technology used by performance-measuring solutions. However, where those solutions use a runtime agent to measure performance, our solution uses the technology to extract security information from the application. For Java, for example, the runtime agent is a jar file that needs to be added when starting up the application server. Adding the jar file loads the runtime agent into the running Java virtual machine, where it inspects the application at specific points. When one of these points is executed, the runtime agent observes the execution and records information of interest to IT SOC staff. That information is unified and sent through the syslog connector in CEF format to ArcSight ESM.

One example of the type of information that can be extracted from running applications is user authentication. From an IT SOC perspective, it’s good to know which users are logging in to an application; it’s even more interesting to know which users are failing to log in, and where they are physically located.

The runtime agent is able to essentially retrofit the application and add security logging to the authentication framework because our Software Security Research Group looked into standard authentication frameworks and figured out the exact points in the application (APIs) where a user logs in and out. With that information, the research team wrote rules that add security logging on the fly to applications that use these frameworks. So out of the box, there is support for standard authentication frameworks, and there is of course an SDK available to support any of your custom or third-party authentication frameworks.
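To make the login visibility described above concrete, here is an added illustration (not HP Fortify or ArcSight code) that writes login attempts as CEF records, parses them back and counts failed logins per user. The vendor and product names, signature IDs, severities, users and addresses are constructed; `suser`, `src` and `outcome` are standard CEF extension keys, and the syslog prefix is assumed to be already stripped.

```python
import re
from collections import Counter

HEADER = re.compile(r"((?:\\.|[^|\\])*)\|" * 7)   # 7 pipe-terminated header fields
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")           # a literal '=' in a value is '\='

def esc_header(v):
    # CEF header fields: escape backslash and pipe.
    return str(v).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(v):
    # CEF extension values: escape backslash, equals sign and line breaks.
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def unesc(s):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), s)

def cef_auth_event(user, src, success):
    """One CEF line for a login attempt. Vendor, product and IDs are constructed."""
    head = ["ExampleVendor", "ExampleAgent", "1.0",
            "auth-success" if success else "auth-failure",
            "Login succeeded" if success else "Login failed", 3 if success else 6]
    ext = {"suser": user, "src": src, "outcome": "success" if success else "failure"}
    return ("CEF:0|" + "|".join(esc_header(h) for h in head) + "|"
            + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items()))

def parse_cef(line):
    """Return (header fields, extension dict) for one CEF:0 record."""
    m = HEADER.match(line)
    if not m or m[1] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    rest, ext = line[m.end():], {}
    keys = list(EXT_KEY.finditer(rest))
    for k, nxt in zip(keys, keys[1:] + [None]):
        ext[k[1]] = unesc(rest[k.end():nxt.start() if nxt else len(rest)])
    return [unesc(f) for f in m.groups()[1:]], ext

def failed_logins(lines):
    """Count failed logins per user from CEF lines."""
    exts = (parse_cef(ln)[1] for ln in lines)
    return Counter(e.get("suser", "") for e in exts if e.get("outcome") == "failure")

# Constructed sample events; 192.0.2.0/24 is a documentation address range.
SAMPLE = [cef_auth_event("alice", "192.0.2.10", True),
          cef_auth_event("bob", "192.0.2.44", False),
          cef_auth_event("bob", "192.0.2.44", False),
          cef_auth_event("carol outcome=success|x", "192.0.2.99", False)]
```

The last sample shows why the escaping matters: the user name on a failed login is user-supplied, and without escaping its `=` it would be read as a separate `outcome` field.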

For more information, check out the datasheet here or even sign up for a 30 day trial.
