Security Research

Visibility into the running application - finally!

mmadou 09-20-2013 12:06 PM - edited 10-01-2013 06:43 PM

HP Protect was a really good event this year - heaps of announcements, and some interesting developments on the application security front. The keynote on secure software development by Gary McGraw was highly entertaining and the interview afterwards with HP ESP CTO Jacob West is definitely worth checking out too.

As one of the main drivers behind the project bringing real application visibility to the ArcSight platform, the announcement on HP ArcSight Application View by Fortify’s GM Mike Armistead was of particular interest to me. This solution gives you visibility into applications running in your environment. It uses the HP Fortify runtime capabilities to extract information from an application, in conjunction with ArcSight ESM to make sense of the data that is coming in.


Let’s focus for a moment on the HP Fortify component that extracts information from the application. The technology used under the hood is very similar to the technology used by performance-measuring solutions. However, where those solutions use a runtime agent to measure performance, our solution uses the technology to extract security information from the application. For example, for Java, the runtime agent is a jar file which needs to be added when starting up the application server. Adding the jar file loads the runtime agent into the running Java virtual machine, where it inspects the application at specific points. When one of these points is executed, the runtime agent observes the execution and records information of interest to IT SOC people. That information is unified and sent through the syslog connector in CEF format to ArcSight ESM.


An example of the type of information that can be extracted from running applications is the process of user authentication to an application. From an IT SOC perspective, it’s good to know which users are logging in to an application; it’s even more interesting to know which users are failing to log in, and where they are physically located.
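To make the CEF-over-syslog path and the login use case above concrete, here is an added example; it is not HP Fortify or ArcSight code. It formats a login event as a CEF line with the escaping the format requires, parses the extension back, and counts failed logins per user and source address. The vendor, product and signature values, the function names, and the choice of `suser`, `src`, `outcome` and `cs1` as extension keys are assumptions.

```python
import re

# Added example: vendor, product and signature values are placeholders.
def esc_header(v):
    # CEF header fields: escape backslash and pipe, flatten line breaks.
    v = str(v).replace("\\", "\\\\").replace("|", "\\|")
    return v.replace("\r", " ").replace("\n", " ")

def esc_ext(v):
    # CEF extension values: escape backslash and '=', encode newline as \n.
    v = str(v).replace("\\", "\\\\").replace("=", "\\=")
    return v.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\\n")

def cef_login_event(user, src_ip, success, application="ExampleApp"):
    name = "User login " + ("succeeded" if success else "failed")
    header = ["ExampleVendor", "ExampleRuntimeAgent", "1.0",
              "auth-login", name, "3" if success else "6"]
    ext = {"suser": user, "src": src_ip,
           "outcome": "success" if success else "failure",
           "cs1Label": "application", "cs1": application}
    return ("CEF:0|" + "|".join(esc_header(h) for h in header) + "|"
            + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items()))

KEY = re.compile(r"(?:^| )(\w+)=")
def parse_extension(ext):
    # Split on ' key=' boundaries; an escaped '\=' never starts a new field.
    found = list(KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(found):
        end = found[i + 1].start() if i + 1 < len(found) else len(ext)
        raw = ext[m.end():end]
        fields[m.group(1)] = re.sub(
            r"\\(.)", lambda x: "\n" if x.group(1) == "n" else x.group(1), raw)
    return fields

def failed_logins(lines):
    # Count failed logins per (user, source address) for SOC triage.
    counts = {}
    for line in lines:
        f = parse_extension(line.split("|", 7)[7])
        if f.get("outcome") == "failure":
            key = (f["suser"], f["src"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample events; the second username contains a space and '='.
SAMPLE = [cef_login_event("alice", "192.0.2.10", True),
          cef_login_event("bob outcome=success", "198.51.100.7", False),
          cef_login_event("bob outcome=success", "198.51.100.7", False)]
```

Because `=` inside the user-supplied name is escaped before the line is written, the parser still reports `outcome=failure` for the second and third events rather than reading a second `outcome` field out of the username.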


The runtime agent is able to essentially retrofit the application and add security logging to the authentication framework because our Software Security Research Group looked into standard authentication frameworks and figured out the exact points in the application (APIs) where a user logs in and out of the application. With that information, the research team wrote rules to add security logging on the fly to applications that use these frameworks. So out of the box, there is support for standard authentication frameworks, but there is of course an SDK available to support any of your custom or third-party authentication frameworks.


For more information, check out the datasheet here or even sign up for a 30-day trial.
