VMware Offers App Security From the Goldilocks Zone

Making good on a theme pitched by Martin Casado and Tom Corn, VMware launches AppDefense to put the hypervisor at the heart of application security.

LAS VEGAS -- VMworld 2017 -- Touching on the Goldilocks Zone concept that Martin Casado brought up in 2014, VMware is making a play for the application security market, saying the hypervisor provides the proper place to spot trouble as virtualized applications spin up.
The AppDefense service, which is being announced here today, isnt about
network
security -- firewalls and the like. Rather, its about application security, monitoring the apps themselves to make sure nothing is going awry.
VMware has believed for years that it has a place in this kind of security. That was the gist of the
Goldilocks Zone
concept that Casado -- a figurehead of the SDN movement who joined VMware through the Nicira acquisition -- and colleague Tom Corn began presenting in 2014. They argued that the hypervisor was the proper place to host security functions.
Their logic went like this: Infrastructure-based security, such as a firewall, cant fully understand aspects of context, such as who an applications user is and where the data is intended to go. And host-based security lacks isolation; once the host CPU is breached, every application becomes an open book to the attacker, they argued. In a virtualized environment, the hypervisor knows all the context and can provide isolation.
AppDefense follows up on that idea. You can use the unique properties of virtualization to have a completely different twist on security, said Corn, now VMwares senior vice president of security products, during a pre-VMworld press conference Sunday evening.
The service is available now for on-premises VMware installations. Its going to eventually extend into VMware environments on Amazon Web Services (AWS) as well, through the VMware Cloud on AWS service. Officials arent giving a timeframe for that yet.
AppDefenses operations can be categorized into three steps. First, it uses VMwares vCenter management to track what applications are being spawned in the network and what theyre supposed to be doing. The latter part gets discerned through provisioning and orchestration tools such as Puppet, Chef, and Ansible (or VMwares own vRealize).
Its important to tap those tools, because they provide authoritative information, Corn said, allowing us to look at what was intended there before that machine was even spun up.
Second, AppDefense stores the intended state of the network, so it can compare the apps that are actually running to whats
supposed
to be running. Finally, it uses vSphere and NSX to take action -- shutting down a misbehaving virtual machine, for instance.
The approach is similar to whitelisting -- an approach where the network blocks any activity that isnt specifically permitted by policy. But whitelisting can be a pretty brittle model that can trip up as processes spawn new processes, Corn says. AppDefense goes further because of that first step -- tapping authoritative information from developer tools.
That process also makes AppDefense useful for getting applications teams and security operations teams aligned, Corn said.
Its much like a doctor and a parent are working together in the care of a child, because one knows the child and the other knows maladies and remedies, he said. Were creating a system that allows those teams to collaborate.
— Craig Matsumoto, Editor-in-Chief,
Light Reading

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
VMware Offers App Security From the Goldilocks Zone