Hewlett-Packard this week announced new technology that steps outside the bounds of what has traditionally been considered in IT security. Instead of just providing security at the perimeter of a network or an endpoint, HP is now attempting to enable applications to defend themselves as a cloud-based service.
The new Application Defender platform is built on top of HP Fortify runtime technology.
Jacob West, CTO of Enterprise Security Products at HP, knows a thing or two about Fortify. West joined HP by way of the acquisition of Fortify back in 2010. “Application Defender is a cloud-managed application self-protection service,” he said. “It can monitor applications and provide visibility into attacks and gives an application the ability to defend itself by altering its behavior.”
The Application Defender system is centrally managed and monitored by way of a cloud console. Technically, the way that the new Application Defender works with the Fortify runtime is it uses debugging APIs in a virtual machine. Those APIs are tied to an application server to be able to hook into a specific running application. Application Defender then monitors individual application APIs for potentially malicious behavior or data flows.
West said that an enterprise can think of Application Defender as being a plug-in for an application server.
“As soon as the application is brought up, the local Application Defender agent communicates back to the cloud management console over a secure channel,” West explained. “That communication reports event information to the console, so users can be alerted to events.”
The Application Defender agent on the enterprise application server also enables control and configuration options to come back from the central cloud console to change behavior to mitigate attack risk.
Currently, Application Defender is focused on enterprise Java and .NET applications. West noted that the platform overall is very flexible for inspecting data flows in and out of an application. HP’s Fortify technology division also has technology that does static code analysis; however, that technology does not currently play a role in the Application Defender platform. Static analysis is often used to help in root cause analysis of a vulnerability, which is an area where Application Defender can also help.
“From a root cause analysis standpoint, because we’re monitoring the application at the individual API level and are inserted into the application runtime, we can report the event with the full data flow,” West said. “So when an event goes back to the cloud console, the monitoring can get full root cause details.”
A common attack against applications is a SQL injection attack, which is something that Application Defender can also help to mitigate.
West said that there are multiple ways that Application Defender can identify a SQL injection attack. One is by looking at input to an application, since Application Defender is monitoring all data flows to the application. The other way that a SQL injection attack could be detected is by monitoring the data flowing out of an application, at the point where a SQL query is made to an external database.
“So we’re able to monitor queries as they are being built up and at the last point before they are sent across the wire to the database server,” West said. “So we can potentially identify malicious strings and then be able to change the application’s behavior before it passes the attack on to the database server.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.