Visibility into the running application - finally!

HP Protect was a really good event this year - heaps of announcements, and some interesting developments on the application security front. The keynote on secure software development by Gary McGraw was highly entertaining and the interview afterwards with HP ESP CTO Jacob West is definitely worth checking out too.

As one of the main drivers behind the project bringing real application visibility to the ArcSight platform, the announcement on HP ArcSight Application View by Fortify’s GM Mike Armistead was of particular interest for me. This solution gives you visibility into applications running in your environment. It uses the HP Fortify runtime capabilities to extract information from an application in conjunction with ArcSight ESM to make sense of the data that is coming in.

 

Let’s focus on the HP Fortify component that extracts information from the application for a moment. The technology used under the hood is very similar to the technology used by performance-measuring solutions. However, where these solutions use a runtime agent to measure performance, our solution uses the technology to extract security information from the application. For example, for Java, the runtime agent is a jar file which needs to be added when starting up the application server. Adding the jar file adds the runtime agent to the running Java virtual machine which inspects the application at specific points. When one of these points is executed, the runtime agent observes the execution and records information of interest for IT SOC people. That information is unified and sent through the syslog connector in CEF format to ArcSight ESM.

 

An example of the type of information that can be extracted from running applications is the process of user authentication to an application. From an IT SOC perspective, it’s good to know what users are logging in to an application; it’s even more interesting to know which users are failing to login, and where they are physically located. 

 

The reason why the runtime agent is able to essentially retrofit the application and add security logging  to the authentication framework is because our Software Security Research Group looked into standard authentication frameworks and figured out the exact points in the application (API's) where a user logs in and out of the application. With that information, the research team wrote rules to add security logging on the fly to applications that use these frameworks. So out of the box, there is support for standard authentication frameworks, but there is of course an SDK available to support any of your custom or third party authentication frameworks.

 

For more information, check out the datasheet here or even sign up for a 30 day trial.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation