The use of virtualization promises to make it easier to test Web applications already in production for security vulnerabilities, according to Cenzic Inc. The company this week announced Cenzic Hailstorm Enterprise Application Risk Controller (ARC) 5.5, which features integration with VMware Lab Manager and VMware VirtualCenter, server virtualization products from VMware Inc.
"Application security is being driven by QA and development people, but all production applications out there are susceptible," said John Weinschenk, president and CEO of Santa Clara, Calif.-based Cenzic. The technical challenges of testing these applications once they are in production include the risk of corrupting the data associated with an application and of taking the application down, he said.
By integrating with virtualization technology, Cenzic customers will be able to continuously test production applications in a virtual or "staging" environment without the risk of compromising the environment, according to Cenzic.
"A major concern when assessing production applications is whether an automated scan is going to knock the system offline," said Michael Montecillo, an analyst at Enterprise Management Associates. "With what Cenzic is doing, it really means that security teams will be more capable of aggressively assessing systems. It reduces the risk of having vulnerabilities, and it also reduces the risk of having your system go down by doing it in VMware."
Testing production and pre-production applications
Weinschenk said the VMware integration will allow the testing of both production and pre-production Web applications in a virtualized environment, enabling application security throughout the software development lifecycle, from development to QA to operations.
VMware Lab Manager automates the setup, capture, storage and sharing of multi-machine software configurations. VirtualCenter enables the rapid provisioning of virtual machines and monitors the performance of physical servers and virtual machines. The integration provides the ability to deploy a virtualized copy of an application, test it, and then un-deploy it. Organizations can test a snapshot of a production application or continuously test the latest production copy on a virtual machine for new vulnerabilities, according to Cenzic.
"Think of it like backup software," Weinschenk said. "It enables you to point to a virtualized environment, get a real-time snapshot [of the application] and put it into a location to do testing. You can test and populate in the ARC dashboard. If ARC corrupts it, you can immediately spin up a new version and do testing."
If Hailstorm finds a problem with an application in production, the security team is likely to "do proactive monitoring or application firewall filtering to secure that application" while it's remediated, Weinschenk said. "It's an operational decision."
Weinschenk said Cenzic has been working with VMware for about nine months and that Cenzic is the first to offer such integration. He said the two vendors' sales teams will work together, although the arrangement is not exclusive.
"We bring the killer app that can increase the ROI of a virtualized environment," Weinschenk said. "You can use your virtualization infrastructure for something else beyond better productivity with your hardware. For application security, it allows us to solve problems we couldn't before. If you're successful hacking into an application, you can destroy information. Now you can attack without destroying. It takes a major barrier [to testing] out of the way."
"I believe it's a distinct approach; the actual integration is something I haven't seen before," Montecillo said. "I definitely think it's a competitive differentiator. It's something a lot of security teams have needed."
Increased coverage beneficial
The biggest benefit for users will be increased coverage, Weinschenk said. Previously, testing production applications was "painful," he said, and required a lot of steps. As a consequence, production applications weren't tested as often as they needed to be. Now, Weinschenk said, "you're reducing the risk profile of production apps. You're able to test more applications on a continuous basis to reduce the risk profile."
In addition to the VMware integration, Hailstorm Enterprise ARC 5.5 includes enhancements to compliance reporting and to the risk management dashboard.
Version 5.5 will be available Dec. 14. Pricing was not yet determined.