
How Apprenda Adds Security to Guest Applications


By Dan Domkowski


During the past few years, I’ve helped many Apprenda customers design and deliver a Platform as a Service (PaaS) solution unique to each of their data center workflows, policies, and configurations. But our requirements to enable security and compliance always seem to be on the rise. While Apprenda integrates with many data center resources, our client services team also has the obligation to make sure developers consume those resources and services securely.

Fortunately, Apprenda gives us the tools for wrapping security around guest applications by acting as a “Hub” for workload management and policy enablement. Apprenda was designed to stitch together OS instances, infrastructure, and other data-center components into a single “data center OS.” A positive consequence of collapsing the data center to a single layer via Apprenda is that there is now a central place to control security upstream and downstream from the PaaS.

There are a number of real-world, security-enabling use cases I’d like to share that could let any enterprise secure its applications through Apprenda without hampering innovation.

Pre-Deployment Vulnerability Scanning

Even before a developer is authorized to deploy their application to production environments, they often have to run their application through a static and/or dynamic code analyzer such as Black Duck, Veracode, or HP Fortify to identify known vulnerabilities or possible attack vectors.

Apprenda has the necessary extension “hook points” to call a vulnerability scanning service during the normal deployment workflow and to receive authorization, or be denied deployment, before any binaries are executed on an app server. As an additional preventive measure, application bootstrap policies (BSPs) on Apprenda allow enterprise security to control any portion of the application payload, ensuring that developers are always using libraries that are up to date and free of known vulnerabilities at deployment time. Not only does this provide a more hardened production environment, it also helps developers eliminate “deployment blockers” more readily, because they no longer have to wait for anyone other than themselves to get a compliant app up and running on the PaaS.
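The deploy-time gate described here, and the agent injection covered in the SSO and password-management sections below, can be modelled as one policy function. This is an added illustration, not Apprenda's own BSP API: it assumes a deployment hook receives the application's library manifest plus the agents the developer selected, and returns either a denial or the list of actions (library replacements, agent injections) to apply before any binary runs. All library names, versions and agent file names are constructed.

```python
"""Model of a deploy-time bootstrap policy (BSP) gate (hypothetical API)."""
from dataclasses import dataclass, field

# Constructed policy data: (library, version) known to be vulnerable, mapped to
# the patched version a BSP may swap in at deploy time (None: no approved fix).
VULNERABLE = {("acme-json", "1.4.0"): "1.4.1",
              ("acme-xml", "2.0.0"): None}

# Constructed catalog of agents that security architects have approved.
APPROVED_AGENTS = {"ca-sso": "ca-sso-tomcat-agent.jar",
                   "cyberark-aim": "cyberark-aim-agent.jar"}


@dataclass
class Decision:
    allowed: bool
    actions: list = field(default_factory=list)   # what the BSP will do
    reasons: list = field(default_factory=list)   # why deployment was blocked


def evaluate_deployment(manifest, requested_agents):
    """Gate a deployment. manifest maps library name -> version."""
    d = Decision(allowed=True)
    for lib, ver in sorted(manifest.items()):
        patched = VULNERABLE.get((lib, ver), "ok")
        if patched == "ok":
            continue                      # not on the vulnerable list
        if patched is None:
            # Known-vulnerable library with no approved replacement: block.
            d.allowed = False
            d.reasons.append(f"{lib} {ver} is vulnerable and has no approved fix")
        else:
            # The BSP replaces the vulnerable library with the patched version.
            d.actions.append(f"replace {lib} {ver} -> {patched}")
    for agent in requested_agents:
        if agent in APPROVED_AGENTS:
            d.actions.append(f"inject {APPROVED_AGENTS[agent]}")
        else:
            # Developers may only attach agents from the approved catalog.
            d.allowed = False
            d.reasons.append(f"agent '{agent}' is not in the approved catalog")
    if not d.allowed:
        d.actions = []                    # nothing is injected into a denied deployment
    return d
```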

Inject Apps with Single Sign-On (SSO)

One item enterprises are trying to figure out is how developers can still Bring Your Own Authentication (BYOA). If you want to let developers add enterprise Single Sign-On mechanisms such as CA SSO (formerly SiteMinder) to their apps, but also want to control how and when developers use SSO services for the app, the CA SSO web agent for the Apache Tomcat Servlet container is an excellent choice. When the app is running in a Tomcat container, the agent can intercept HTTP requests and determine protection status, user authentication, and resource authorization.

But how do you control how developers use this service? Again, that’s where BSPs come in. Security architects and enterprise IT configure BSPs through the Apprenda SOC and expose them to developers when they’re ready to configure and deploy their apps. If a developer chooses CA SSO as the authentication and authorization mechanism to attach to their app, the BSP will inject the CA SSO web agent into the Tomcat classloader at deploy time.

Password Management Beyond SSO

The same BSP workflow could be used for rotating application credentials, or even for granting an application certain permissions on the OS it runs on, but in an authorized way. Both use cases can be supported by packaging the CyberArk Application Identity Manager agent at deploy time through a BSP.

Enterprises rarely (if ever) grant developers access to production OS instances, but the app may need to run as a specific OS user based on enterprise policies. Rather than manually configuring each application and target server, a BSP that injects the CyberArk agent can enable developers from all over the enterprise to deploy an application that runs as the authorized OS user. Security architects only have to configure one agent, and a security policy for all apps is instantly in place.

Conclusion

There are numerous use cases to automatically inject functionality into your applications by running them on Apprenda. As security restrictions and regulations become more prevalent each year in the enterprise, Apprenda can help you harden apps without limiting innovation.

Your PaaS should integrate and coordinate technology resources throughout the data center no matter the vendor, especially when it comes to security. Most enterprises invest in a variety of identity and access management (IAM) solutions, and Apprenda has integrations with Microsoft, CA, Ping, and others running in our customers’ data centers. By integrating with so much technology, Apprenda effectively centralizes and catalogs the usage of off-platform investments throughout the enterprise app portfolio. When it comes to managing security products and workflows, Apprenda can now be the central place to control application security upstream and downstream from the PaaS.


Dan Domkowski is a Product Manager at Apprenda specializing in PaaS Security. Dan is also an Adjunct Professor at the University at Albany where he teaches Information Security and Assurance. Before Apprenda, Dan spent eight years in the U.S. Intelligence Community, mostly at the National Security Agency. Dan has a MS in Computer Science from The George Washington University and a BA in International Relations and Political Science from Syracuse University.

Comments

  1. TechYogJosh, July 16, 2015

    Interesting article. What would have been really helpful is if the article had done a comparison of Apprenda with its key competitors (e.g., CloudFoundry, CloudBees, Stackato, etc.). This article describes what Apprenda does from an application security perspective but stops short of saying that these are unique qualities or differentiators. Maybe they are not. If they are not, then the article loses the point. Next time, if you could provide a comparison between the way Apprenda handles security and the other major on-premise PaaS software, that would be really helpful. Icing on the cake would be to also let the readers know where Apprenda lags its peers and how you are trying to bridge those gaps.

  2. Dan Domkowski, July 16, 2015

    Thanks for the comment. To address your point, there is no other PaaS on the market today that can seamlessly extend deployment workflows to off-Platform services and resources nor allow for the dynamic inclusion of specified libraries and agents for .NET and Java applications, all at deploy time. Apprenda allows enterprises to govern how developers attach functionality to their application without levying any additional configuration mechanics on the developer.

    Examples can include:
    – additional app logging frameworks
    – JavaMail Sessions
    – SSO web agents
    – pre-deployment vulnerability scans
    – replacing vulnerable libraries with patched versions
    – connecting an app to a shared working directory
    – cataloging and discovery for REST endpoints

    Thanks again,

    Dan
