Demo: A Guide to Virtual Machine App Security Solution Engineer
It may seem like containers are the go-to method for cloud building, however 95% applications run on traditional infrastructure deployments like dedicated servers, shared hosting, and virtual machines (VMs). While Gartner has predicted that by 2022 15% of organizations will be using containers, that still leaves 85% continuing to run many applications and services as server-based deployments. Servers don’t seem to be going anywhere anytime soon.
Enterprises have run legacy architectures for more than a decade while serving their growing customer base. During this time, they’ve addressed capacity constraint challenges with cloud platforms. The cloud has enabled organizations to replace physical boxes with flexible, scalable VMs on Amazon Elastic Compute Cloud (EC2), Google Compute Engine™ (GCE), and others.
There’s value in continuing these well-defined development and delivery practices while deploying applications on a virtual cloud platform. It can be easier to develop and operate legacy applications on traditional architecture than it is to build them with containers without upseting your workflow.
Let’s explore how to ensure your VM applications are secure by protecting a sample Spring Framework (Java) application with Trend Micro Cloud One™ – Application Security.
Application Security Challenges
Compliance requirements often drive application security. But unfortunately, sometimes compliance is an afterthought. This is because, predominately, security is associated with network configurations, open ports, firewalls, and patches. Technical teams do spend time in pre-production trying to find flaws in application testing before production deployments. However, what about when an application is in a runtime state? How can you easily protect your running application at runtime against common application threats and exploits? When these complex questions go unanswered, compliance requirements fall by the wayside, leaving developers responsible to fix the app as quickly as possible.
Practitioners who have faced these challenges created the Open Web Application Security Project (OWASP) Top Ten. According to OWASP, it represents “a broad consensus about the most critical security risks to web applications” and serves as a guideline for building secure applications. The vulnerabilities on the list often remain undetected, since they can be difficult pinpoint and find. These vulnerabilities remain an operations challenge until a developer patches the vulnerability and releases the patched version in production.
Trend Micro helps with Application Security, a runtime application self-protection (RASP) solution for application behavior analysis and protection. We’ll demonstrate how we can protect our applications against adverse events using RASP.
Deploy Application
We’re going to build and deploy the Vulnerable-Directory application, which is developed using Java’s Spring Boot framework and an H2 database. It offers a directory search operation.
We can deploy this application to any cloud VM we’d like. In this tutorial, we’ll assume you already have (or intend to set up) a VM where you’ll deploy the sample application.
We’ll start by downloading the app from GitHub.
git clone https://github.com/rahul0208/vulnerable-directory
cd vulnerable-directory
The application is packaged with Maven Wrapper, so we can build it using the following command:
./mvnw clean install
After the build is complete, let’s run the application from the target directory using the Java command:
java -jar target/directory-0.0.1-SNAPSHOT.jar
This command binds the application on port 8080, so we can access the application using our browser, at http://localhost:8080/. We can deploy the same application on various server platforms like EC2, DigitalOcean, and Google Cloud Platform™.
Read More HERE