I've read a lot recently about "self-defending" application security products -- those that can be integrated into an enterprise application to ward off application hacks, subversion and piracy. How do these products work? Do they really do anything new?
Ask the Expert
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security.
The term "self-defending" is becoming a popular marketing tagline among vendors trying to make their products stand out in a crowded security products marketplace. Because a variety of vendors are now touting "self-defending" products, the term tends to have a slightly different meaning depending on which product description you're reading.
Software security vendor Metaforic, for example, has launched what it claims to be the first and only automated, self-defending, anti-tamper software. Metaforic Core "enables software creators to automatically infuse a software immune system into their programs," according to the vendor's product description, which means deployed instances can supposedly defend themselves from a variety of threats, including hackers, targeted malware and insider betrayal. It does this by constantly running a variety of integrity checks without relying on the operating system to enforce code signing. Jailbreaking an Apple iPhone, for example, subverts its code-signing control.
While Metaforic is targeting developers, Mocana's Mobile App Protection product integrates into existing mobile device management suites and enterprise app stores. It puts a security wrapper around mobile apps to protect sensitive data using access control and protection for data in motion and at rest; it also secures data sharing between applications. Using a wrapper methodology removes the need to modify the application's source code. The result is what the company calls a "self-defending app."
Similarly, data protection vendor Covata's Secure Objects is described as "self-defending data" -- yet another approach. By applying data encryption and rights management to the data itself, the data can be protected "regardless of its format, status or location." Because the focus is on the data, the approach should be usable across devices, operating systems or applications, regardless of type.
This approach is hardly the exclusive domain of startups. The strategy of Cisco Systems' Self-Defending Network -- possibly the first product to use the term "self-defending" -- is to integrate network security into the fabric of the enterprise network, which the vendor claims allows it to adapt to new threats and collaborate across multiple capabilities and devices.
As to the question of whether these products really do anything new, I would suggest they are innovative in their deployment and use of existing technologies. Does that make them new? I don't know; each organization would need to test them to draw its own conclusions as to whether they provide increased levels of protection. The ultimate product would be self-defending software that automatically created a patch and deployed it whenever unexpected behavior was about to occur. Sadly, for the time being, such a product doesn't exist. In the meantime, be wary of any vendor's claim that a product is "self" anything; every enterprise information security product needs to be deployed, configured and managed correctly in order to work effectively.
This was first published in July 2013