As applications increasingly move to virtualized environments, the need for security solutions that examine virtual applications continues to grow.
Security vendor Rapid7 is aiming to help solve the virtual security challenge with a new version of its Nexpose vulnerability management solution. Nexpose 5 integrates scanning of both physical and virtual environments to help identify and mitigate potential security risks.
“With virtualization the security posture today can change at the click of a button,” Tas Giakouminakis, co-founder and CTO of Rapid7 told InternetNews.com. “So what we’ve built into Nexpose 5 is the concept of continuous discovery.”
With continuous discovery Rapid7 is integrating Nexpose into a VMware vSphere environment with the ability to identify and work with virtual machines (VM). The integration also allows Nexpose to react to VMs as they are turned on or off and as they move across a data center.
Nexpose 5 also pulls out VM attributes from a system to build out what Rapid7 calls Dynamic Sites. Giakouminakis explained that the traditional way Nexpose works is that it groups sites together by host name and IP ranges. With virtualization, Nexpose can now be tied to virtual connections that are dynamic in nature. The Dynamic Sites features can enable an administrator to group VMs by administrator specified attributes.
“So you can have grouped view of the world and scan those assets in a specific way,” Giakouminakis said. “You can scan your Windows VMs with your Windows policies versus say your database systems, which may be scanned in a different way.”
While Nexpose 5 is able to integrate with VMware today, there is still more work to be done to provide even more visibility into virtual environments.
“The next step is to expand the VMware epsec APIs to support what we need for vulnerability scanning of images to actually be able to do offline image scanning,” Giakouminakis said. “That capability is not there today.”
In addition to the new virtual environment capabilities, Nexpose 5 is also adding a technology called Real Risk. According to Giakouminakis, there are only a small number of vulnerabilities that modern malware actually uses. He noted that there are approximately 75 vulnerabilities in software that enable many types of modern malware.
“So what we’re doing here is rather than just look at the thousands of vulnerabilities that might be exploitable, we highlight the 75 that are malware exploitable,” Giakouminakis said.
With Real Risk, Nexpose 5 ranks vulnerabilities placing the malware exploitable vulnerabilities at the top of the priority list.
From a configuration assessment perspective, Nexpose 5 supports the Security Content Automation Protocol (SCAP) standard to help users ensure secure configurations of their assets. SCAP is a framework for creating a standardized approach for maintaining secure system. SCAP standards are developed by the Commerce Department’s National Institute of Standards and Technology (NIST).
While Nexpose is a dynamic analysis tool there are some static analysis components to the solution as well. The Nexpose 4.11 release that came out earlier this year introduced Flash scanning capabilities to the solution, which are also part of the Nexpose 5 release.
That said, Giakouminakis noted that Nexpose is looking at the code remotely on the client side and is not doing any direct source code analysis from a code repository. In recent years, both IBM and HP have added static code analysis to their solution offerings.
Giakouminakis said that while static analysis is useful, Rapid7’s view is that they’re looking at static analysis only when the data is accessible and it makes sense to scan.
Overall, Nexpose 5 is able to scan for over 16,000 vulnerabilities in software. Even with that large scanning capability there are some security risks that require more than just a technology solution.
“The human element is important,” Giakouminakis said. “Yes there are solutions like ours, but getting people to understand just how important the human aspect is remains a struggle.”