Large enterprises have trouble maintaining and patching their systems on a consistent basis, for many reasons. Applications that the business relies on cannot be interrupted for any long period of time while a patch is applied. Applications in large-scale enterprises sometimes need specific versions of supporting software, occasionally including legacy 16-bit components, in order to run, and this causes serious application conflicts. Example: Application A needs Java version 1.5, but the same users also need Application B, which requires Java version 1.3. When a Java update is released, several problems appear at once: the system stays vulnerable because the exploitable version remains installed, and whichever application depends on that exact version will crash if it is removed. When a new release of an application comes out, for example version 1.00 to 1.50, it can take months of testing and staged deployment to roll it out across the enterprise, again because of application conflicts and possible disruption to the business function. With virtual applications we can keep the host OS up to date with the latest security patches while maintaining business functionality.
This is possible by using virtual applications built on sandbox technology, which create a virtual file system and virtual registry for the user. The end user is now able to run multiple versions of any application without conflicts. You are also able to build a small virtual application that packages 16-bit and 32-bit components together. This makes patching your virtual application easy: software is separated into components or packages that are bundled into a single virtual executable. Example: Internet Explorer and Java can be separate packages that you update individually and then recompile. This shortens the turnaround when you are dealing with large applications that take a long time to build, so large-scale environments can respond very quickly when an update is released. It also reduces man-hours in deployment: overnight delivery of patched applications to thousands of users, with no additional issues created by the deployment itself.
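To make the isolation mechanism concrete, here is an added, simplified model (not ThinApp code and not from the original post) of a per-application sandbox: each package carries a private registry/file-system layer that is consulted before the shared host, and writes are redirected into that layer (copy-on-write) rather than reaching the host. The class and method names, the registry-style key and the version numbers are constructed for the illustration. The scenario reproduces the Java example above: Application A packaged with 1.5, Application B packaged with 1.3, and a non-virtualized application that reads the host directly, before and after the host's Java is patched.

```python
from typing import Any, Dict, Optional


class VirtualLayer:
    """Constructed model of an application sandbox.

    Reads are answered from the package's private layer first and fall
    through to the shared host only when the layer has no entry.  Writes
    and deletes go into the private layer, so the host is never modified.
    """

    DELETED = object()  # tombstone: the package hides a host entry from itself

    def __init__(self, app_name: str, host: Dict[str, Any],
                 packaged: Optional[Dict[str, Any]] = None) -> None:
        self.app_name = app_name
        self.host = host                       # shared host state (one dict for all apps)
        self.layer: Dict[str, Any] = dict(packaged or {})  # captured at package build time

    def read(self, key: str) -> Optional[Any]:
        if key in self.layer:
            value = self.layer[key]
            return None if value is self.DELETED else value
        return self.host.get(key)              # fall through to the host

    def write(self, key: str, value: Any) -> None:
        self.layer[key] = value                # redirected into the sandbox

    def delete(self, key: str) -> None:
        self.layer[key] = self.DELETED         # hide the host's copy without touching it


JAVA_KEY = "HKLM/JavaSoft/CurrentVersion"     # constructed registry-style key


def runtime_view(host: Dict[str, Any], apps: Dict[str, VirtualLayer],
                 key: str) -> Dict[str, Optional[Any]]:
    """What each packaged app sees for `key`, plus a non-virtualized app
    that reads the host directly."""
    view = {name: app.read(key) for name, app in apps.items()}
    view["Native"] = host.get(key)
    return view


def patch_scenario() -> Dict[str, Any]:
    """Patch the host's Java and report what each application still sees."""
    host: Dict[str, Any] = {JAVA_KEY: "1.4"}
    apps = {
        "AppA": VirtualLayer("AppA", host, {JAVA_KEY: "1.5"}),  # needs 1.5
        "AppB": VirtualLayer("AppB", host, {JAVA_KEY: "1.3"}),  # needs 1.3
    }
    before = runtime_view(host, apps, JAVA_KEY)

    host[JAVA_KEY] = "1.6"                     # host OS patched to the current release
    after = runtime_view(host, apps, JAVA_KEY)

    # A user-level write from inside the sandbox stays in the sandbox.
    apps["AppA"].write("HKCU/AppA/LastRun", "today")
    host_has_sandbox_write = "HKCU/AppA/LastRun" in host

    # Repackaging AppB with a newer runtime is a change to its layer only.
    apps["AppB"].layer[JAVA_KEY] = "1.6"
    after_repackage = runtime_view(host, apps, JAVA_KEY)

    return {
        "before": before,
        "after": after,
        "host_has_sandbox_write": host_has_sandbox_write,
        "after_repackage": after_repackage,
    }


if __name__ == "__main__":
    for stage, view in patch_scenario().items():
        print(f"{stage}: {view}")
```

Note that the host patch changes only what the non-virtualized application sees; each packaged application keeps the runtime it was built with, and moving it forward is a rebuild of that package rather than a change to the host.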
So the host OS can be patched immediately when a fix is released, with no application conflicts arising and no interruption to the business function, which is the main goal to maintain. Because the virtual applications are isolated from the local host OS, system administrators can update vulnerable systems faster and more efficiently. At a previous employer we used VMware ThinApp; it is a clientless virtual application that met almost all of our needs, and we were very impressed by the results. Ultimately the end goal is to remove all vulnerable software from a system, but this approach isolates the vulnerable software's attack surface, which is a cost-effective mitigating factor in an ongoing battle.
