Automatic curation and modification of virtualized computer programs
US-8959577-B2 · Feb 17, 2015 · US
US9832226B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9832226-B2 |
| Application number | US-201514596728-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 14, 2015 |
| Priority date | Apr 13, 2012 |
| Publication date | Nov 28, 2017 |
| Grant date | Nov 28, 2017 |
Abstract
In an embodiment, a data processing method comprises receiving a first instance of computer program data at a security unit having one or more processors; executing the first instance of the computer program data in a monitored environment; observing and recording identification information for each of a plurality of functions called by the first instance of the computer program data; sending the identification information to one or more security enforcement endpoints over a computer network; and generating one or more instructions describing security protections to implement for function calls not included in the identification information in a second instance of the computer program data, and sending the instructions to one or more security enforcement endpoints over a computer network.
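The abstract (and claim 3 below) describes a security unit that runs one instance of a program in a monitored environment, records which functions it calls, and turns that into a whitelist plus protection instructions for every function not observed. The following Python is an added example, not code from the patent or its assignee: the sample program, its symbol offsets, the `observe_calls`, `build_enforcement_instructions` and `enforce` helpers are all constructed here to show the shape of the procedure.

```python
"""Added example (not code from the patent or its assignee): a toy "security
unit" that executes a program in a monitored environment, records which
functions it calls, and turns that into a whitelist plus default-deny
instructions for functions present in the binary but never observed."""
import sys

# Constructed sample program. handle_post and debug_shell exist in the "binary"
# but are never reached by the curated workload.
def parse_request(raw):
    return raw.strip().split(" ")

def handle_get(path):
    return f"200 {path}"

def handle_post(path, body):
    return f"201 {path}"

def debug_shell(cmd):
    return f"exec {cmd}"

def program_main(inputs):
    out = []
    for raw in inputs:
        parts = parse_request(raw)
        if parts[0] == "GET":
            out.append(handle_get(parts[1]))
    return out

# Constructed stand-in for the binary's symbol table: function name -> offset
# from the start of the executable (a real unit would read this from the file).
SYMBOL_OFFSETS = {
    "parse_request": 0x1040,
    "handle_get": 0x10A0,
    "handle_post": 0x1100,
    "debug_shell": 0x1180,
    "program_main": 0x1200,
}

def observe_calls(entry, inputs):
    """Run entry(inputs) under a profiling hook; return (output, set of functions called)."""
    seen = set()

    def hook(frame, event, arg):
        # Only Python-level 'call' events for functions known from the symbol table.
        if event == "call" and frame.f_code.co_name in SYMBOL_OFFSETS:
            seen.add(frame.f_code.co_name)

    sys.setprofile(hook)
    try:
        output = entry(inputs)
    finally:
        sys.setprofile(None)
    return output, seen

def build_enforcement_instructions(seen):
    """Whitelist = observed functions; every other symbol gets a protection
    instruction expressed as an offset into the binary, as claim 3 describes."""
    whitelist = sorted(seen)
    protections = [
        {"function": name, "offset": offset, "action": "deny-and-alert"}
        for name, offset in sorted(SYMBOL_OFFSETS.items())
        if name not in seen
    ]
    return whitelist, protections

def enforce(call_name, whitelist, protections):
    """Decision an enforcement endpoint would take for a call seen in a second instance."""
    if call_name in whitelist:
        return "allow"
    for p in protections:
        if p["function"] == call_name:
            return p["action"]
    return "deny-and-alert"  # unknown symbol: treated like any unobserved function

if __name__ == "__main__":
    out, seen = observe_calls(program_main, ["GET /index", "GET /health"])
    wl, prot = build_enforcement_instructions(seen)
    print(out, wl, prot, enforce("debug_shell", wl, prot))
```

The point a practitioner should take from this is that the whitelist is only as complete as the curated workload: a function that legitimate traffic reaches but the monitored run did not exercise will be denied in production, which is exactly why the patent pairs this step with the variance check in claim 1.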
Claims (preview)
What is claimed is:

1. A computer-implemented method comprising: using a security unit having one or more processors, receiving a first instance of computer program data at the security unit; modifying, by the security unit, the first instance of the computer program data to implement one or more security improvements, resulting in a modified computer program data, wherein the one or more security improvements improve resistance of the computer program data to security attacks, and wherein the one or more security improvements are independent of a type or version of the computer program data; executing the first instance of the computer program data in a monitored environment in the security unit to generate expected output; executing the modified computer program data in the monitored environment in the security unit to generate modified output; identifying one or more variances in the modified output by comparing the modified output to the expected output; based on the one or more variances, altering the one or more security improvements or updating the security unit; repeating the steps of the method using the altered one or more security improvements or updated security unit until no variances in modified output are identified; wherein the method is performed using one or more processors.

2. The method of claim 1, wherein the computer program data comprises any of: an application program executable; application program configuration data; one or more units of an operating system; a just-in-time compiled application program.

3. The method of claim 1, further comprising: in the security unit, observing and recording identification information for each of a plurality of functions called by the first instance of the computer program data; sending the identification information from the security unit to one or more security enforcement endpoints over a computer network; using the security unit, generating one or more instructions describing security protections to implement for function calls not included in the identification information in a second instance of the computer program data, and sending the instructions from the security unit to one or more security enforcement endpoints over a computer network; wherein the one or more instructions comprise function pointers or offset values with reference to a start of an executable binary.

4. The method of claim 3, wherein sending the identification information comprises sending a whitelist of the plurality of functions called by the first instance of the computer program data.

5. The method of claim 1, wherein the first instance of the computer program data is obtained from an authorized source.

6. A non-transitory computer readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause: by a security unit, receiving a first instance of computer program data at the security unit; modifying, by the security unit, the first instance of the computer program data to implement one or more security improvements, resulting in a modified computer program data, wherein the one or more security improvements improve resistance of the computer program data to security attacks, and wherein the one or more security improvements are independent of a type or version of the computer program data; using the security unit, executing the first instance of the computer program data in a monitored environment in the security unit to generate expected output; executing the modified computer program data in the monitored environment in the security unit to generate modified output; identifying one or more variances in the modified output by comparing the modified output to the expected output; based on the one or more variances, altering the one or more security improvements or updating the security unit; repeating the steps of the method using the altered one or more security improvements or updated security unit until no variances in modified output are identified.

7. The computer-readable medium of claim 6, wherein the computer program data comprises any of: an application program executable; application program configuration data; one or more units of an operating system; a just-in-time compiled application program.

8. The computer-readable medium of claim 6, further comprising sequences of instructions which when executed cause the one or more processors to perform: observing and recording, in the security unit, identification information for each of a plurality of functions called by the first instance of the computer program data; sending the identification information from the security unit to one or more security enforcement endpoints over a computer network; generating one or more instructions describing security protections to implement for function calls not included in the identification information in a second instance of the computer program data, and sending the instructions from the security unit to one or more security enforcement endpoints over a computer network, wherein the one or more instructions comprise function pointers or offset values with reference to a start of an executable binary.

9. The computer-readable medium of claim 8, wherein sending the identification information comprises sending a whitelist of the plurality of functions called by the first instance of the computer program data.

10. The computer-readable medium of claim 6, wherein the first instance of the computer program data is obtained from an authorized source.

11. A security unit comprising: one or more processors; a non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform: receiving a first instance of computer program data at the security unit; modifying the first instance of the computer program data to implement one or more security improvements, resulting in a modified computer program data, wherein the one or more security improvements improve resistance of the computer program data to security attacks, and wherein the one or more security improvements are independent of a type or version of the computer program data; executing the first instance of the computer program data in a monitored environment in the security unit to generate expected output; executing the modified computer program data in the monitored environment in the security unit to generate modified output; identifying one or more variances in the modified output by comparing the modified output to the expected output; based on the one or more variances, altering the one or more security improvements or updating the security unit; repeating the steps of the method using the altered one or more security improvements or updated security unit until no variances in modified output are identified.

12. The security unit of claim 11, wherein the computer program data comprises any of: an application program executable; application program configuration data; one or more units of an operating system; a just-in-time compiled application program.

13. The security unit of claim 11, further comprising sequences of instructions which when executed by the one or more processors cause performing: observing and recording, in the security unit, identification information for each of a plurality of functions called by the first instance of the computer program data; sending the identification information from the security unit to one or more security enforcement endpoints over a computer network; generating one or more instructions describing secur
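Claim 1 (restated in claims 6 and 11) is a differential-testing loop: the security unit runs the original program to get expected output, runs the hardened program to get modified output, compares the two, alters the security improvement when they differ, and repeats until no variances remain. The following Python is an added example, not code from the patent or its assignee: the workload, the `original_program` function and the bounds-check "improvement" are constructed here, and `curate` is a hypothetical name for the loop.

```python
"""Added example (not code from the patent or its assignee): the
compare-and-iterate loop of claim 1, simulated on a constructed program.
The "security improvement" is a field-count bound wrapped around the
program; a bound that is too tight changes legitimate output, which the
variance check detects and the loop corrects."""

def original_program(records):
    # Constructed workload: each record is a list of fields joined into one line.
    return [",".join(r) for r in records]

def apply_improvement(program, max_fields):
    """Return a hardened variant of `program` that rejects records with more
    than max_fields fields instead of processing them."""
    def hardened(records):
        out = []
        for r in records:
            if len(r) > max_fields:
                out.append("REJECTED")  # defensive behaviour replacing the original
            else:
                out.append(",".join(r))
        return out
    return hardened

def find_variances(expected, modified):
    """Positions where the modified output differs from the expected output."""
    return [(i, e, m) for i, (e, m) in enumerate(zip(expected, modified)) if e != m]

def curate(program, workload, initial_bound, max_rounds=10):
    """Run original and modified program, compare, relax the improvement on
    variance, and repeat until the modified output matches the expected output.
    Returns (final bound, history of (bound, variance count) per round)."""
    expected = program(workload)          # first instance -> expected output
    bound = initial_bound
    history = []
    for _ in range(max_rounds):
        modified_out = apply_improvement(program, bound)(workload)  # modified instance
        variances = find_variances(expected, modified_out)
        history.append((bound, len(variances)))
        if not variances:
            return bound, history
        # Alter the improvement: the bound must admit the largest record that
        # the original program handled correctly.
        bound = max(len(workload[i]) for i, _, _ in variances)
    raise RuntimeError("no variance-free configuration found within max_rounds")

if __name__ == "__main__":
    sample = [["a", "b"], ["a", "b", "c"], ["a", "b", "c", "d", "e"]]
    print(curate(original_program, sample, initial_bound=2))
```

The loop terminates because each round only loosens the bound toward values already observed in the workload; in a real security unit the alteration step is where a human or a policy decides whether a variance means the hardening was wrong or the original behaviour was the problem.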
Isolation or security of virtual machine instances · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Hypervisor-specific management and integration aspects · CPC title
Test or assess software · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title