Mike Fratto

Network Computing Editor


Upcoming Events

A Network Computing Webinar:
Avoiding Downtime: How Virtualization Can Help In Times of Trouble

June 12, 2013
11:00 AM PT / 2:00 PM ET

Are you caught between a desire for the benefits of the cloud and concerns about security and control? Then you should attend this insight-packed webinar to learn how private data networking technologies like MPLS IP-VPNs can address your concerns and allow you to safely and intelligently reap the savings, agility and other benefits associated with cloud computing.

Join us to hear top industry experts discuss the private data network technologies that are best suited for enterprise cloud access requirements. You won't want to miss this opportunity to learn how your organization can best mitigate risk while reaping the full potential benefits of the cloud.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Vendor NewsFeed

More Vendor NewsFeed »

See more from this blogger

VMware's Lost Source Code: Not A Panic Situation

Posted by Mike Fratto
April 27, 2012

VMware has confirmed that some of its source code to its ESX Server has been leaked. Cue the dramatic music and breathlessly worded missives claiming the sky is falling and your VMware environment will be secure only if you buy someone's stuff. There's no need to panic. Clearly, having its source code leaked is bad for VMware, but that doesn't mean it's bad for you. If you are using virtualization, you most likely are using VMware. If a security problem is found via the leaked source code, it may affect your current version or it may not. Either way, let's not panic. There are likely going to be other hurdles that an attacker will have to leap over to leverage a vulnerability in a hypervisor or even management system.

Before you freak out (or if you are dealing with someone who is curious, concerned or freaking out over the leaked source code), ask the following:

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

Are your hypervisors available from outside the data center in an uncontrolled manner?
Put another way, can anyone connect to the hypervisor through HTTP/HTTPS, SSH or Telnet? If the answer is yes, you have done a bad thing and you should be banished from the data center for life and made to answer level-one help desk calls.

Most likely, the answer is no. Why would you make your hypervisor available outside the confines of where it resides? There is no reason to. Sure, you might be able to access vSphere over an IPSec or SSL VPN from Starbucks, but hopefully you have that locked down pretty well. Ideally, you don't even allow that.

The point is that before attackers can do damage, they have to have access to the target. It's pretty unlikely that organizations are putting their bare ESX servers on the Internet or even on the internal network. If you are, you get what you get and you only have one place to point that finger of blame.

Are your applications on VMs running code so buggy that an attacker could break through to the underlying OS?
If the answer is yes, your programmers should be banished from writing any code that will run on a server and made to sling Microsoft VBasic for Office. While bugs and vulnerabilities in code occur, you hopefully have taken the proper steps to mitigate the damage. These can include making sure you have a software development lifecycle that addresses problems; ensuring that you have security checks built into your SDLC; using, where possible, development methods that are less prone to mistakes and services running with minimal privileges and limited access to the OS.


Page:  1 | 2  | Next Page »


Related Reading

News

Commentary

Most Popular

On the Web

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

May 2013
Network Computing: May 2013

Video


WATCH: Bob Metcalfe Plans Ethernet's 40th

WATCH: CES 2013: It's A Wrap!

WATCH: Intel touts tablets, smartphones at CES 2013


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Upcoming Events

Featured Whitepapers

 
 
What's this?
More >>


Featured Reports

 
 
What's this?
More >>


BlogRoll

TechWeb Careers