Last December, following three separate online postings of its ESX code, VMware (NYSE: VMW) faced yet another security vulnerability: an exposure in its View desktop virtualization platform through which an unauthenticated remote attacker could retrieve arbitrary files from vulnerable View servers. To its credit, in all cases the virtualization kingpin responded quickly with user advisories to apply the appropriate patches and updates.
But last month, VMware took its security thinking a bit further, surveying some 1,700 members of the independent VMware User Group (VMUG) to learn more about customers’ security policies and requirements. More specifically, the vendor wanted to know whether it should replace its just-in-time approach to security patches with regularly scheduled updates to improve patch management.
Here are some highlights of what VMware learned from the survey respondents:
- Two-thirds stick to established maintenance policies and schedules and are generally up to date with security patches (no more than four patches behind)
- One-third are well behind on security updates or never apply them
- Two-thirds consider vendor-supplied workarounds as an alternative to patching, with a large number wanting more detailed information in security advisories to help assess risks
- Half want a regular schedule for patches and half want patches released immediately as they are available
- Two-thirds protect their vSphere management networks, primarily using VLANs
So what is the upshot of the survey data for VMware’s security policies and processes? In a newly posted blog on the VMUG website, the vendor detailed its thinking:
On maintenance policies, schedules and keeping current on patches: Look for VMware to heighten user awareness of security updates: “We are considering some initiatives to increase awareness of security updates, as well as the potential for product improvements to reduce the burden of keeping up to date on security.”
On workarounds, mitigations and risk assessments: The vendor will offer more information on security advisories: “We agree that we need to provide more detail in our VMware Security Advisories (VMSAs). Your insightful feedback will help the VMware Security Response Center (VSRC) focus on the most important areas in which to improve our VMSAs in 2013.”
On scheduled patch releases or just-in-time patches: It’s possible VMware will go to regularly scheduled patch updates: “We are planning to conduct some follow-up calls to gather more data to see whether it makes sense for us to stay with our current process or whether we should further evaluate moving to a regular schedule.”
On protecting the vSphere Management Network: Expect more guidance on protecting vSphere networks: “We will investigate ways to make this best practice guidance more visible in product documentation.”