Today, virtualization and cloud computing are becoming extremely popular. This article on darkreading.com quotes Eric Chiu, founder and president of the virtualization security firm HyTrust, stating that "Virtualization is mainstream and over 50 percent of enterprise datacenters are now virtualized." Because of this growing usage of virtual machines, they are a growing target for attack by malicious users.
Theft of a portion of VMware's ESX hypervisor product is a big deal. VMware apparently did not offer any clues as to how or when the breach occurred, but a hacker has taken credit for the theft and posted one file's worth of source code for public viewing. VMware officials, the article explains, say that the code is legitimate, but from inspection of the code and the developer comments, they say it dates back to 2003-2004.
VMware claims that customers should not be concerned about any risks brought about by this theft and broadcast of the code. They stand firm with their philosophy of not relying on security through obscurity, which is to say they keep source code shared among certain industry partners in order to increase the number of eyes and brains working on making the code as secure as possible.
"VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."
I believe, and have said it many times before, that this is crucial to circumventing the problems that present themselves when breaches do happen. A similar situation happened with Symantec's pcAnywhere suite: they suffered severe public image damage, customer loss, market share damage, and loss of brand loyalty due to the vulnerabilities that ensued after a similar breach and broadcast of some of their source code. Symantec operated on a security-through-obscurity model and treated source code as top secret, assuming that if you can't see the code, you can't take advantage of the not-so-ideal coding practices that cause vulnerabilities.
The article explains, and I agree, that this just goes to show that even the most prepared companies, with balls-to-the-wall security and non-disclosure implementations, can still fall victim to this type of security breach. Whether it was due to a great-wall attack, a man-in-the-middle attack, or simply a social engineering hijack, we do not know, but does it really matter?
Furthermore, this announcement by VMware bolsters the argument for open source products. A good idea in this day and age of software, in my opinion, is to get as many brains as possible looking at your product's code, to widen the range of perspectives and increase the chances of finding flaws and vulnerabilities before they become a real threat to customers.