Classification of Attack Surfaces
§ vSphere product.
§ DevKit / tools
§ Certification tools
§ Foundation and
Integrated attack surfaces
vSphere product level security
This is mostly handled by the product security team, and every aspect
of the product documentation must be followed as it is.
We provide many different types of software development kits from the
ecosystem to integrate partner products with vSphere. Below is the list of
integration programs, backed by underlying foundation programs. Currently, all
security checks are done at the individual level, in isolation. This is risky:
looking at the entire product portfolio across SDDC, EUC and Offprem-Apps,
there is a gap in security checks for the integrated product portfolio.
Developer center program lifecycle
The development kit includes the tools and resources needed during
development of server plug-ins, driver development kits, storage hardware
plug-ins, turnkey appliances, storage and Virtual Desktop Infrastructure
(VDI) tools etc…
Certification tools allow partners to test the reliability and stability of
their product/solution
that’s been built using one of the above dev kits to meet VMware Certification
If we go deeper into the above categories, we can list many more granular
components which would require security hardening.
Development kit level
§ The dev kit components themselves.
§ Workbench appliance.
§ The final product that’s created using
Certification kit level
§ The cert components themselves.
§ Network configurations.
§ Test APIs.
§ Test Database Server configurations.
§ Test Web server configurations.
§ Fault tolerant test systems and
§ Third-party tools that are used for
The final certified components