Virtualization Security - Reading List (update)

(Added and updated links) Here's a reading list of interesting posts in the virtualization+security space. There is a lot of thought going on about how virtualization in the data center affects application security. If you have VMs, you ought to be reading and thinking. Really thinking.

Start with Five Immutable Laws of Virtualization Security. Follow through to the Burton Blog for details. (Pete Lindstrom, Spire Security)

Maybe read “Virtualization and Security: The Full Story” (I'm still thinking about this one.) I'm done thinking. See comments. (Sara Peters, CSI)

Thoughts on auditing virtualized environments, separation of duties, and audit controls. Are your auditors going to declare all the VMs that share the same hardware cluster in scope for the audit of one of the VMs? Ours will. (Hoff, Rational Security)

Bits on PCI compliance (Hoff, Rational Security)

The operational issues surrounding virtualized servers, or - how are you going to manage the siloed operational domains of system management, network and security, when all of the above are in one box? (Hoff, Rational Security)

The performance issues that you should think about before dumping your virtualized network and security functions onto the same processors that serve up your application. Can we say context switches? I keep thinking about a spanning tree meltdown in a virtual switch. That would be amusing. Hint: There is no wire to pull. (Hoff, Rational Security)

An analysis of patch frequency for VMware ESX. Yep - you now have another platform to patch-manage, another patch repository, another patch management console, another set of patches to run through the patch test-QA-deploy cycle. (Ronald Oglesby and Dan Pianfetti @ GlassHouse Technologies)

A summary of the four big issues surrounding virtualization. (Hoff, Rational Security)

And last, but not least, Theo's thoughts on virtualization.

"x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection.  Then running your operating
system on the other side of this brand new pile of shit."

Priceless.

--Mike