As the industry-leading virtualization software company, VMware takes customer security and safety very seriously. VMware has well-established programs and practices to identify and remediate security vulnerabilities in our products and to mitigate software security risks to customers. These programs are constantly evolving based on our own experiences, changes in the threat landscape, and what we learn from industry observation and collaboration.
The VMware Security Engineering, Communications & Response group (vSECR) is the central organization within VMware responsible for developing and driving software security initiatives across all of VMware’s Research and Development organizations to reduce software security risks. The vSECR group takes a full lifecycle approach to product security from product inception to product end of life. VMware, through vSECR, is committed to the ongoing security of our products and the safety of our customers.
Technological innovation and changes in sourcing and supply chain strategies have made software supply chain security a global challenge. Threats ranging from risks associated with using third-party code and open source components to IP theft have dramatized the vulnerability of this new risk domain. VMware is taking proactive measures to minimize the occurrence of these risks and has launched several initiatives to address the security of our supply chain.
VMware is active in the greater security community and is a member of SAFECode (the Software Assurance Forum for Excellence in Code) and BSIMM (Building Security In Maturity Model). For more details about VMware product security, please refer to the VMware Product Security White Paper.
Third-party certifications such as Common Criteria and FIPS provide independent validation of the security of VMware products. These certifications are listed along with links to the official certificate or report.
Security Hardening Guides provide prescriptive guidance for customers on how to deploy VMware products in a secure manner. This guidance includes script examples and other information to help with security automation.