This is my first blog as a Rapid7 employee. I started in July of this year as a product manager, and my first project is helping a team build a new discovery method for Nexpose. Virtualization has been around since the 1960s, even though it didn't start to become mainstream until the late 1990s when VMware was founded. In the most recent years server virtualization has been growing at a rapid pace. As it continues to spread, it introduces gaps in your security program.
Over the last couple of months, I have talked with many Security Administrators and Infrastructure teams about their challenges with virtualization. I was truly enlightened by the issues and concerns they are having, not only because we can immediately resolve some with our upcoming Nexpose 5.0 release, but also because common themes kept coming up.
The biggest common theme was no visibility into their virtual environments. This introduces a security gap because virtual environments are very dynamic with virtual machines (VMs) being added, powered on/off, or changing hosts all the time. It's hard to truly mitigate all of the risks if you don't know what you have out there.
I'm really excited to say that in Nexpose 5.0 you can now leverage the new vAsset discovery method to discover VMs on VMware vCenter or ESX hosts. This allows you to easily discover all your VMs that are both online and offline quickly, without needing to perform a network-based discovery scan. Then, to narrow your results, you can filter your VMs by VM metadata that is retrieved from the VMware connection. After you have performed a vAsset discovery you can easily create a dynamic site that is always kept up to date when changes occur in your virtual environment. Nexpose is notified in real time when these changes are happening. This ensures your site is updated appropriately and your assets are not being missed for vulnerability or compliance scanning.
Future versions of Nexpose will continue to address additional virtualization security gaps, please leave me a comment with any ideas brewing that you'd like to see.