We are proud to announce the successful results of an independent source-code review and penetration test of vSentry version 2.4 by the leading security consultancy IOActive – acknowledged as one of the world’s leading security firms serving Global 1000 customers, and with an enviable reputation in software assurance and penetration testing. We gave IOActive the source code for vSentry and tasked them with breaking it – with complete freedom to publish their findings, good or bad.
You’d be forgiven for thinking we’re nuts. Why would we do this?
We are as tired as you are of the exaggerated claims made by security vendors – products that claim to secure your environment that … don’t really. We think it’s time to change the conversation: When vendor claims are verifiable, customers can properly understand their security posture – and they will reject products that don’t deliver. We’d like the industry to stop blaming the victims and focus instead on defeating attackers.
Bromium is single-mindedly committed to delivering a product that transforms the security of endpoints by design, using micro-virtualization – without relying on detection, fuzzy logic, better heuristics, big data, machine learning or other hail-mary passes. But we also recognize that we stand on the shoulders of giants – the security community whose diligence and dedication helps to protect us. We want to deliver a product that offers the best possible defense, so we need the world’s best pen-testers to attack it. We recognize that If we are to make credible claims of security by design, they must be validated by the best in the business.
When we asked our customers to recommend a firm with the right skill set and integrity, they were unanimous. IOActive has impeccable credentials in research and analysis, and its hard-won reputation is born of leading edge research in pen-testing, reverse engineering, code review, social engineering, and hardware security.
IOActive conducted a comprehensive analysis of Bromium vSentry v2.4 over several months, using a team with expertise in the attack surface of applications, the Windows kernel, hypervisors and hardware virtualization. They analyzed the vSentry product architecture and source-code and conducted a comprehensive run-time penetration test with the aim of escaping the isolation of a micro-VM, compromising the Microvisor, and attacking the Windows desktop.
We are proud that IOActive discovered no vulnerabilities that can be used to defeat or disable vSentry or compromise the endpoint. Their work validated two key principles that guide development at Bromium:
- First, we emphasize minimalism. Xen is small, but micro-Xen is very substantially smaller. We focus on reducing the attack surface so that we can reasonably claim to defend it. We apply strict development standards, and all code is scrutinized by multiple developers.
- Second, Bromium has (in Bromium Labs) a separate, elite team of security analysts. Their job is both to guide our architects and also to attack the product using an extensive set of automated probes and manual pen-tests, to ensure that developers haven’t slipped up.
IOActive added yet another degree of separation and an independent team of experts with source code access. vSentry passed their review with flying colors, and their insights and feedback have already been incorporated into the product. Crucially, we have developed a powerful way to engage with leaders in the security community that credibly bolsters our own effort to deliver best-in-class products. We are proud to be better at what we do, because we exposed our work to the best.
We are committed to regular 3rd party assessment of the security of our products because our customers depend on us to protect their most valuable assets, and because security is a problem that benefits from a “many eyes” approach. We hope that by setting an example we can convince other vendors to make a similar commitment to independent validation, and that over time customers will begin to demand that their vendors adopt this approach.
If you’d like to receive the IOActive report please email me.