Streamlining Security Operations with VMware vRealize Automation and SaltStack

VMware vRealize Automation SaltStack SecOps: A Promising but Incomplete Compliance and Vulnerability Management Solution

In the ever-evolving landscape of cybersecurity, compliance and vulnerability management have become crucial aspects of IT system security. To address these needs, VMware has introduced vRealize Automation SaltStack SecOps, an add-on for its vRealize Automation product. This solution aims to provide full-service, closed-loop automation for IT system compliance and vulnerability remediation. However, upon closer inspection, it becomes apparent that this solution is not without its limitations.

Compliance Component: Promising but Incomplete

The Compliance portion of the SecOps add-on allows you to manage benchmarks, checks, and define assessment policies. It includes a database of up-to-date, certified security content based on CIS and DISA STIGs (Security Technical Implementation Guides). While this sounds impressive, my experience has shown that the out-of-the-box content is often outdated and missing the latest operating system releases. For instance, as of this month, the product only contains a single STIG for Red Hat Enterprise Linux 7, but there is no support for Microsoft Windows Server 2019 or the recently released Microsoft Windows Server 2022.

Moreover, VMware’s Supported Security and Compliance Benchmarks documentation provides an inaccurate list of supported benchmarks within vRealize Automation SaltStack SecOps. Upon reviewing the available compliance benchmarks, I found that the following compliance benchmarks are available:

* VMware vRealize Automation SaltStack SecOps supports the creation of custom compliance content using the SaltStack SecOps Compliance Custom Content SDK. This feature allows you to create and manage custom compliance benchmarks within the product.

Vulnerability Component: Lacking Visibility and Updates

The Vulnerability component of vRealize Automation SaltStack SecOps is where the solution truly falls short. The tool appears to primarily surface missing patch findings based on the guest operating systems’ built-in patching capabilities. It does not provide visibility into other vulnerabilities that may exist within the system. Furthermore, the vulnerability data is only updated quarterly, which could leave organizations vulnerable to new threats.

The following are the key takeaways from my experience with VMware vRealize Automation SaltStack SecOps:

* The solution has the potential to be useful for enforcing compliance with industry benchmarks.

* New industry benchmarks have not been released in a timely fashion for enforcement via SaltStack SecOps.

* The lack of timely updates and incomplete support for the latest operating systems hinder the product’s adoption within specific industries.

* Until VMware vRealize Automation SaltStack SecOps can list which vulnerabilities a system does and does not have, the solution itself will only be useful for remediating vulnerabilities imported from third-party vulnerability scanners.

In conclusion, while VMware vRealize Automation SaltStack SecOps shows promise in providing compliance and vulnerability management solutions, its limitations in supporting the latest operating systems, delivering frequent updates, and providing complete visibility into vulnerabilities hinder its usefulness in real-world scenarios. As such, organizations must carefully evaluate their needs before adopting this solution.