Well I for one vote that Big Ed quits his criticism and writes a better one. Or is this basically a thinly-veiled "buy my book" pitch?

“Falls Far Short” - Ouch! :)

Thanks for your valuable feedback concerning our virtualization benchmarks. We agree that the CIS ESX is not a virtualization security panacea and like all security guides there is room for additional coverage. CIS is a non-profit organization with a single purpose – provide actionable security information to the community. At the core of our guidance process you will find consensus teams comprised of volunteer developers, authors, vendors, geeks, consultants, auditors, security researchers, and spooky three letter government folks. The beating hearts behind these labels believe as CIS does – the ability to make good security decisions increases with perspective. CIS is a couple months into creating an update to the ESX security guide you reviewed and I’ve passed your feedback to the consensus team for incorporation. You are an ESX virtualization ninja and your perspective would enhance our team’s decision making ability and ultimately the guidance provided to our mutual audience - the VMWare community. Feel free to call or email and I’ll introduce you to the team. We would be excited to have you actively participate.

CIS guides are living documents that are updated as feedback is provided. As you and your many readers discover errors or omissions within CIS guides, please get involved by reporting them to cis-feedback@cisecurity.org.

Thanks,

Blake Frantz
Chief Technical Officer
The Center for Internet Security
Voice: 206-384-3023
Fax: 206-260-7528
bfrantz@cisecurity.org

Hello,

Since writing my book, quite a bit has changed. The book does discuss security, but it applies the prelude to the CISecurity benchmark and the Bastille-Linux benchmark to further harden the SC and defines some basics about logging and auditing, all in all as one person told me, and I agree, it is a primer on security. However, Virtualization Security goes far beyond what is covered in the current incarnation of this Guide, or VMware's Guide. It covers everything that directly or indirectly touches the virtual environment.

And to answer the anonymous request, it is an area of ongoing research by myself and others. Wait for my review of the DISA/STIG that should be posted soon.

Best regards,
Edward L. Haletky
Author