Still, there have been some high-profile bugs found in the software. In April 2007, Liston demonstrated an attack on VMware Workstation that allowed him to run unauthorized software on a VMware system. And in February of this year, Core Security reported a similar flaw, also in VMware's desktop software.
Mulchandani says that these disclosures have further confused users, who wrongly assume that the bugs also affect the company's widely used data center product, called ESX.
ESX, he says, has a completely different architecture from the VMware Player, Workstation and Server products that have been hacked by security researchers. These products have many experimental features that may never get included in ESX, he said.
IntelGuardians' Liston says the fact that a major flaw has not been found in ESX does not prove it is immune to bugs. "I would be willing to bet my paycheck that at some point in time, somebody's going to be able to find one of them," he said.
But the most intriguing part of the VMware security question may not relate to bugs at all. Nearly a year after the Determina acquisition, customers are still waiting to see what the company plans to do with its software, which scans the memory of Windows machines to block certain types of attack.
Mulchandani declined to comment on his company's product plans, except to say that his team is integrating the Determina software into the VMware platform.
But others say there is an obvious next step.
Because VMware ESX is already widely used in the data center to host Windows, it would be natural for the company to start selling a version of VMware that would secure Windows by default, according to Thomas Ptacek, a principal with Matasano Security.
Liston agrees that Determina may help VMware stay one step ahead of Microsoft, which is readying its own virtualization software.
"VMware is on a mission to tighten up their virtual infrastructure and to provide some things that they couldn't have provided before," Liston said. "They really sit in the perfect spot to do that kind of overall machine monitoring."