How Pivotal Web Services Just Improved The Security Of Your Platform

April 19, 2016 Richard Seroter


Pivotal Web ServicesHow up-to-date are your application environments? When’s the last time you updated the operating system or loaded the latest Java runtime? If your team is like most, the answer is “not often enough.” Sure, companies quickly scramble to patch (known) environments when there’s a zero-day exploit or when you have vendor software that REQUIRES the latest version of PHP or Ruby. But how do you sustainably ensure that your apps run on a secure, modern foundation? If you’re using Cloud Foundry, the answer is buildpacks.

Buildpacks are a foundational part of Cloud Foundry. They bundle up the runtime support for a host of languages and frameworks—including Java, Ruby, Go. PHP, Python and Node.js—and help Cloud Foundry properly set up the app container. What this means is that developers who use Cloud Foundry can rest assured that the underlying infrastructure AND their application runtimes are constantly kept up to date by the platform itself. Contrast that to a do-it-yourself container approach where the developer is still on the hook for maintaining the software and configurations in each container image.

While buildpacks are great, it was time to rethink how we delivered them to Cloud Foundry environments. Previously, buildpacks were larger than 5GB in size because they contained every possible runtime version, and publication required numerous manual steps. Time for a diet, and some automation!

Buildpacks now contain only the most recent two runtime versions—don’t fret, it’s easy to refer to an older buildpack version if you need it—and are automatically published to Pivotal Web Services (PWS) from GitHub releases after running through rigorous test automation. The previous buildpack publishing process was a manual, ticket-based affair, and tied to releases of Cloud Foundry itself. This new process uses real-time git hooks and a Concourse pipeline that runs a variety of smoke tests before promoting buildpacks to PWS.

Concourse pipeline running smoke tests

Looking to see this in action? Simply run a cf buildpacks command in your PWS account and observe that each buildpack reflects the latest version in GitHub!

cf buildpacks

Why does this matter? Two reasons. First, this new buildpack automation means that we can quickly deliver updates to Pivotal customers. This automation significantly reduces the window of time that your apps run on vulnerable or out-of-date runtimes. Secondly, this automated approach to buildpacks helps you transition even faster to a continually refreshed application environment.

Cloud Foundry smoke tests

Environments get stale. It’s difficult to constantly identify and upgrade hosts. If you’re following an immutable infrastructure pattern—where you replace servers in lieu of updating them—then the goal is to create new machine (or container) images and replacing existing servers that have old application code or runtime configurations. That’s a fantastic aspiration, but it’s not a trivial undertaking. And, it puts a lot of responsibility on the operations teams to build these images and the corresponding deployment pipeline. With Cloud Foundry and buildpacks, it’s simple. Instead of dealing with packaging up the machine configuration and all its dependencies, Cloud Foundry makes it easy to put the focus squarely on your application, not infrastructure.

Want to regularly push a new version of your app, and automatically grab the latest and greatest buildpack? Simply run cf push and know that a new app container is automatically configured with the latest runtime on top of up-to-date infrastructure. Have a running application and want to update its container without redeploying the app itself? Execute a cf restage command and Cloud Foundry will instantiate a new container with the latest buildpack, even if that’s not the buildpack used when you last deployed the app! That’s the value of a Cloud Native application platform.

When your application and its host are constantly kept up-to-date, you’re minimizing your security risk and maximizing your responsiveness to business demands. Cloud Foundry ensures that your platform is optimized and your team can spend less time configuring infrastructure, and more time building meaningful applications.

But don’t take my word for it, go get a free PWS account and take it for a spin yourself!


About the Author

Richard Seroter

Richard Seroter is the VP of Product Marketing at Pivotal, a 12-time Microsoft MVP for cloud, an instructor for developer-centric training company Pluralsight, the lead editor for cloud computing, and author of multiple books on application integration strategies. As VP of Product Marketing at Pivotal, Richard heads up product, partner, customer, and technical marketing and helps customers see how to transform the way they build software. Richard maintains a regularly updated blog ( on topics of architecture and solution design and can be found on Twitter as @rseroter.

Follow on Twitter More Content by Richard Seroter
This Month in Data: May 2015
This Month in Data: May 2015

Do data science teams lack courage? Are pop music lyrics getting dumber? Is Facebook limiting our access to...

GE On Cloud Foundry For The Internet Of (Really Important) Things
GE On Cloud Foundry For The Internet Of (Really Important) Things

Harel Kodesh, Vice President, Chief Technology Officer at GE Software gave one of the most impactful, no-n...