Don’t Dismiss the Role of Security in the Developer Experience

January 6, 2022

This post was cowritten by Deepak Belani and Ben Hale.

Since its initial beta release in September 2021, the engineers building VMware Tanzu Application Platform have been focused on two primary principles: offering a better developer experience on Kubernetes and securing the path to production. The thing is, these two concepts are inextricably linked. You can’t have a smooth developer experience without considering the security implications.

Better security to enable a smoother path to production

As we saw with the Log4Shell incident, widespread vulnerabilities can appear suddenly, requiring organization-wide mitigations over a very short period of time. Tanzu Application Platform, now available in its fourth beta version, offers users multiple ways to mitigate vulnerabilities at a large scale and with confidence.

As part of Tanzu Application Platform, VMware Tanzu Build Service builds on the CNCF Cloud Native Buildpacks project to bring a clean separation between the base image and application layers that are unique to each workload. In the case of Log4Shell, this meant Tanzu Build Service users could easily mitigate the reported vulnerability by adding an environment variable to their run image and rebasing all existing applications built on it. This rebasing takes a fraction of a second for each image because it does not require the application layers to be rebuilt. These new images trigger all the normal downstream steps on the path to production, including full test suites and progressive delivery, ensuring zero downtime and giving users confidence in the quality of the change. So, any customer of Tanzu Build Service and VMware Tanzu Application Service could quickly address the vulnerability with minimal impact. 

The Convention Service for VMware Tanzu offers an even more targeted approach to vulnerability mitigation. Utilizing the bill of materials (BOM) information created by the Paketo Buildpacks, users were able to mitigate this vulnerability by deploying a custom convention that inspects an image’s BOM and determines whether log4j-core.jar is both present and earlier than version 2.15.0 (a threshold later raised to 2.16.0). If both conditions are met, an environment variable is set in the PodSpecTemplate for that version of that workload. This change to the PodSpecTemplate then proceeds through the normal downstream steps on the path to production, including full test suites and progressive delivery, again ensuring zero downtime and giving users confidence in the quality of the change.

Finally, Metadata Service for VMware Tanzu provides a central location for inspecting application metadata such as a bill of materials. This includes the ability to view new CVEs against already built and deployed applications. Users could identify and prioritize the updates of their applications by uploading a new CVE database and then inspecting their entire footprint to determine which applications have vulnerable dependencies. Application changes then proceed through the normal downstream steps on the path to production, including full test suites and progressive delivery, again ensuring zero downtime and providing confidence in the quality of the change.
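The two checks described above, the per-image convention (is log4j-core present and older than the fixed version, and if so add an environment variable to the PodSpecTemplate) and the footprint-wide triage over many BOMs, as an added example that is not code from the post, the Convention Service or the Metadata Service. The BOM shape is a simplified, constructed CycloneDX-like dictionary rather than real Paketo output, and the environment variable name is assumed because the post does not give it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample BOMs in a simplified CycloneDX-like shape (not real Paketo output).
FLEET = {
    "orders-api":  {"components": [{"name": "log4j-core", "version": "2.14.1"},
                                   {"name": "spring-core", "version": "5.3.13"}]},
    "billing-api": {"components": [{"name": "log4j-core", "version": "2.9.1"}]},
    "gateway":     {"components": [{"name": "log4j-core", "version": "2.16.0"}]},
    "static-site": {"components": [{"name": "nginx", "version": "1.21.4"}]},
}

# Threshold the post describes: first 2.15.0, later raised to 2.16.0.
FIXED_VERSION = "2.16.0"

def parse_version(v: str) -> Tuple[int, ...]:
    """Compare numerically: lexically '2.9.1' > '2.15.0', but numerically it is older."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def log4j_core_version(bom: dict) -> Optional[str]:
    """Return the log4j-core version recorded in the BOM, or None if absent."""
    for comp in bom.get("components", []):
        if comp.get("name") == "log4j-core":
            return comp.get("version")
    return None

def needs_mitigation(bom: dict, fixed: str = FIXED_VERSION) -> bool:
    """True only when log4j-core is present AND older than the fixed version."""
    v = log4j_core_version(bom)
    return v is not None and parse_version(v) < parse_version(fixed)

def convention_env(bom: dict) -> List[dict]:
    """Env entries a convention would add to the PodSpecTemplate (empty when not needed).
    Assumption: the post does not name the variable; LOG4J_FORMAT_MSG_NO_LOOKUPS is the
    widely documented log4j 2.10+ switch and is used here as a stand-in."""
    if not needs_mitigation(bom):
        return []
    return [{"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"}]

def triage_fleet(fleet: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Footprint check over all BOMs: (workload, version) pairs needing attention, oldest first."""
    hits = [(name, log4j_core_version(b)) for name, b in fleet.items() if needs_mitigation(b)]
    return sorted(hits, key=lambda h: parse_version(h[1]))

if __name__ == "__main__":
    for workload, version in triage_fleet(FLEET):
        print(f"{workload}: log4j-core {version} -> env {convention_env(FLEET[workload])}")
```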

Here's how one of our customers described their experience responding to the Log4Shell, also known as Log4j, vulnerability:

[Our systems are] built on a modern application security pipeline, which enabled our team to immediately and surgically identify the Log4j dependencies across our entire portfolio and infrastructure. Integrated cybersecurity and developer [teams], tightly coupled, enabled immediate triage and execution of [remediation steps] in prioritized order. Having a patch plan across the tech stack enabled quick remediation across the entire platform. Just another day in the office delivering…software that [our] operators love.

Simplify app deployment with Cloud Native Runtimes

Enterprises are taking advantage of cloud native technologies to accelerate their path to production and deliver the applications and services that drive revenue. To that end, Kubernetes enables infrastructure and operations teams to automate application deployment and manage containers at scale. 

While Kubernetes offers tremendous benefits in the way of efficiency, portability, and flexibility, which can help speed time to market, there are many discrete items and processes that come with a steep learning curve. Cloud Native Runtimes included in Tanzu Application Platform takes the Kubernetes primitives and solves for the complexity by adding a layer of abstraction that simplifies the DevOps experience. 

Cloud Native Runtimes for VMware Tanzu is a serverless application runtime based on the latest Knative serving and eventing technology. Using focused APIs that provide higher-level abstraction for common use cases, Knative enables enterprises to stand up scalable, secure, stateless services in seconds. Pluggable components let you bring your own logging and monitoring, networking, and service mesh. You can run Knative anywhere Kubernetes runs, without worrying about being locked in to a single cloud. 

Cloud Native Runtimes in Tanzu Application Platform provides efficient workload scheduling and scaling with its scale-to-zero capabilities and auto-scaling primitives, meaning users can scale the number of pods up and down based on the incoming request rate. It simplifies the minutiae of Kubernetes to a single “Service” manifest, allowing dev and app operator teams to focus on what matters: rollout, scaling, and, ultimately, delivering business value. With integrated traffic splitting and steering, it is safe to roll out an app in stages, building confidence in new versions for Blue/Green deployments or Canary rollouts.

The integration between Cloud Native Runtimes and TriggerMesh makes it easy to connect different types of applications to each other, regardless of infrastructure, leveraging the industry-standard CNCF CloudEvents spec. For example, TriggerMesh gives users a standardized mechanism for integrating AWS (and other cloud) events into an application through Cloud Native Runtimes Knative eventing, without the need to alter the application or write specialized code. 

The new beta release of Cloud Native Runtimes based on Knative 1.0 provides a simpler way to map custom domains to specific services (DomainMapping) with built-in support for provisioning wildcard certificates when desired. It offers tracing improvements to eventing, event delivery, eventing HA support, and improved RabbitMQ broker throughput to run and manage modern apps with ease and simplicity.

Enhance the developer experience with Tanzu Application Platform

With Beta 4, now available, we’ve also updated Tanzu Application Platform by integrating the App Accelerator GUI within the platform to further simplify the developer experience. 

Application accelerators provide developers an easy way to bootstrap projects within their organization. Accelerators are embedded with best practices, security, and compliance guidelines and are typically defined by enterprise architects or operations teams. In this way, developers who are starting a new project do not need to start from a blank page. Instead, developers can select from a list of existing accelerators from the Tanzu Application GUI, and iterate on code using Tanzu Application Platform tooling.  

[Figure: The App Accelerator GUI as displayed in Tanzu Application Platform Beta 4]

The experience of authoring accelerators has been made more efficient by eliminating the need to commit to a code repository during the accelerator development cycle; instead, accelerator authors are able to iterate in the local file system. 

Learn more 

Download the latest Tanzu Application Platform Beta 4 release to try out supported serverless capabilities on Kubernetes through Cloud Native Runtimes. Check out the App Accelerator integration for enhanced user experience and productivity. Or contact your VMware sales rep for more information. 
