This post was co-written by Tiffany Jordan and Tazin Progga.
VMware Tanzu Application Platform is a modular, application-aware platform that gives developers a prepaved path to production for building and deploying software on any compliant public cloud or on-premises Kubernetes cluster. Designed to deliver a superior and secure developer experience, it makes the software supply chain even more secure with a suite of features, including vulnerability scanning, a software bill of materials, and image signing, and more.
An introduction to software supply chains
The simplest way to think about the supply chain for any given widget is to break it down into three parts: inputs, processes, and outputs. Inputs are the raw materials that go into making the widget. Processes are all the activities performed to turn the raw materials into a widget that customers want to buy, including its distribution. Lastly, outputs represent the final product.
Let’s draw a parallel to this for software development. In the software supply chain, the inputs are the code a developer writes coupled with the third-party dependencies or services they rely on. Those inputs are passed through a series of activities that may include building container images, performing some tests, and promoting the build to different environments, eventually releasing the finished product or feature to customers.
Visualizing the software supply chain
Looking at these activities in a linear flow is helpful. However, we know the Day 2 experience is equally as important as the first release. We need to think about the software supply chain as a cycle, and we need to continuously monitor the state of running software. Across this supply chain, there are multiple potential vectors of attack to consider, as captured in the diagram below. According to Sonatype’s 2021 State of the Software Supply Chain report, there was a 650 percent rise in software supply chain attacks in 2021, compared to a 430 percent rise in 2020.
Vectors of attack across the software supply chain
When writing source code and integrating third-party dependencies, vulnerabilities could exist or, more generally, malicious code might be injected, potentially due to compromised credentials. Upstream dependencies can compromise your build system, and new, unpatched vulnerabilities can exist in your repositories. When releasing software, a bad actor could bypass parts of your CI/CD pipeline to release a change. Not to mention new vulnerabilities will keep emerging that need constant monitoring and patching. There’s no perfect solution for securing your software supply chain, but there are things you can do to increase your security posture and alleviate friction before you release.
VMware Tanzu Application Platform’s approach
As the container ecosystem at every organization grows and becomes more complex, we know that investments in securing the software supply chain will be critical. As such, Tanzu Application Platform is designed to support customers by focusing on three key areas:
Shifting security left – Tanzu Application Platform includes security practices such as vulnerability scanning and software bill of materials generation earlier in the path to production for application teams. The goal is to reduce friction at the time of release by performing some release readiness activities earlier and more regularly, so they are less of a bottleneck in the final push to release. These activities also contribute to ensuring the DevOps team knows and trusts the “inputs” to your software supply chain.
Automating manual activities – Scanning, signing, patching, and inventorying dependencies are less error-prone and are built into the platform experience. By introducing support for these activities in supply chain templates, we hope to alleviate some of the upfront cost associated with getting these tools introduced.
Introducing security guardrails – Policies can be set upfront for a cluster or set of clusters to surface unsigned images or critical vulnerabilities and prevent those images from running.
Tanzu Application Platform is a one-stop shop for automating and securing your software supply chain, beginning with the inputs to your software (source code, third-party dependencies, and services), through the processes used to build, scan, and test workloads to an end-state, running workload. The provided default supply chains (powered by Tanzu Supply Chain Choreographer) minimize the setup effort required and introduce consistency and security to teams’ path-to-production activities. Here’s a demo of one of the supply chains in action.
Leading capabilities in Tanzu Application Platform
Tanzu Application Platform includes exciting new security features that make it faster and easier to increase the security of a software supply chain across various dimensions, captured in the diagram below. These features are available in the out-of-the-box supply chain with scan/test, or they can be downloaded and installed independently.
Security features supported in Tanzu Application Platform
Application operators can introduce source code and container image vulnerability scanning using the default scanner, open source project Grype, as well as scan-time rules in their Tanzu Application Platform supply chain. The scan-time rules, powered by Open Policy Agent, can be used to prevent critical severity vulnerabilities from flowing through the supply chain undetected and unresolved.
Software bill of materials
Trust is an important characteristic of the software supply chain. One of the ways to increase trust in a given artifact is to understand what went into it: consider its inputs and where they came from (their provenance). This is where a software bill of materials (SBoM) comes into play. While this has been a hot topic for the past year, it’s not entirely new. We’ve inventoried projects for dependencies for years in order to ensure open source license compliance.
To help customers automate this process, VMware Tanzu Build Service, leveraging Cloud Native Buildpacks, automatically generates an SBoM for Java- and Node.js-based projects. Since this SBoM is generated during the image building stage, it is more accurate and complete than one generated earlier or later in the release lifecycle. This is because it can highlight dependencies introduced at the time of build that could introduce potential for compromise.
Image signing and policy enforcement
Cryptographically signing an artifact (for example, a container image) creates metadata that people or systems can use to verify its origin and integrity. Tanzu Build Service v1.3 includes a kpack/cosign integration that allows users to configure their build system to sign container images at time of build. The signatures created will also persist as you relocate an image from one registry to the next, which is important in many use cases, including edge.
When installing Tanzu Application Platform’s full profile, you will deploy the image policy webhook. This webhook allows operations teams to create policies requiring container image signatures to be verified prior to being run. By verifying signatures on artifacts prior to their deployment, app operators can increase their confidence that any running containers are from a trusted source. It’s one of the ways that Tanzu Application Platform embeds security guardrails in the software development lifecycle.
After scans are performed, the results are automatically stored in the Tanzu Application Platform metadata store, otherwise known as the Supply Chain Security Tools Store component. This provides storage of scan results, with the ability to query relationships between vulnerabilities detected and their impacted repositories, packages, or images. You can use the Supply Chain Security Tools Store to find the correlations and answer questions such as “What Common Vulnerabilities and Exposures (CVEs) were found on this commit?” or “What images or repositories have this CVE impacting them?”
You can also customize your usage of the metadata store outside of the Tanzu Application Platform supply chain and upload SBoM data here from other sources to enhance querying coverage across packages and images running on your platform. The demo below shows the metadata store in use.
This is only the start of our supply chain security journey in Tanzu Application Platform. We see so much potential in this space for the future as the container security industry matures and new open source technologies advance. Interested in connecting more on this topic? We’d love to hear from you. Contact your VMware account team, or visit the Tanzu Application Platform resource page.