Gain Insights into the Risks You Face from Open Source Dependencies with VMware Tanzu OSS Health Assessment

April 9, 2024 Bala Bharathy U

Open Source Software (OSS) components are an indispensable part of today's software development process. However, as OSS use grows, so does the threat landscape and the potential exposure to security risks. Yet we often find that enterprise IT teams are unaware of the OSS footprint in their environment, which leaves them with a very limited picture of the OSS their developers use and how secure or risky it is.

To help you get a clear picture of your OSS supply chain and the risks you face from your open source software dependencies, we have launched the VMware Tanzu OSS Health Assessment. In this blog, we will dive into what the VMware Tanzu OSS Health Assessment is and how you can realize its benefits.

What is VMware Tanzu OSS Health Assessment?

VMware Tanzu OSS Health Assessment is a freely available tool that helps you gain an in-depth understanding of your OSS dependencies and their impact on your security and compliance posture.

The tool can be used to analyze your Kubernetes clusters, local folders or repositories with Helm charts, YAML files, and public container images stored in open repositories, such as DockerHub, or locally in private repositories.

After analyzing the resource you choose, the tool generates a report with details on all potential misconfigurations and security vulnerabilities that put you at risk, along with a list of applications from VMware Tanzu Application Catalog that could be of help to you in improving the security of your software supply chain.

Let’s look at each major section presented in the report.

Overview section

The Overview section shows the number of Kubernetes resources and container images analyzed by the tool, with an interactive graphical overview of all key findings of the report, followed by the compliance score of your Kubernetes resources against standards that include MITRE, CIS, SOC2, and NSA. This section also provides an estimate of the developer hours and costs you would incur if you chose to fix all of these misconfigurations and vulnerabilities on your own.

Overview section of the VMware Tanzu OSS Health Assessment Report

Misconfigurations section

The Misconfiguration section lists the controls that your Kubernetes resources fail to pass, detailing severity levels, steps for remediation, and how VMware Tanzu Application Catalog can provide assistance.

The OSS Health Assessment identifies misconfigurations in your OSS dependencies by comparing the configuration of the OSS in your environment against standard security practices. The tool leverages Kubescape, an open source Kubernetes security platform, taking the best practices codified as controls by Armo as a reference. These controls are preventative, detective or corrective measures that can be taken to avoid, or contain, a security breach. Examples of misconfigurations reported include granting privilege escalation rights to applications that do not need them, granting root privileges to applications that do not need them, blocked ingress and egress, and more.
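To make the control-based approach concrete, here is an added example (not code from the assessment or from Kubescape) that evaluates two of the misconfigurations named above, privilege escalation and root containers, over workload manifests embedded as Python dicts. The manifests are constructed sample input and the control labels and remediation strings are hypothetical.

```python
"""Evaluate Kubernetes workload specs against two hypothetical controls that
mirror findings the report lists: containers allowed to escalate privileges and
containers that may run as root. Sample manifests are constructed inline."""

# Constructed sample workloads: one hardened, one explicitly weak, one that
# simply omits securityContext and therefore inherits Kubernetes' permissive defaults.
SAMPLE_WORKLOADS = [
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{"name": "app", "image": "api:2.0",
                         "securityContext": {"allowPrivilegeEscalation": False,
                                             "runAsUser": 1000}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "app", "image": "nginx:1.25",
                         "securityContext": {"allowPrivilegeEscalation": True,
                                             "runAsUser": 0}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "worker"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "job", "image": "worker:1.0"}]}}}},
]


def check_workload(workload):
    """Return (control, container, remediation) tuples for each failed control."""
    findings = []
    spec = workload["spec"]["template"]["spec"]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        # Escalation is allowed unless the container explicitly disables it.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("privilege-escalation", c["name"],
                             "set securityContext.allowPrivilegeEscalation: false"))
        # Container-level settings override pod-level ones; absent both, root is possible.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0 or (not non_root and run_as_user is None):
            findings.append(("root-container", c["name"],
                             "set runAsNonRoot: true and a non-zero runAsUser"))
    return findings


def scan(workloads):
    """Map each workload name to its list of findings."""
    return {w["metadata"]["name"]: check_workload(w) for w in workloads}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_WORKLOADS).items():
        print(name, findings or "compliant")
```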

Misconfigurations section of the VMware Tanzu OSS Health Assessment Report

Security vulnerabilities section

This section provides a list of all vulnerabilities present in the analyzed open source container images and the severity level of each of those vulnerabilities. By further exploring this section, you'll find a list of all the CVEs detected as well as links to detailed information.

Security Vulnerabilities section of the VMware Tanzu OSS Health Assessment Report

VMware Tanzu Application Catalog supported images section

Based on the OSS you use, the report shares a list of equivalent applications that you could start using from VMware Tanzu Application Catalog, and a high-level estimate of the cost savings you could realize by doing so (see the Overview section). In addition, if the scan identifies that your current container is running an older version than what's available in VMware Tanzu Application Catalog, it presents a list of proposed versions available in the catalog.

This helps you to understand if, and how, there is an opportunity for you to benefit from VMware Tanzu Application Catalog.

VMware Tanzu Application Catalog supported section of the VMware Tanzu OSS Health Assessment Report

To see what a complete report looks like, click here.

Next steps

The OSS Health Assessment can help you effectively identify, remediate, and mitigate risks in your application by making you aware of the potential vulnerabilities and misconfigurations that exist in the OSS your developers use.

Ready to secure your OSS supply chain? Try the free OSS Health Assessment today.

About the Author

Bala Bharathy U

Bala Bharathy U is part of the product marketing team of VMware Tanzu, focusing on VMware Application Catalog and VMware Image Builder. He started his product marketing career in 2020 and has since worked on products across multiple tech domains, including virtualization, security, remote access, and application modernization.
