Defining, building, and delivering a secure software supply chain is challenging for many organizations. Software builds utilize many open source components, and the vast landscape of cloud native developer and platform tools grows more extensive and more diverse every day. Developers, operators, and security teams must work together to ensure software is delivered swiftly and securely to meet business and customer desires. This often means finding a way to reconcile security team goals and developer needs to establish a productive environment.
In this episode of Cloud & Culture, Danielle Burrow and Derrick Harris spoke with John Kjell and Alex Barbato of VMware Tanzu about what it takes to build an internal secure software supply chain. We cover tooling as well as the organizational shifts that lead to a more cohesive DevSecOps practice. You can listen to the full discussion in the player. Read on for some highlights.
Use the right tools to shift security left without friction
So, who is ultimately responsible for implementing and maintaining a secure software supply chain? While application developers have traditionally been left out of security implementation in the development process, organizations are trending more and more toward a shift-left mentality, with developers sharing more responsibility for the security of their code. Providing tools that help developers take a stronger security posture and automate security tasks is key to a shift-security-left strategy. As John Kjell explains:
“When we say shift left, we're not asking developers to become security experts….
“What we need to do is enable them to have the tools to do that job with less information. And from an organizational standpoint, that may mean that you not only just shift the responsibility left, but other people. If you’re increasing the efficiency of doing these things, hopefully, that allows some resources to take some security people, embed them with the engineers and the teams developing the software so that they can really understand the results of a scan report or different problems [you’re trying to solve] by shifting those responsibilities left.”
Kjell says that some of this can be accomplished by utilizing tooling like VMware Tanzu Application Platform, which eliminates toil by automating many of the tasks that make software more secure by design:
“One of the things that we’re doing specifically in Tanzu Application Platform with the supply chain choreographer and the open source project behind that, Cartographer, is this is a system that allows us to compose these supply chains…. We’re specifically building tools to do things like sign container images and verify them when they run in production so that you're running what you actually think you deployed… being able to easily integrate things like vulnerability scanning of your source code and your container images from your registry. All of those things we have as the building blocks and then [allow] you to take your own build system and plug that in, your own test frameworks and plug those in so that you can connect this entire process of going from source code to an application running in production."
Of course, implementing tooling and involving developers early in the process is only part of the battle. Organizational changes are required to truly adopt a security posture that delivers secure software to customers. As Alex Barbato says, adopting a team of teams structure that offers continuous feedback can help enable teams to move faster with purpose:
“One thing we see in a lot of our engagements with the federal government is really trying to adopt … the team of teams model. And that's something that we've really started to try to encourage our customers to embrace. If you have this command structure, [people build things because they were told to] versus a continuous feedback loop of people that are enabled to make decisions…. I think what we always stand firm on is you’ve got to have teams that are enabled to talk to their users and make relevant decisions….”
Hear more of John’s and Alex’s thoughts on the process of building secure software rather than buying it, along with examples of tooling like Tanzu Application Platform, which can help automate some of the tedium for developers, operators, and security teams in this episode of Cloud & Culture.
Learn more
Is Software a Thing You Buy, or a Competency You Grow?
VMware Tanzu Labs Product Manager Playbook
11 Recommended Security Practices to Manage the Container Lifecycle