In today’s fast-paced development landscape, building and deploying applications can often feel like a race against time. Many organizations still rely on traditional, do-it-yourself (DIY) approaches to application platforms. While this can offer extensive flexibility, it also presents a complex and often overwhelming challenge when it comes to delivering a robust security posture.
Imagine a scenario: Your team is alerted to a new, critical CVE. In a DIY environment, the immediate questions are daunting: Where did it come from? Which of our countless components are affected? Which applications need immediate attention? And most importantly, how do we fix it without breaking everything else?
Traditional vulnerability scanners, although useful, often provide a broad overview by scanning entire VMs or containers, lacking the granular detail required to identify the precise source of a vulnerability. For Kubernetes-based platforms, platform engineers often find themselves sifting through vast amounts of data from various components, struggling to attribute vulnerabilities to specific components, understand their impact on running applications, and devise effective remediation strategies. The result? Delayed patching, increased risk, and a constant state of reactive firefighting.
At VMware Explore earlier this year, Broadcom announced VMware Tanzu Platform 10.3, featuring unprecedented transparency into the impact of CVEs on Tanzu products and components within an environment, such as stemcells, buildpacks, tiles, and foundations. Tanzu Hub provides a centralized, intelligent platform interface that offers deep visibility into your applications and their components.
Here’s how Tanzu Vulnerability Insights helps solve these critical challenges:
- Precise vulnerability attribution – Unlike generic scanners, Vulnerability Insights helps you determine the exact components that are vulnerable and need patching. No more guesswork or chasing phantom issues across your infrastructure.
- Clear relationship to running applications – When a new version of a buildpack is released, it’s often a mystery which applications need to be restaged. Vulnerability Insights makes these relationships crystal clear, allowing you to more quickly identify and update affected applications.
- In-context triage – Tanzu provides in-house triage information, augmenting listed vulnerabilities with crucial context-dependent factors. This means you’ll know if a critical CVE “in the wild” is actually “Not Affected: Code not reachable” within your specific Tanzu Platform environment, allowing you to prioritize effectively.
- Streamlined upgrade and remediation – Beyond identification and assessment, Vulnerability Insights integrates with Upgrade Planner, providing clear upgrade plans for platform components and taking into account versions and compatibility. This offers a direct path to patching and remediating vulnerabilities.

Using the new Tanzu Vulnerability Insights dashboard, pictured here filtered by component for Stemcell, platform engineers can see the vulnerability impacts of in-use components.
Example use cases in action:
- Responding to a new critical CVE (e.g., Log4j):
  - GUI – Use the search option in Tanzu Vulnerability Insights to quickly locate where the CVE might exist across your inventory. This includes tiles, foundations, and stemcells. Applications are easily identified by TPCF tile (stack component) and buildpacks, showing affected applications when you drill down into the component details.
- Managing 20,000+ CVEs:
  - Goal 1 – Enumerate and identify patches: Export a list of all foundations/components and download CycloneDX SBOMs for all installed versions. This allows you to download a comprehensive list of all CVEs and then script through each CVE, searching the CycloneDX files for any instances.
  - Goal 2 – More prescriptive upgrades: Focus on complex upgrades for stacks, buildpacks, or core Foundation Management components, with clear visibility into which CVEs will and won’t be addressed by specific upgrade plans.
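The "script through each CVE" step in Goal 1 can be done offline against the downloaded CycloneDX files. The following is an added example, not Tanzu code: the SBOM documents, the CVE export format (package name plus first fixed version) and the placeholder CVE IDs are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 SBOMs standing in for the per-component exports; not real Tanzu output.
SBOM_FILES = {
    "java-buildpack-4.60.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "name": "openssl", "version": "3.0.13"},
        ]}),
    "stemcell-jammy-1.800.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "openssl", "version": "3.0.10"},
            {"type": "library", "name": "curl", "version": "7.81.0"},
        ]}),
}

# Constructed CVE export with placeholder IDs: affected package and the first version that fixes it.
CVE_LIST = [
    {"id": "CVE-0000-0001", "package": "log4j-core", "fixed_in": "2.15.0"},
    {"id": "CVE-0000-0002", "package": "openssl", "fixed_in": "3.0.12"},
    {"id": "CVE-0000-0003", "package": "zlib", "fixed_in": "1.3.1"},
]

def version_key(v):
    """Split a dotted version into comparable integer parts; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def index_sbom(sbom_text):
    """Return {package name: set(versions)} from one CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    index = defaultdict(set)
    for comp in doc.get("components", []):
        if "name" in comp and "version" in comp:
            index[comp["name"]].add(comp["version"])
    return index

def find_cve_instances(sbom_files, cve_list):
    """Map each CVE id to the (sbom file, package, version) triples still below its fixed version."""
    hits = defaultdict(list)
    indexed = {name: index_sbom(text) for name, text in sbom_files.items()}
    for cve in cve_list:
        for file_name, index in indexed.items():
            for version in sorted(index.get(cve["package"], ())):
                if version_key(version) < version_key(cve["fixed_in"]):
                    hits[cve["id"]].append((file_name, cve["package"], version))
    return dict(hits)

if __name__ == "__main__":
    for cve_id, places in find_cve_instances(SBOM_FILES, CVE_LIST).items():
        print(cve_id, places)
```

CVEs whose package is absent from every SBOM (here the zlib entry) produce no output, which is the signal to drop them from the patch queue.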
It is essential to acknowledge that Tanzu Vulnerability Insights is designed to augment your existing security tooling, not replace it. It empowers platform engineers with the detailed, actionable intelligence needed to proactively manage vulnerabilities, reduce risk, and maintain a secure and resilient application platform. With API access to all dashboard information (additional API documentation is coming soon), you can also automate functionality and integrate it seamlessly with your other security tools, ensuring a robust and efficient security workflow.
Embracing vulnerability and security transparency within an application platform is paramount for cultivating a robust security posture. The Vulnerability Insights dashboard in Tanzu Platform empowers organizations to move beyond reactive firefighting, providing the granular visibility and actionable intelligence needed to proactively identify, triage, and remediate vulnerabilities with precision. This shift toward transparent and integrated security workflows not only reduces risk but also streamlines operations, ensuring applications remain secure and resilient in a rapidly evolving threat landscape.
Check out the full Tanzu Vulnerability Insights demo here:
Want to go deeper and see the Tanzu Vulnerability Insights dashboard in action? Check out this recent Cloud Foundry Weekly episode where we dig in and explain what Tanzu Vulnerability Insights dashboard means for real workloads!
For more information on Tanzu Platform, customers can visit our website or reach out to their sales team.