Written by Lloyd Woodroffe and Ryan Baker
VMware Tanzu Application Platform is an end-to-end integrated platform that enables companies to build and deploy more software, more quickly and securely, through pre-paved, customizable golden paths—all on any public cloud or on-premises Kubernetes cluster.
Tanzu Application Platform 1.8, available today, continues its mission to boost your security posture with minimal toil while increasing developer and platform engineering team productivity.
Preventing your software supply chain from become a security statistic
Software supply chain attacks are growing at an alarming rate. Based on the Sonatype annual report for Software Supply Chain security, just in 2023 there were two times more malicious packages discovered than within 2019-2022 cumulatively. Highly visible attacks on organizations like Solarwinds and CodeCov had prolific reach and has placed the spotlight on supply chain security. With the release of Tanzu Application Platform 1.8, we are happy to announce several capabilities to help you improve the security posture of your path to production.
Assurance that your security posture remains intact with SLSA and Secure Builds
We recognize the growing challenges enterprises face in securing their software development and deployment processes. With the accelerated adoption of open source software and the increasing sophistication of cyber threats, a proactive approach to security is more critical than ever. With Tanzu Application Platform 1.8, we're proud to introduce support for Software Supply Chain Levels for Software Artifacts (SLSA) Level 3. SLSA is a framework designed to enhance the security and trustworthiness of software supply chains, and achieving Level 3 represents the highest level of security assuredness.
Tanzu Application Platform 1.8 support for SLSA Level 3 is a proactive step in accelerating security best practices, providing our users with the tools and capabilities needed to stay ahead of evolving security threats.
To align with the principles of SLSA, the Build Service on Tanzu Application Platform enables provenance validation of the build process.
Tanzu Application Platform Build Service achieves SLSA Build L3 by inherently supporting hardened builds that operate independently. This eliminates the risk of malicious actors tampering with builds or one build affecting another, thereby delivering a more secure and reliable software supply chain.
That is in addition to support for SLSA Build L1 and L2. For SLSA Build L1, the Build Service validates the build provenance by generating in-toto attestations for images through kpack, and pushing these attestations to the OCI Registry alongside the built image. For SLSA Build L2, the Build Service signs the generated attestation, providing an added layer of integrity verification.
Helping you detect and prevent security impacts through detection and auto-remediation of vulnerabilities
Did you know that, according to the CVE database, in 2023 there were an average of 79 new CVE’s reported a day? That is up from 68 CVE’s a day in 2022, and that trend looks to continue in 2024. Detecting and remediating these vulnerabilities is critical to maintaining your organization's security posture. However, with vulnerabilities being reported at this alarming rate and showing no signs of slowing down, this can place a huge burden on development and operational teams.
Tanzu Application Platform 1.8 introduces several new capabilities to help you stay on top of these threats including automatic dependency and base image updates, periodic scanning of workloads for vulnerabilities, and a simplified vulnerability experience in air-gapped environments:
Automatic updates of buildpacks and stacks
Tanzu Application Platform leverages Cloud Native Buildpacks as its containerization engine to remove the need for developers to manage a Dockerfile and allows operators to ensure a consistent build experience across their development teams.
Tanzu customers can rely on Buildpacks to provide the language and runtime dependencies as well as the Stack for the base image to build an application image, removing this burden from developers.
As part of Tanzu Application Platform 1.8, customers can opt in to having their buildpacks and stacks automatically upgraded when new patch versions are released. When combined with the automated rebuild feature in the Build Service, this automation ensures that application images are built using the latest available buildpacks and stacks, and minimizes the CVEs that are found in the layers of the resulting application image.
In addition to automatic buildpack updates in Tanzu Application Platform 1.8, Customers can also leverage the newly introduced Red Hat UBI support in the Build Service. This means that Tanzu Application Platform users who may be interested in UBI due to OpenShift adoption, or preference for its security posture, can now leverage this flexibility to choose to build their apps using either Ubuntu 22.04 or UBI 8 for with the Java and NodeJS buildpacks.
Detect Newly Reported Vulnerabilities in Workloads
Each newly reported vulnerability presents a risk to your organization and it is important that the security posture of container images are evaluated frequently.
Tanzu Application Platform 1.8 ensures that any newly reported vulnerabilities are identified quickly by enabling periodic scans of container images. By rescanning the images frequently, application teams can have up-to-date security posture and mitigate security exposure of running applications due to new vulnerabilities, proactively.
With this capability, Tanzu Application Platforms maintains the security posture of applications throughout their lifecycle by initially scanning images during build time and subsequently rescanning the built images, periodically.
Streamlined Vulnerability Scanning for AirGapped Environments
With Tanzu Application Platform 1.8, we have optimized the air-gapped experience for image vulnerability scanning by making Aqua Trivy our out-of-the-box recommended scanner for air-gapped based installs.
By leveraging Aqua Trivy, users will be able to host and maintain vulnerability databases within their already existing container registry, eliminating the overhead of the web server. This greatly simplifies the installation and operations experience of running Tanzu Application Platform in an air-gapped environment.
Meeting your developers where they’re at
As part of Tanzu Application Platform 1.8, we have also introduced many new features that enhance the Developer Experience and allow them to work in a way that suits their needs.
Tanzu Developer Portal with enhanced Plug-Ins
Tanzu Developer Portal is an internal developer portal, built on Backstage, that simplifies how enterprise software organizations coordinate, collaborate, and execute across multiple teams and business units. The latest Tanzu Application Platform release has enhanced Tanzu Developer Portal’s third party and custom plugin experience.
In Tanzu Application Platform 1.8, Tanzu Developer Portal has improved on its approach for utilizing 3rd party plugins allowing Platform Engineers to offer a wide variety of plug-ins from the backstage community. Additionally, we have updated our DORA plug-in to allow for customization in choosing your environments and setting your date ranges.
Expanding our Self-Serve Data Services on Tanzu Application Platform
With Tanzu Application Platform 1.8, we have expanded our Services Toolkit offering with Amazon Web Services (AWS) RabbitMQ allowing you to Dynamically Provision and use AWS RabbitMQ with your applications.
AWS RabbitMQ joins the list of readily available services you can use on Tanzu Application Platform 1.8 and provide to your Application teams with the data services they need in a self-service manner. Service Operators can also curate their own service templates
Enhanced Accelerator Authoring Experience
Application Accelerator enables organizations to provide curated starter templates to application teams for fast bootstrapping of new applications and ensure that best practices are followed consistently across teams right upfront. Tanzu Application Platform 1.8 enhances the accelerator authoring experience by providing full local authoring capability; accelerator authors are not required to connect to a Tanzu Application Platform cluster and can perform authoring and testing of accelerators on their laptop using VSCode IDE and accelerator engine running locally. The authoring iteration cycle becomes much faster with a full local authoring experience and eliminates the need to grant access to a Tanzu Application Platform cluster to accelerator authors.
Tanzu Application Platform 1.8 now supported with TKGi
Tanzu Kubernetes Grid Integrated is now fully supported with Tanzu Application Platform. This is a critical step towards a more tightly integrated Tanzu portfolio and a particularly important enhancement for customers who are looking to accelerate application delivery on Kubernetes with ingrained security and scalability. Practically, this means that Tanzu Kubernetes Grid Integrated can be used with Tanzu Application Platform to establish faster and more secure paths to production. More information on this exciting announcement can be found here.
Learn More
Visit the Tanzu Application Platform page to explore how our product can help your organization deploy software more efficiently and securely. If you are getting started with Tanzu Application Platform, the Tech Zone page is your one-stop-shop for technical content and education.