Testing is the foundation of software quality, and shift-left testing is the key to getting your applications online on time. This article explains why VMware Tanzu Application Platform is an excellent solution to help developers deliver high-quality software.
In the past, when working on an application software development project, those involved would tend to focus on the three areas of scope, budget, and project timeline. But Murphy's Law is always at play, and the issues described in The Mythical Man-Month by Fred Brooks are inevitable.
Usually, a large amount of time is spent discussing requirements, which eats into the development stage. Even when the system design has been thoroughly discussed and worked out, developers remain under schedule pressure, so the testing step is often omitted. As a result, it is only in production that the team learns that the application fails to accomplish the original design goals or does not meet the customer's requirements, and only then does it come to light that parts of the source code were never written or that the expected framework is not in place. This poses a security risk and ultimately delays the entire project.
Eventually, the system goes live after a bumpy development process, which is immediately followed by a series of bug fixes, feature additions, and modifications—all of which should have been thought of during the initial project planning but were not considered.
Such a system is then used and maintained for many years, passing through the hands of many developers, and drifts ever further from its original design. Without good architectural design and testing built in from the start of the project, developers lack both the confidence and the spare time to refactor, so maintenance grows harder and the iteration rate slows. The whole system becomes chaotic, an echo of the entropy law of thermodynamics: every system tends from order to disorder, and the drift is irreversible.
Michael C. Feathers, author of Working Effectively with Legacy Code, defines legacy code as code without tests, that is, a system that needs to be improved but has no test protection. This underlines the importance of testing, a process that is lacking in traditional application development.
The aforementioned traditional waterfall project management approach is riddled with problems and has led to the emergence of agile development thinking, which promotes testing first, incremental development, and early deployment. This concept has changed the way we develop software today.
Nowadays, the time and effort spent on testing at each stage of development can be pictured as the inverted triangle on the left of the figure below. Unit testing takes very little time, while system integration testing (SIT) and user acceptance testing (UAT) require far more work. The reason is easy to see: once the system enters SIT or UAT it must be connected to other systems, so finding problems takes longer, and fixing a feature requires the owners of the neighboring systems to cooperate before the system can be redeployed for another round of testing.
In contrast, if more time and effort go into unit testing, a great deal of SIT and UAT work can be avoided.
If you expect the system to respond quickly to changing requirements while keeping the source code accurate and of high quality, you must refactor continuously to keep the code clean, and you must use test-driven development to give developers and business stakeholders confidence in the applications and services they launch. Together these steps form a positive cycle.
An engineering practice management approach to agile development
We use simple methods to take applications from development to release, and they are divided into two phases: iterative development and live deployment.
During the first phase, iterative development, which is where developers should focus most of their attention, the system must meet the specifications and features the customer requires. To meet the demands of an agile team, VMware Tanzu Labs recommends that its customers adopt an open mindset that is willing to share, close teamwork, and self-discipline.
Test-driven development (TDD) is a software development approach that looks at production code from the perspective of the test code. It follows the principle of simplicity: only the requirements expressed in the test cases are considered, without first worrying about architectural issues further down the line. The key objective is to satisfy the tests by going back and forth between test code and production code in a cycle of red, green, refactor.
Because the tests protect the code, we can apply an idea from Martin Fowler's book Refactoring: refactoring begins when the first line of source code is written and ends only when the system is decommissioned. This approach largely holds off the law of entropy described above and produces production code that is easy to test and maintain.
In contrast to the rigid, unmaintained specifications written in the past, the test cases become executable artifacts. Developers thereby avoid the problem of changing A and breaking B during development, and the correctness of the system is checked continuously. This is what lets continuous integration and continuous delivery, and cloud native practices in general, run quickly and with confidence.
The agile development methodology, whether extreme programming (XP) iterations or Scrum sprints, requires small incremental steps and rapid, repeated pushes to the production environment to deliver the features the customer requires and realize business value. This requirement is the second phase: application deployment and launch. The phase begins with continuous integration, which covers source code integration, testing and scanning and, in cloud native technology, container image generation. Continuous integration is followed by image scanning and signing and, finally, storage in the image registry before the final deployment.
These processes must be jointly formulated and built by the security, operations and maintenance, and platform teams (according to organizational requirements) and made available to the developers. For the sake of efficiency, and to reduce errors caused by human intervention, they must be automated. At the same time, manual quality gates can be enforced where management or security requirements demand them, giving those responsible for quality the opportunity to give final confirmation before deployment to UAT or production environments.
Tools for all of these tasks can be found in the ecosystem hosted by the Cloud Native Computing Foundation, which lets users find the right tool for their business needs; the difficulty is choosing open source tools that are stable and reliable.
Beyond that, the security, operations, and platform teams must each assess, build, test, and manage the tools themselves, which makes finding the right tool harder still.
VMware Tanzu Application Platform and supply chain security tools
VMware Tanzu Application Platform is a series of technology stacks with a design based on the experience VMware has accumulated through many years of assisting enterprise customers in their digital transformation efforts.
As previously mentioned, the purpose of the development iteration and live deployment phases (referred to here as inner loop and outer loop) is to improve the productivity of development and operations teams, the observability of the container platform, and the security of applications and containers after deployment to Kubernetes.
For both inner loop and outer loop, Tanzu Application Platform is based on the framework of a supply chain choreographer. Depending on the different requirements and architecture design of the two phases, you can choose a single cluster or multiple clusters with individual responsibilities, such as iterate, build, stage, and production.
Together with VMware Tanzu Build Service, Anchore's Syft and Grype, and other technologies, the supply chain security tools significantly reduce the burden of setting up and managing the outer loop process for the teams involved.
The outer loop includes the security-related steps scan, store, and sign. Scan covers both source code scanning and container image scanning; after a scan, store records the packages the software uses as metadata; and sign applies a cryptographic signature to the container image.
Here are a few key points to help you understand each phase:
Source scan and image scan
Tanzu Application Platform uses Anchore's Syft and Grype to scan both the source code and the packaged container image, so that beyond the testing of the inner loop (the first phase), the software is checked again in the outer loop (the second phase); this is the shift-left testing that agile testing calls for. Syft produces a software bill of materials (SBOM) in CycloneDX format, and Grype, which accepts CycloneDX input, matches it against vulnerability data; the standard format leaves a broad range of options for future expansion. The following graphic illustrates the architecture and operation.
During the scan, the frameworks and libraries the application uses are automatically inventoried and checked, and the results are recorded in the Tanzu Application Platform metadata store. That record is what operations and maintenance consult later: when a vulnerability is disclosed in one of those packages, it shows quickly which applications are affected and where to start resolving the problem.
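What a scan step actually does, as an added example (Python written for this page, not Syft, Grype or Tanzu Application Platform code): parse a CycloneDX SBOM, match each component's package URL against vulnerability records, and apply a scan policy that blocks on Critical and High findings unless a CVE has been explicitly accepted. The SBOM, the vulnerability records, the version comparison and the policy field names are constructed or simplified for the example; Grype uses ecosystem-specific version comparators, and the platform's ScanPolicy is written in Rego.

```python
"""Scan a CycloneDX SBOM against vulnerability records and apply a scan policy.

Added example, not code from Tanzu Application Platform, Syft or Grype.
The SBOM, the vulnerability records and the policy are constructed so the
block runs offline; in the platform, Syft writes the SBOM and Grype matches
it against a real vulnerability database.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX JSON SBOM in the shape Syft emits (`syft -o cyclonedx-json`).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "name": "spring-core", "version": "5.3.18",
     "purl": "pkg:maven/org.springframework/spring-core@5.3.18?type=jar"},
    {"type": "library", "name": "openssl", "version": "1.1.1n",
     "purl": "pkg:deb/debian/openssl@1.1.1n?distro=debian-11"},
    {"type": "library", "name": "jackson-databind", "version": "2.12.3",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3?type=jar"}
  ]
}
"""

# Constructed vulnerability records: real CVE ids with their published upstream
# fix versions; a real scanner takes these from NVD and distribution feeds.
VULNS: List[Dict[str, Optional[str]]] = [
    {"id": "CVE-2021-44228", "severity": "Critical", "type": "maven",
     "name": "org.apache.logging.log4j/log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "CVE-2022-22965", "severity": "Critical", "type": "maven",
     "name": "org.springframework/spring-core", "introduced": "5.3.0", "fixed": "5.3.18"},
    {"id": "CVE-2022-0778", "severity": "High", "type": "deb",
     "name": "debian/openssl", "introduced": "1.1.1", "fixed": "1.1.1n"},
    {"id": "CVE-2020-36518", "severity": "High", "type": "maven",
     "name": "com.fasterxml.jackson.core/jackson-databind", "introduced": "2.0.0", "fixed": "2.12.6.1"},
]

# Scan policy. The field names follow the ones used in a Tanzu Application
# Platform ScanPolicy (assumption; the real policy is expressed in Rego).
POLICY = {"notAllowedSeverities": ["Critical", "High"], "ignoreCves": ["CVE-2020-36518"]}


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Return (type, namespace/name, version) from a package URL.

    Qualifiers (`?...`) and subpaths (`#...`) are dropped; they are not needed for
    matching here. pkg:maven/org.x/lib@1.2?type=jar -> ("maven", "org.x/lib", "1.2")
    """
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if body.startswith("pkg:"):
        body = body[4:]
    path, sep, version = body.rpartition("@")
    if not sep:                      # purl without a version
        path, version = body, ""
    ptype, _, name = path.partition("/")
    return ptype, name, version


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '2.12.6.1' or '1.1.1n' into a comparable tuple; numbers compare
    numerically and sort before letters. Simplification: Grype applies
    per-ecosystem rules (Debian epochs, semver pre-releases, ...)."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed; an absent bound is open."""
    v = version_key(version)
    if introduced and v < version_key(introduced):
        return False
    if fixed and v >= version_key(fixed):
        return False
    return True


def scan_sbom(sbom_json: str, vulns: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Match every SBOM component against the vulnerability records."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        ptype, name, version = parse_purl(comp["purl"])
        for vuln in vulns:
            if (vuln["type"], vuln["name"]) != (ptype, name):
                continue
            if is_affected(version, vuln["introduced"], vuln["fixed"]):
                findings.append({"cve": vuln["id"], "severity": vuln["severity"],
                                 "package": f"{name}@{version}", "fixed": vuln["fixed"]})
    return findings


def evaluate_policy(findings: List[Dict[str, Optional[str]]], policy: Dict) -> Dict[str, object]:
    """Block the supply chain on any finding whose severity is not allowed,
    unless the CVE was explicitly accepted in ignoreCves."""
    blocking = [f for f in findings
                if f["severity"] in policy["notAllowedSeverities"]
                and f["cve"] not in policy["ignoreCves"]]
    return {"allowed": not blocking, "blocking": blocking}


if __name__ == "__main__":
    found = scan_sbom(SBOM_JSON, VULNS)
    for f in found:
        print(f"{f['severity']:8} {f['cve']} in {f['package']} (fixed in {f['fixed']})")
    verdict = evaluate_policy(found, POLICY)
    print("policy:", "pass" if verdict["allowed"]
          else "FAIL, blocking " + ", ".join(b["cve"] for b in verdict["blocking"]))
```

Two details matter in practice: spring-core 5.3.18 and openssl 1.1.1n sit exactly on their fix versions and must not be reported, which is why the upper bound is exclusive; and an accepted CVE (here CVE-2020-36518, suppressed via ignoreCves) still appears in the findings that go to the store, so it remains visible even though it no longer blocks the build.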
Software metadata store
According to statistics, each system uses nearly 130 interdependent packages, 90% of which are open source software. It is therefore extremely important for enterprise customers to know the status of that open source software and to be able to respond quickly and resolve security concerns when they surface.
Tanzu Application Platform ships with PostgreSQL as the database behind the metadata store, which records the results of each scan and the packages each application uses. The contents of the store can be queried today through the insight command line interface (the tanzu insight plugin) and its API, giving users complete reference information.
Querying container image metadata
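The questions the store has to answer, as an added example (Python written for this page, not the Tanzu Application Platform store or the insight CLI): record each image's packages and findings in a relational store, then ask which images contain a package hit by a newly published CVE, which versions of a package are deployed where, and what one image digest contains. SQLite stands in for the platform's PostgreSQL, and the image names, digests and scan results are constructed.

```python
"""A minimal metadata store: record scan results per image and answer the
questions operations asks when a new CVE is published.

Added example, not the Tanzu Application Platform store or the insight CLI.
SQLite stands in for the platform's PostgreSQL; image names, digests and
scan results are constructed.
"""
import sqlite3
from typing import Dict, List, Optional, Tuple

SCHEMA = """
CREATE TABLE images (
    digest TEXT PRIMARY KEY,
    name   TEXT NOT NULL
);
CREATE TABLE packages (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    version TEXT NOT NULL,
    purl    TEXT NOT NULL UNIQUE
);
CREATE TABLE image_packages (
    image_digest TEXT    NOT NULL REFERENCES images(digest),
    package_id   INTEGER NOT NULL REFERENCES packages(id),
    PRIMARY KEY (image_digest, package_id)
);
CREATE TABLE vulnerabilities (
    cve      TEXT PRIMARY KEY,
    severity TEXT NOT NULL
);
CREATE TABLE package_vulnerabilities (
    package_id INTEGER NOT NULL REFERENCES packages(id),
    cve        TEXT    NOT NULL REFERENCES vulnerabilities(cve),
    PRIMARY KEY (package_id, cve)
);
"""

# Constructed scan results, one per built image (the digests are placeholders).
DIGEST_API = "sha256:" + "a" * 64
DIGEST_WORKER = "sha256:" + "b" * 64
DIGEST_GATEWAY = "sha256:" + "c" * 64

LOG4J_OLD = {"name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
             "vulns": [("CVE-2021-44228", "Critical")]}
SCAN_RESULTS = [
    {"image": "registry.example.com/payments/api", "digest": DIGEST_API,
     "packages": [LOG4J_OLD,
                  {"name": "spring-core", "version": "5.3.18",
                   "purl": "pkg:maven/org.springframework/spring-core@5.3.18", "vulns": []}]},
    {"image": "registry.example.com/billing/worker", "digest": DIGEST_WORKER,
     "packages": [LOG4J_OLD,
                  {"name": "jackson-databind", "version": "2.12.3",
                   "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3",
                   "vulns": [("CVE-2020-36518", "High")]}]},
    {"image": "registry.example.com/auth/gateway", "digest": DIGEST_GATEWAY,
     "packages": [{"name": "log4j-core", "version": "2.17.1",
                   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1", "vulns": []}]},
]


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_scan(conn: sqlite3.Connection, result: Dict) -> None:
    """Store one image's scan: the packages it contains and the CVEs found in them."""
    conn.execute("INSERT OR IGNORE INTO images VALUES (?, ?)", (result["digest"], result["image"]))
    for pkg in result["packages"]:
        conn.execute("INSERT OR IGNORE INTO packages (name, version, purl) VALUES (?, ?, ?)",
                     (pkg["name"], pkg["version"], pkg["purl"]))
        (pkg_id,) = conn.execute("SELECT id FROM packages WHERE purl = ?", (pkg["purl"],)).fetchone()
        conn.execute("INSERT OR IGNORE INTO image_packages VALUES (?, ?)", (result["digest"], pkg_id))
        for cve, severity in pkg["vulns"]:
            conn.execute("INSERT OR IGNORE INTO vulnerabilities VALUES (?, ?)", (cve, severity))
            conn.execute("INSERT OR IGNORE INTO package_vulnerabilities VALUES (?, ?)", (pkg_id, cve))
    conn.commit()


def images_affected_by(conn: sqlite3.Connection, cve: str) -> List[Tuple[str, str, str]]:
    """(image, digest, purl) for every image that contains a package affected by `cve`."""
    return conn.execute("""
        SELECT DISTINCT i.name, i.digest, p.purl
        FROM images i
        JOIN image_packages ip ON ip.image_digest = i.digest
        JOIN packages p        ON p.id = ip.package_id
        JOIN package_vulnerabilities pv ON pv.package_id = p.id
        WHERE pv.cve = ?
        ORDER BY i.name""", (cve,)).fetchall()


def images_with_package(conn: sqlite3.Connection, package_name: str) -> List[Tuple[str, str]]:
    """(image, version) for every image that ships `package_name`, in any version."""
    return conn.execute("""
        SELECT i.name, p.version
        FROM images i
        JOIN image_packages ip ON ip.image_digest = i.digest
        JOIN packages p        ON p.id = ip.package_id
        WHERE p.name = ?
        ORDER BY i.name""", (package_name,)).fetchall()


def image_report(conn: sqlite3.Connection, digest: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(purl, cve, severity) for one image digest; cve is None for a clean package."""
    return conn.execute("""
        SELECT p.purl, v.cve, v.severity
        FROM image_packages ip
        JOIN packages p ON p.id = ip.package_id
        LEFT JOIN package_vulnerabilities pv ON pv.package_id = p.id
        LEFT JOIN vulnerabilities v ON v.cve = pv.cve
        WHERE ip.image_digest = ?
        ORDER BY p.purl""", (digest,)).fetchall()


if __name__ == "__main__":
    store = open_store()
    for result in SCAN_RESULTS:
        record_scan(store, result)
    print("images affected by CVE-2021-44228:")
    for name, digest, purl in images_affected_by(store, "CVE-2021-44228"):
        print(f"  {name}@{digest[:19]}...  via {purl}")
```

Images are keyed by digest rather than by name and tag on purpose: a tag is republished with every build, while a digest identifies exactly the artifact that was scanned, so a later query about a CVE returns the builds that actually contain the package and not whatever the tag points to today.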
Image build
Tanzu Application Platform uses Tanzu Build Service, which is built on kpack and Cloud Native Buildpacks, to provide secure base container images, the Spring runtime, OpenJDK, and support for various programming languages.
Using Tanzu Build Service saves the trouble of writing and maintaining Dockerfiles, and the images it builds are consistent, avoiding the differences in standards that arise when each engineer writes a Dockerfile their own way. The base image and runtime are standardized across all containers, so when a base image is patched the platform can rebuild or rebase every image that depends on it.
In addition, Tanzu Build Service can sign the images it builds, and the platform's policy enforcement can reject containers that carry no signature from a recognized key, meeting security control requirements. Note that a signature covers an image digest, not a tag, so deployments should reference images by digest if the signature is to mean anything after admission.
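Filtering on the signature, as an added example (Python written for this page, not cosign, the sigstore policy controller or Tanzu Application Platform code). It assumes the cryptographic verification has already been done by cosign or the policy controller and shows the admission decisions that follow from the verified Simple Signing payloads: reject tag-only references (the signature binds a digest, and a tag can be repointed), reject digests signed by keys the policy does not trust, and reject a signed image that was re-pushed under a different repository name. The images, digests, key identifiers, the fnmatch-style policy globs and the repository check (which is stricter than what cosign enforces by default) are assumptions of this example.

```python
"""Admission gate for signed images: admit only digest-pinned references whose
signature was verified with a trusted key and issued for the same repository.

Added example, not code from Tanzu Application Platform, cosign or the sigstore
policy controller. It assumes cosign (or the policy controller) has already done
the cryptographic verification and works only on the Simple Signing payloads
that verification returned; images, digests, key ids and payloads are constructed.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

DIGEST_API = "sha256:" + "a" * 64       # constructed placeholder digests
DIGEST_WORKER = "sha256:" + "b" * 64


def parse_image_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'registry/repo[:tag][@sha256:...]' into (repo, tag, digest).
    A ':' starts a tag only if no '/' follows it; otherwise it is a registry port."""
    name, _, digest = ref.partition("@")
    repo, tag = name, None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        repo, tag = name[:colon], name[colon + 1:]
    return repo, tag, digest or None


def simple_signing(repo: str, digest: str) -> Dict:
    """A cosign Simple Signing payload: the statement the signature actually covers."""
    return {"critical": {"identity": {"docker-reference": repo},
                         "image": {"docker-manifest-digest": digest},
                         "type": "cosign container image signature"},
            "optional": None}


# Constructed: payloads whose signatures cosign already verified, and the key id each verified with.
VERIFIED_SIGNATURES = [
    {"key_id": "tap-build-key", "payload": simple_signing("registry.example.com/payments/api", DIGEST_API)},
    {"key_id": "dev-laptop-key", "payload": simple_signing("registry.example.com/billing/worker", DIGEST_WORKER)},
]

# Policy shaped like a ClusterImagePolicy: which images it covers and which keys it trusts
# (assumption: globs use fnmatch semantics here, not the policy controller's).
POLICY = {"images": ["registry.example.com/*"], "trusted_keys": {"tap-build-key"}}

POD_IMAGES = [
    f"registry.example.com/payments/api:1.4.2@{DIGEST_API}",    # signed by a trusted key
    "registry.example.com/payments/api:latest",                  # tag only, no digest
    f"registry.example.com/billing/worker@{DIGEST_WORKER}",      # signed by an untrusted key
    f"registry.example.com/staging/payments-api@{DIGEST_API}",   # same bytes, re-pushed elsewhere
    f"docker.io/library/redis@{DIGEST_API}",                     # outside the policy
]


def admit_image(ref: str, policy: Dict, verified: List[Dict]) -> Tuple[bool, str]:
    """Decide one container image; returns (admitted, reason)."""
    repo, _, digest = parse_image_ref(ref)
    if not any(fnmatch.fnmatchcase(repo, pattern) for pattern in policy["images"]):
        return False, "no policy covers this repository (failing closed)"
    if digest is None:
        return False, "tag-only reference: a signature binds a digest, and a tag can be moved later"
    reasons = []
    for sig in verified:
        critical = sig["payload"]["critical"]
        if critical["image"]["docker-manifest-digest"] != digest:
            continue
        if sig["key_id"] not in policy["trusted_keys"]:
            reasons.append(f"signature by untrusted key {sig['key_id']}")
            continue
        signed_repo, _, _ = parse_image_ref(critical["identity"]["docker-reference"])
        if signed_repo != repo:
            reasons.append(f"signature was issued for {signed_repo}, not {repo}")
            continue
        return True, f"signature by {sig['key_id']} covers {digest[:19]}..."
    return False, "; ".join(reasons) or "no verified signature for this digest"


def admit_pod(images: List[str], policy: Dict, verified: List[Dict]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every container image of a pod; the pod is admitted only if all pass."""
    return {ref: admit_image(ref, policy, verified) for ref in images}


if __name__ == "__main__":
    for ref, (ok, why) in admit_pod(POD_IMAGES, POLICY, VERIFIED_SIGNATURES).items():
        print("ADMIT " if ok else "REJECT", ref.split("@")[0], "-", why)
```

The gate fails closed on an uncovered repository and on a tag-only reference; whether a real policy controller should do the same is a deployment choice, but relaxing either one silently turns a signature check into a no-op for the images that slip past it.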
Learn more
Today's enterprises need to contend with competitors not only from the same industry, but any company that operates across sectors with strong ambition and innovation. Therefore, in addition to innovation in your original domain, it is more important to make sure your IT can quickly respond to demand and provide innovative services in order to attract customers. As a result, IT has become a core competency for enabling enterprises to compete.
Additionally, in today's internet-connected environment, the systems an enterprise relies on are highly likely to suffer unexpected attacks. In mild cases the enterprise's reputation and credibility are damaged; in serious cases the financial loss is immeasurable.
Infrastructure building, software development technology, the deployment process, and even the improvement of information security should be a focus for enterprises and substantial resources should be invested in these goals.
Therefore, it’s clear that the entire lifecycle of applications—from development and testing, to deployment and operation and maintenance—needs to be reconsidered and checked at every level. This allows applications to be deployed rapidly and iteratively, and more importantly, prevents vulnerabilities and improves information security.
Such requirements demand a tool chain that is easy to build, use, and manage—a powerful asset for modern enterprises.
Tanzu Application Platform is a comprehensive set of tools for the application development lifecycle, including supply chain security tools. These tools allow development and operations teams to work individually or in close collaboration, moving toward an efficient team that integrates development, operations, and maintenance.
The rapidly evolving supply chain security tools not only provide a standardized framework for the security tool chain, but also leave the door open for future expansion and for alternative architectures. Beyond an out-of-the-box technology stack for secure application deployment, enterprises will be able to replace the relevant tools and suites in the near future based on their needs.