Raquel Godoy and Victoria Ponce Sequedo contributed to this blog post.
Open source software (OSS) applications are at the heart of modern software development processes due to the variety of benefits they offer. At the same time, it is hard to ignore the increased security and compliance risks they can introduce.
Recent industry research conducted on 1,700 codebases across 17 industries indicated that 96 percent of codebases contained OSS and 84 percent contained at least one vulnerability. As a result, businesses around the world are tightening up their security policies to minimize the risk. So, to help customers enhance their compliance posture and better address the security risks posed by OSS, VMware is launching a new security-focused subcatalog within VMware Application Catalog, which will be the recommended option for customers looking to procure OSS with minimal common vulnerabilities and exposures (CVEs).
What is VMware Application Catalog?
VMware Application Catalog is the enterprise edition of the open source Bitnami Application Catalog. VMware Application Catalog is a comprehensive catalog of 100+ popular OSS applications, all of which are continuously maintained, securely packaged along with their dependencies, and privately delivered as ready-to-deploy artifacts to customers. The back-end pipelines of VMware Application Catalog and the open source Bitnami Application Catalog continuously pull upstream and trigger a new build whenever a new version of an application in the catalog is available. Over the past several years, by ensuring that our catalogs are continuously updated, we have been able to deliver fixes for many vulnerabilities in OSS components even before CVE scanners detected the vulnerabilities. As we continue to build upon our industry-leading packaging and upstream monitoring capabilities, we are happy to announce the launch of a new security-focused subcatalog within VMWare Application Catalog.
The new security-focused subcatalog of VMware Application Catalog
The security-focused subcatalog of VMware Application Catalog is a newly built subcatalog of OSS applications within the product designed to help customers procure OSS with minimal CVEs; gain strong, actionable visibility into potential vulnerabilities; and achieve an improved compliance posture.
OSS applications in this subcatalog retain the inherent features and benefits offered by VMware Application Catalog. They are all securely packaged along with all their dependencies, then privately delivered as fully functional, production-ready artifacts to customers.
It is available to all customers of VMware Application Catalog at no additional cost.
Keep reading to learn more about the features and benefits of the new security-focused subcatalog within VMware Application Catalog, as well as how to build your images using it.
Minimal CVEs and faster response time
VMware Application Catalog offers third-party-maintained Linux distributions, such as Red Hat Universal Base Image, Ubuntu, and Debian, as well as VMware’s Photon OS as the base operating system (OS) options. This enables customers to choose their preferred Linux distribution as the base OS image according to their internal enterprise policies.
If the upstream vendor of an OSS application in VMware Application Catalog releases a security patch, it’s important that all the vulnerability fixes in that patch are included in the base OS image as well. Otherwise, the OSS application could still remain unsecured despite the availability of a security patch. As VMware does not exercise control over the security fixes and vulnerability responses of third-party Linux distributions, we cannot ensure that the OSS applications built on top of those third-party Linux distributions contain all available vulnerability fixes.
Since Photon OS is a VMware-maintained project, we have the control we need over security fixes and vulnerability response. Photon OS is also a lightweight distribution with fewer dependencies compared to other distributions, and fewer dependencies typically mean fewer possibilities of security vulnerabilities. In addition, Photon OS has a history of good maintenance and minimal known vulnerabilities—so much so that a couple of years ago, when VMware Application Catalog started supporting Photon OS 3.0, we needed to clarify in our documentation that the CVE scan reports showing zero CVEs for applications built on top of Photon OS were not due to a mistake or a bug.
For these reasons, Photon OS is the officially recommended option for customers who desire zero CVEs, and it is used as the base image for the security-focused subcatalog in VMware Application Catalog. However, to offer our customers the flexibility to use the base image of their choice, VMware Application Catalog provides the latest versions of above-mentioned third-party Linux distributions (in addition to Photon OS) as base image options.
Security advisories for existing CVEs
Photon OS, in combination with VMware Application Catalog’s continuous upstream monitoring mechanism, can get you close to zero CVEs, and for some applications, we might even get an actual zero CVE report from CVE scanners. But invariably, vulnerabilities will appear sooner or later. To better deal with these vulnerabilities, the security-focused subcatalog of VMware Application Catalog will come with Vulnerability Exploitability eXchange (VEX) documentation in the OASIS standard Common Security Advisory Framework (CSAF) format.
VEX is a concept developed as part of the National Telecommunications and Information Administration (NTIA) Multistakeholder Process for Software Component Transparency. Our team of experts works behind the scenes to analyze new CVEs affecting the applications in VMware Application Catalog and to provide assessment details, vulnerability status, and remediation actions as part of VEX documentation. This is designed to help our customers gain actionable visibility into their upstream vulnerabilities, assess the true risk posed by each of them, and optimize their security decision-making processes. Read more about VEX in VMware Application Catalog.
FIPS compliance
Federal Information Processing Standards (FIPS) are United States government security standards specifically focused on data encryption, and they are a key requirement for U.S. government agencies, contractors, and any third party working with federal agencies. For any OSS application to be compliant with FIPS, at minimum the base image on top of which it is built needs to support FIPS.
Photon OS, the base operating system for the security-focused subcatalog in VMware Application Catalog, supports FIPS. We have identified and labeled those OSS applications whose upstream vendor supports FIPS 140-2 compliance and are built with Photon OS. So, customers who want to achieve FIPS 140-2 compliance can readily identify OSS applications that have checked off two of the FIPS compliance requirements. Read more about achieving FIPS 140-2 compliance with VMware Application Catalog in our documentation.
Verified for air-gapped deployments
Businesses operating in highly regulated environments often prefer having their software run in air-gapped environments for additional security. Applications in the security-focused subcatalog of VMware Application Catalog are verified for functionality in air-gapped environments. Thus, customers seeking air-gapped deployments get verified, ready-to-use OSS applications from our security-focused subcatalog.
Multi-arch images
Users of VMware Application Catalog typically get container images in the AMD64 format for all base OS options. However, the container images delivered as part of the recommended subcatalog will be multi-arch, supporting ARM64 architecture as well as AMD64. This means that container images from the security-focused subcatalog of VMware Application Catalog can be deployed as ARM64 or AMD64, depending on the architecture of the platform on which they are deployed into.
Get started with the new security-focused subcatalog
With the above-mentioned new capabilities and the additional focus that we are giving to the security-focused subcatalog, we aim to help our customers better address the security and compliance concerns associated with OSS and promote sustainable open source adoption. So how can you get started?
Customers can opt to get OSS applications from the recommended security-focused subcatalog of VMware Application Catalog by following these two simple steps when adding new applications.
1. Choose the Custom option while selecting the configuration for your new applications.
2. Choose Kubernetes as the deployment platform, and select Photon OS 4.0 as the base image.
After this, complete the remaining steps involved in adding new applications as usual to take advantage of the features mentioned above as part of our security-focused subcatalog.
Learn more
This white paper has more information about the security measures in VMware Application Catalog. To learn more about VMware Application Catalog in general, read the product webpage, Tech Zone page, technical documentation, or the resources page, or write to us directly at [email protected].
Read about all of the announcements coming from the VMware Tanzu team at VMware Explore 2023.
This article may contain hyperlinks to non-VMware websites that are created and maintained by third parties who are solely responsible for the content on such websites.