
Modern App Delivery Requires a Continuous Approach to Security

Purnima Padmanabhan

At the Tanzu Division of Broadcom, we focus on how our customers can get the most out of cloud native environments while protecting against the slew of new vulnerabilities and attacks targeting their critical business apps. As important as prevention is, reducing the time it takes to recover from a breach or other issues is just as critical, if not more. This is particularly important for our customers functioning in highly regulated industries who have to keep up with continually changing security, privacy, and compliance requirements. 

We’ve found that the best way to secure large and diverse application estates is to integrate security-enhancing capabilities and processes throughout the entire application development and delivery cycle. This means treating security as an integral and continuous part of that cycle. Based on our work with many global customers, we recommend the following best practices for a continuous approach to security:

Weave security in all your processes

Adding security earlier in the app dev and delivery cycle is widely recognized as a best practice. However, on its own it is sometimes not enough. Over the years, we have seen attacks target multiple phases of the software delivery cycle, and in some cases “shifting security left” has come to mean shifting security decisions onto developers. That undue burden can become disruptive and slow down app delivery. With cyberattacks hitting many parts of the software supply chain, it is imperative to make security an integrated aspect of the whole software delivery lifecycle.

With this in mind, we designed Tanzu Platform to make security easy, while also reducing friction between dev and platform teams. We do this by allowing for separation of concerns and enabling golden paths curated by the platform engineering team. Tanzu Platform also supports patterns and technologies made popular by Spring Framework, leveraging the Buildpacks model, and the incredible Bitnami software catalog on which Tanzu Application Catalog is based. 

Turn on your automation superpower

Infusing policy-based automation into your application platform is one of the best ways to enforce and scale security policies. Platform engineers need to partner with security and compliance teams to create policies based on changing industry guidelines, vulnerability threat levels, and audit requirements, to name just a few inputs. Doing this reduces friction in the app dev and delivery process, gives security and compliance leaders peace of mind, and empowers platform engineers to deliver a secure, frictionless path to production that ultimately yields value-generating innovation.

Adopt a “continuous upgrade” culture

Security is not a one-time thing. Infrastructure needs to be secure by design and continuously updated. Introduced several years ago, the 3Rs (Rotate, Repave, and Repair) continue to be our north star for ensuring Tanzu Platform is among the most secure cloud native application platforms. More specifically, the 3Rs mandate that you:

  • Rotate system credentials every few minutes or hours.
  • Repave every server and application in the datacenter every few hours to a known, good state.
  • Repair vulnerable operating systems and application stacks consistently within hours of patch availability.
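To make the 3Rs measurable, a platform team can audit fleet inventory against concrete time windows. The following is an added example, not Tanzu code; the windows (4h rotate, 24h repave, 48h repair) and the inventory records are constructed assumptions, since the post only says "every few hours" and "within hours".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy windows for the 3Rs; a real platform sets these from its own policy.
ROTATE_MAX = timedelta(hours=4)   # max age of a system credential
REPAVE_MAX = timedelta(hours=24)  # max time since a host was rebuilt from a known-good image
REPAIR_MAX = timedelta(hours=48)  # max lag between patch availability and patch applied


@dataclass
class Host:
    name: str
    cred_issued: datetime                  # when the current credential was minted
    last_repave: datetime                  # when the host was last rebuilt from its base image
    oldest_open_fix: Optional[datetime]    # release time of the oldest unapplied fix, if any


def audit_host(host: Host, now: datetime) -> List[str]:
    """Return which of the 3Rs this host currently violates (empty list = compliant)."""
    findings = []
    if now - host.cred_issued > ROTATE_MAX:
        findings.append("rotate")
    if now - host.last_repave > REPAVE_MAX:
        findings.append("repave")
    if host.oldest_open_fix is not None and now - host.oldest_open_fix > REPAIR_MAX:
        findings.append("repair")
    return findings


def audit_fleet(hosts: List[Host], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant host name to its violated Rs; compliant hosts are omitted."""
    return {h.name: f for h in hosts if (f := audit_host(h, now))}


# Constructed sample inventory with a fixed 'now' so the result is deterministic.
NOW = datetime(2024, 10, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FLEET = [
    Host("web-01", NOW - timedelta(hours=1), NOW - timedelta(hours=6), None),
    Host("api-07", NOW - timedelta(hours=9), NOW - timedelta(hours=30), NOW - timedelta(hours=72)),
    Host("db-02", NOW - timedelta(hours=1), NOW - timedelta(hours=2), NOW - timedelta(hours=50)),
]

if __name__ == "__main__":
    for name, missed in audit_fleet(SAMPLE_FLEET, NOW).items():
        print(f"{name}: overdue for {', '.join(missed)}")
```

Feeding real inventory (credential issue times from your secrets store, image build times from the scheduler, advisory dates from your patch feed) turns this into a daily drift report.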

Ensuring all software is up to date with the most recent patches, security fixes, and regulatory compliance requirements means continuously checking the health of your system and running the most secure versions. This can be overwhelming without the right mindset and processes. So, in addition to keeping up with patches, upgrades, and bug fixes, we recommend that our customers embrace a continuous upgrade and compliance mindset. Read about what we mean by continuous upgrade culture here.

Every day, companies are competing for customers and seeking ways to capitalize on market trends and capture new revenue opportunities. At Tanzu, we advocate that technology leaders should treat security as an accelerator rather than an outcome or a one-time “check the box” requirement. To learn more, join our colleagues Rita Minachi and Chris Cropper, and Forrester’s Sandy Carielli for an in depth conversation on cybersecurity at an upcoming webinar: Go Fast and Be More Secure: Lessons Learned from the Biggest Breaches of 2024, on October 17 at 11:30 am PT.

For more about Tanzu’s approach to application security, visit the Tanzu and Security page.