
Tooling And Standards Are Rapidly Evolving In Software Supply Chain Security


Guest: Forest Eckhardt (LinkedIn)
Organization/Company: Cloud Foundry Foundation (CFF) (Twitter) | VMware (Twitter)
Show: TFiR: T3M

VMware Tanzu is a modular, cloud-native application platform that aims to accelerate development, delivery, and operations across multiple clouds. In this episode of TFiR: T3M, Swapnil Bhartiya sits down with Forest Eckhardt, Software Engineer at VMware, to talk about the evolution from legacy IT to cloud-native and how far companies have come with understanding and implementing security measures. He also talks about the state of tooling that is available and how well it is meeting today’s security needs. 

Evolution of security from traditional IT to the cloud-native world:

  • There has been an increased focus on software supply chain security and on understanding the dependencies and vulnerabilities inside applications.
  • Culturally, there has also been a significant shift, with a far larger portion of people now taking part in the conversation. There is much more movement and discussion internally, and best practice in this area is gaining significant traction, even though it is a slow process.

How far have companies come with security?

  • It is difficult for companies to ignore security concerns, given how much software integration there is in companies nowadays. Many companies are taking the conversation seriously.

How well are tools meeting the security needs?

  • The tooling and standards are rapidly evolving in the area of software supply chain security. Cloud-native development has enabled people to view things at a granular level of detail, down to the individual application or container.
  • Many people are working on tooling, although it is not yet fully mature.

What initiatives are we seeing from the government and the public sector?

  • Biden’s Executive Order has pushed public sector initiatives to comply with the rules it sets out. We are seeing a boom in the adoption of open-source projects as organizations look for ways to meet security compliance requirements.

How is Cloud Foundry working to ensure the security of workloads?

  • Cloud Foundry is sponsoring a project in CNCF called Paketo, which is a set of cloud-native buildpacks. Security is the number one priority, and the aim is for it to be as turnkey as possible. The buildpacks allow users to stay on the most up-to-date operating systems and support some sophisticated SBOMs.

Advice for companies:

  • Security needs to be a company-wide initiative, but it is only as strong as the individuals involved. It is crucial to prioritize compliance and security over convenience.

This summary was written by Emily Nicholls.