aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • DevOps

How To Get Started Securing Your Internal Software Supply Chain

  • aster.cloud
  • March 1, 2022
  • 3 minute read

Defining, building, and delivering a secure software supply chain is challenging for many organizations. Software builds utilize many open source components, and the vast landscape of cloud native developer and platform tools grows more extensive and more diverse every day. Developers, operators, and security teams must work together to ensure software is delivered swiftly and securely to meet business and customer desires. This often means finding a way to reconcile security team goals and developer needs to establish a productive environment.

In this episode of Cloud & Culture, Danielle Burrow and Derrick Harris spoke with John Kjell and Alex Barbato of VMware Tanzu about what it takes to build an internal secure software supply chain. We cover tooling as well as the organizational shifts that lead to a more cohesive DevSecOps practice. You can listen to the full discussion in the player. Read on for some highlights.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

Use the right tools to shift security left without friction

So, who is ultimately responsible for implementing and maintaining a secure software supply chain? While application developers have traditionally been left out of security implementation in the development process, organizations are trending more and more toward a shift-left mentality, with developers sharing more responsibility for the security of their code. Providing tools that help developers take a stronger security posture and automate security tasks is key to a shift-security-left strategy. As John Kjell explains:

“When we say shift left, we’re not asking developers to become security experts….

“What we need to do is enable them to have the tools to do that job with less information. And from an organizational standpoint, that may mean that you not only just shift the responsibility left, but other people. If you’re increasing the efficiency of doing these things, hopefully, that allows some resources to take some security people, embed them with the engineers and the teams developing the software so that they can really understand the results of a scan report or different problems [you’re trying to solve] by shifting those responsibilities left.” 

Kjell says that some of this can be accomplished by utilizing tooling like VMware Tanzu Application Platform, which eliminates toil by automating many of the tasks that make software more secure by design:

Read More  VMware Tanzu Support Community Honored With STAR Award For Innovation And Excellence

“One of the things that we’re doing specifically in Tanzu Application Platform with the supply chain choreographer and the open source project behind that, Cartographer, is this is a system that allows us to compose these supply chains…. We’re specifically building tools to do things like sign container images and verify them when they run in production so that you’re running what you actually think you deployed… being able to easily integrate things like vulnerability scanning of your source code and your container images from your registry. All of those things we have as the building blocks and then [allow] you to take your own build system and plug that in, your own test frameworks and plug those in so that you can connect this entire process of going from source code to an application running in production.” 

Of course, implementing tooling and involving developers early in the process is only part of the battle. Organizational changes are required to truly adopt a security posture that delivers secure software to customers. As Alex Barbato says, adopting a team of teams structure that offers continuous feedback can help enable teams to move faster with purpose:

“One thing we see in a lot of our engagements with the federal government is really trying to adopt … the team of teams model. And that’s something that we’ve really started to try to encourage our customers to embrace. If you have this command structure, [people build things because they were told to] versus a continuous feedback loop of people that are enabled to make decisions…. I think what we always stand firm on is you’ve got to have teams that are enabled to talk to their users and make relevant decisions….” 

Hear more of John’s and Alex’s thoughts on the process of building secure software rather than buying it, along with examples of tooling like Tanzu Application Platform, which can help automate some of the tedium for developers, operators, and security teams in this episode of Cloud & Culture.

Read More  Google I/O 2019 | Developer Keynote

By Colleen Green
Source VMware Tanzu


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • DevSecOps
  • Tanzu
  • VMware
  • VMware Tanzu Application Platform
You May Also Like
View Post
  • DevOps
  • Engineering
  • Platforms

How To Fail At Platform Engineering

  • March 11, 2024
View Post
  • Computing
  • DevOps
  • Platforms

The IBM Approach To Reliable Quantum Computing

  • November 28, 2023
DevOps artifact management
View Post
  • Design
  • DevOps
  • Engineering

10 Awesome Benefits Of Artifact Management And Why You Need It

  • August 2, 2023
Automation | Gears
View Post
  • Automation
  • DevOps
  • Engineering

Automating CI/CD With GitHub Actions

  • June 13, 2023
View Post
  • DevOps
  • People

What’s The Future Of DevOps? You Tell Us. Take The 2023 Accelerate State Of DevOps Survey

  • June 2, 2023
View Post
  • Cloud-Native
  • DevOps
  • Software

7 Ways To Turn Developer Experience Into A Competitive Edge

  • May 10, 2023
View Post
  • DevOps
  • Programming
  • Software Engineering

PromptOps In application Delivery: Empowering Your Workflow with ChatGPT

  • April 30, 2023
View Post
  • Cloud-Native
  • DevOps

How To Use Weave GitOps As Your Flux UI

  • April 25, 2023

Stay Connected!
LATEST
  • 1
    Just make it scale: An Aurora DSQL story
    • May 29, 2025
  • 2
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • Examine the 4 types of edge computing, with examples
    • May 28, 2025
  • AI and private cloud: 2 lessons from Dell Tech World 2025
    • May 28, 2025
  • 5
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • Weigh these 6 enterprise advantages of storage as a service
    • May 28, 2025
  • 7
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 8
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 9
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
  • Gemma 3n 10
    Announcing Gemma 3n preview: powerful, efficient, mobile-first AI
    • May 22, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Understand how Windows Server 2025 PAYG licensing works
    • May 20, 2025
  • By the numbers: How upskilling fills the IT skills gap
    • May 21, 2025
  • 3
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • 4
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • 5
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.