aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • DevOps

How To Get Started Securing Your Internal Software Supply Chain

  • aster.cloud
  • March 1, 2022
  • 3 minute read

Defining, building, and delivering a secure software supply chain is challenging for many organizations. Software builds utilize many open source components, and the vast landscape of cloud native developer and platform tools grows more extensive and more diverse every day. Developers, operators, and security teams must work together to ensure software is delivered swiftly and securely to meet business and customer desires. This often means finding a way to reconcile security team goals and developer needs to establish a productive environment.

In this episode of Cloud & Culture, Danielle Burrow and Derrick Harris spoke with John Kjell and Alex Barbato of VMware Tanzu about what it takes to build an internal secure software supply chain. We cover tooling as well as the organizational shifts that lead to a more cohesive DevSecOps practice. You can listen to the full discussion in the player. Read on for some highlights.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

Use the right tools to shift security left without friction

So, who is ultimately responsible for implementing and maintaining a secure software supply chain? While application developers have traditionally been left out of security implementation in the development process, organizations are trending more and more toward a shift-left mentality, with developers sharing more responsibility for the security of their code. Providing tools that help developers take a stronger security posture and automate security tasks is key to a shift-security-left strategy. As John Kjell explains:

“When we say shift left, we’re not asking developers to become security experts….

“What we need to do is enable them to have the tools to do that job with less information. And from an organizational standpoint, that may mean that you not only just shift the responsibility left, but other people. If you’re increasing the efficiency of doing these things, hopefully, that allows some resources to take some security people, embed them with the engineers and the teams developing the software so that they can really understand the results of a scan report or different problems [you’re trying to solve] by shifting those responsibilities left.” 

Kjell says that some of this can be accomplished by utilizing tooling like VMware Tanzu Application Platform, which eliminates toil by automating many of the tasks that make software more secure by design:

Read More  Cloudian To Provide S3 Object Storage Software For VMware Cloud Foundation With VMware Tanzu

“One of the things that we’re doing specifically in Tanzu Application Platform with the supply chain choreographer and the open source project behind that, Cartographer, is this is a system that allows us to compose these supply chains…. We’re specifically building tools to do things like sign container images and verify them when they run in production so that you’re running what you actually think you deployed… being able to easily integrate things like vulnerability scanning of your source code and your container images from your registry. All of those things we have as the building blocks and then [allow] you to take your own build system and plug that in, your own test frameworks and plug those in so that you can connect this entire process of going from source code to an application running in production.” 

Of course, implementing tooling and involving developers early in the process is only part of the battle. Organizational changes are required to truly adopt a security posture that delivers secure software to customers. As Alex Barbato says, adopting a team of teams structure that offers continuous feedback can help enable teams to move faster with purpose:

“One thing we see in a lot of our engagements with the federal government is really trying to adopt … the team of teams model. And that’s something that we’ve really started to try to encourage our customers to embrace. If you have this command structure, [people build things because they were told to] versus a continuous feedback loop of people that are enabled to make decisions…. I think what we always stand firm on is you’ve got to have teams that are enabled to talk to their users and make relevant decisions….” 

Hear more of John’s and Alex’s thoughts on the process of building secure software rather than buying it, along with examples of tooling like Tanzu Application Platform, which can help automate some of the tedium for developers, operators, and security teams in this episode of Cloud & Culture.

Read More  VMware Tanzu Kubernetes Grid Now Supports GPUs Across Clouds

By Colleen Green
Source VMware Tanzu


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • DevSecOps
  • Tanzu
  • VMware
  • VMware Tanzu Application Platform
You May Also Like
View Post
  • DevOps
  • Engineering
  • Platforms

How To Fail At Platform Engineering

  • March 11, 2024
View Post
  • Computing
  • DevOps
  • Platforms

The IBM Approach To Reliable Quantum Computing

  • November 28, 2023
DevOps artifact management
View Post
  • Design
  • DevOps
  • Engineering

10 Awesome Benefits Of Artifact Management And Why You Need It

  • August 2, 2023
Automation | Gears
View Post
  • Automation
  • DevOps
  • Engineering

Automating CI/CD With GitHub Actions

  • June 13, 2023
View Post
  • DevOps
  • People

What’s The Future Of DevOps? You Tell Us. Take The 2023 Accelerate State Of DevOps Survey

  • June 2, 2023
View Post
  • Cloud-Native
  • DevOps
  • Software

7 Ways To Turn Developer Experience Into A Competitive Edge

  • May 10, 2023
View Post
  • DevOps
  • Programming
  • Software Engineering

PromptOps In application Delivery: Empowering Your Workflow with ChatGPT

  • April 30, 2023
View Post
  • Cloud-Native
  • DevOps

How To Use Weave GitOps As Your Flux UI

  • April 25, 2023

Stay Connected!
LATEST
  • 1
    Pure Accelerate 2025: All the news and updates live from Las Vegas
    • June 18, 2025
  • 2
    ‘This was a very purposeful strategy’: Pure Storage unveils Enterprise Data Cloud in bid to unify data storage, management
    • June 18, 2025
  • What is cloud bursting?
    • June 18, 2025
  • 4
    There’s a ‘cloud reset’ underway, and VMware Cloud Foundation 9.0 is a chance for Broadcom to pounce on it
    • June 17, 2025
  • What is confidential computing?
    • June 17, 2025
  • Oracle adds xAI Grok models to OCI
    • June 17, 2025
  • Fine-tune your storage-as-a-service approach
    • June 16, 2025
  • 8
    Advanced audio dialog and generation with Gemini 2.5
    • June 15, 2025
  • 9
    A Father’s Day Gift for Every Pop and Papa
    • June 13, 2025
  • 10
    Global cloud spending might be booming, but AWS is trailing Microsoft and Google
    • June 13, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Google Cloud, Cloudflare struck by widespread outages
    • June 12, 2025
  • What is PC as a service (PCaaS)?
    • June 12, 2025
  • 3
    Crayon targets mid-market gains with expanded Google Cloud partnership
    • June 10, 2025
  • By the numbers: Use AI to fill the IT skills gap
    • June 11, 2025
  • 5
    Apple services deliver powerful features and intelligent updates to users this autumn
    • June 11, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.