DevSecOps in Practice with VMware Tanzu
Step 4: Runtime Scanning & Network Security
Security does not stop at deployment. Using Tanzu Observability and NSX-T integration:
- Runtime profiling: Tanzu identifies abnormal process execution (e.g., a web server suddenly running a crypto-miner).
- Network segmentation: Automatically generate network policies based on observed traffic (zero-trust model).
Introduction: The DevSecOps Imperative
Traditional security models fail in Kubernetes environments: containers are ephemeral, supply chains are complex, and misconfigurations are rampant. DevSecOps addresses this by shifting security "left" (earlier in the development cycle) and "right" (into runtime).
Why VMware Tanzu?
Tanzu is not just a Kubernetes distribution; it is an application platform that operationalizes:
- Supply chain security (image scanning, signing, attestation)
- Policy as code (Open Policy Agent, Kyverno)
- Runtime security (Pod Security Standards, network policies)
- Compliance automation (CIS benchmarks, FedRAMP, PCI)
Pillar 1: Secure Supply Chain (Tanzu Supply Chain)
The most significant shift in modern DevSecOps is moving from artifact storage to artifact attestation. Tanzu Application Platform (TAP) uses Cartographer to create reproducible supply chains.
- How it works: When a developer commits code to Git, the supply chain automatically triggers:
  - Source scanning (Grype or Snyk).
  - Base image update (rebasing onto a patched OS layer).
  - SBOM generation (Software Bill of Materials).
  - Signing (Cosign from Sigstore).
- Why it matters: The PDF contains a specific workflow showing how Tanzu prevents "dependency confusion" attacks by enforcing that only images signed by an internal Notary server can be promoted to staging.
7. Getting Started – Practical Steps
- Enable Tanzu Build Service on your cluster.
- Configure Harbor with vulnerability scanning and immutability rules.
- Define a ClusterSupplyChain with security stages.
- Install Gatekeeper or Kyverno with baseline Pod Security Standards.
- Set up runtime monitoring via Tanzu Observability.
- Run drills – e.g., attempt to deploy a vulnerable image and observe blocking.
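As an added example (not taken from the PDF or from the Tanzu project), the following Kyverno ClusterPolicy implements two of the controls described above in policy-as-code form: pods in the staging namespace may only run images from the internal registry that carry a valid Cosign signature, and every pod must satisfy the baseline Pod Security Standard. The registry hostname `harbor.example.internal`, the `staging` namespace and the public-key placeholder are assumptions to replace with your own values.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: staging-admission-controls
spec:
  # Enforce: non-compliant pods are rejected at admission, not just audited.
  validationFailureAction: Enforce
  background: false
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  rules:
    # Rule 1: only Cosign-signed images from the assumed internal Harbor
    # registry may be promoted into the staging namespace.
    - name: require-signed-internal-images
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - staging          # assumed namespace name
      verifyImages:
        - imageReferences:
            - "harbor.example.internal/*"   # assumed internal registry
          # Resolve tags to digests and pin the pod spec to the verified digest,
          # so a retagged image cannot slip past the signature check.
          mutateDigest: true
          verifyDigest: true
          required: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: paste the PEM public key matching the
                    # Cosign key used by the supply chain's signing stage.
                    publicKeys: |-
                      <COSIGN_PUBLIC_KEY_PEM_PLACEHOLDER>
    # Rule 2: baseline Pod Security Standard for every pod in the cluster
    # (blocks privileged containers, host namespaces, hostPath, etc.).
    - name: baseline-pod-security
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: baseline
          version: latest
```

A useful drill for the last step above is to apply this policy in `Audit` mode first and read the generated PolicyReport resources before switching to `Enforce`, so that existing workloads that would be blocked are visible in advance.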