
Open Source Tools And Software Supply Chain Security

A lot of prominence is being given to software supply chain security. In particular, here’s a quote from a recent presidential Executive Order on improving the nation’s cybersecurity:

“The Federal Government must … advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including … Platform as a Service (PaaS);”

The solution for a truly trusted software system comes in two parts: non-technical areas and technical areas.

Non-technical aspects of the solution involve having individuals or teams focused on security and audit compliance. Internal company policies that act as a regulatory system and set standards for developers are a must, as are efforts to enforce compliance with security best practices. While this can work well for large organizations, small software engineering teams and startups do not have the bandwidth, budget, or culture to make this a reality.

Tools that are open source, governed strictly, and enable automation of secure build and deployment are the components that form the technical aspect of the solution. Engineering teams must find a way of envisioning robust security best practices and find a way to apply them without affecting the developer workflow unduly. This is a founding principle of the DevSecOps efforts within the larger community of software development professionals.

Ergo, a technology stack that:

  • is composed of open components
  • provides automated builds
  • reduces the dependency on developers
  • allows security operators to extend control
  • is actively supported by the community

is an ideal choice upon which to build a platform for use by development teams.

The focus of this article is on describing a robust stack that sits above compute and powers applications to run. The stack comprises fully customizable open source components that put reliability and security at the forefront.

Application source code is the single source of truth when working with this stack. It is the start of the whole software supply chain. Git is a popular version control system that is free and open source. Using git allows developers to work with a source code management system from which all the downstream steps are triggered.

Kubernetes is a container orchestration tool that serves as an abstraction over the infrastructure and compute powering the system from underneath. Kubernetes is an open source project belonging to the Cloud Native Computing Foundation (CNCF). In terms of popularity, it has managed to gather a large community following – second only to the Linux OS itself! Using Kubernetes brings homogeneity above the infrastructure layer and simplifies further operations.

Cloud Foundry is an open source PaaS tool. Working with Kubernetes directly introduces complexity that is a burden for developers using the platform. Cloud Foundry provides an abstraction that simplifies the developer experience and greatly eases the pain points commonly associated with Kubernetes adoption. The Cloud Foundry platform handles deploying all the applications onto the Kubernetes infrastructure: the cf push command triggers the build of a container image from application source code.

When building these containers to deploy to the runtime within Kubernetes, Cloud Foundry uses Paketo Buildpacks internally. Paketo Buildpacks are an implementation of the Cloud Native Buildpacks specification. The aim is to provide a unified means to generate OCI-compatible container images for all languages and frameworks commonly used to build applications. Paketo Buildpacks are also open source and fully customizable according to the needs of software development teams.

Together, this platform, built on open tools, actively supported by the community, and serving the exact needs of software developers, helps promote a trusted architecture upon which to stage applications. It satisfies the requirements, both implied and enumerated, of the various measures taken towards improving software security, especially across the supply chain.

To learn more about the Cloud Foundry platform, you can get started here. Join the ongoing conversation on Slack with the ever-welcoming CF community, who are always looking for folks interested in contributing to the improvement of the Cloud Foundry ecosystem.

Images courtesy Freepik.com


Ram Iyengar, AUTHOR
