
Software Supply Chain with VMware Application Catalog

Stephan Oetzel, Practice Lead – Solution Sales VMware Virtualization

The world of software architectures is constantly changing. In the past, applications were built on simple, centralised four-tier architectures: hardware, web servers, databases, and the application itself. Today, application architectures are evolving into complex, distributed systems that run in the cloud and draw on hypervisors and software from many other vendors. This transformation brings new opportunities, but also new challenges, because every additional supplier and component becomes part of what you ship.

The Importance of an Efficient Software Supply Chain

In this context, the importance of an efficient software supply chain becomes increasingly evident. But what exactly is a software supply chain? By analogy with a physical supply chain, it is the whole process of developing, building, deploying, and maintaining a software product. Software components from different sources are brought together to create a complete and functional product: open-source components, code from external developers, third-party tools, and the build and distribution infrastructure that assembles them. An effective software supply chain is crucial to ensure that the delivered software is secure, reliable, and meets user requirements, and that you can say with confidence where every part of it came from.

What is a CVE?

In the context of the software supply chain, the identification and naming of security vulnerabilities play a crucial role. This is where CVE comes into play, standing for "Common Vulnerabilities and Exposures." Each publicly disclosed security vulnerability receives a unique identifier known as a CVE ID, of the form CVE-YYYY-NNNN (the year of assignment followed by a sequence number). This allows security experts to communicate and exchange information about one specific vulnerability across vendors, tools, and platforms. The CVE list is maintained by the not-for-profit MITRE Corporation and is a vital resource for the security community. Note that a CVE ID only names the vulnerability; whether a given build is actually affected depends on the affected-version ranges published in the corresponding advisory, which is why an accurate inventory of the versions you run matters.

What does SBOM mean? 

Another important term in the software supply chain is SBOM, which stands for "Software Bill of Materials." This refers to a machine-readable list of the components and dependencies that make up a piece of software. As in the manufacturing industry, an SBOM provides an overview of the parts used in a product, including open-source components, third-party libraries, and internally developed code, each with its name, version, and ideally a unique package identifier. The two widely used SBOM formats are SPDX and CycloneDX.

Best Practices for Software Supply Chain 

To minimize risks in application deployment, companies should consider the following best practices:

  • Source software components only from verified and trusted sources, never from unverified downloads on the internet, and check provenance (signatures, checksums) where it is available.
  • Minimize the number of software versions in use to reduce complexity and the number of things that need patching.
  • Standardize the configuration of your applications across the organization to avoid inconsistencies.
  • Implement comprehensive security measures to protect your applications, including the build and deployment pipeline itself.
  • Test your applications on the different versions of your target platforms.
  • Use SBOMs to match the components you actually ship against known vulnerabilities (CVEs), rather than guessing what is inside an image.
  • Keep your applications and their components up to date to avoid security and performance issues.
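The two terms introduced above, CVE and SBOM, come together in the best practice of checking an SBOM against known vulnerabilities. The following is an added example, not code from the original article and not from VMware or Bitnami, showing what that check looks like in its simplest form: it parses a small CycloneDX JSON SBOM, matches each component's package URL (purl) against an advisory list, and decides from the affected-version range whether the shipped version is vulnerable. The SBOM contents, the advisory list, and the CVE-0000-* identifiers are all constructed placeholders for the example; the "introduced"/"fixed" range style is modelled on the half-open ranges used by the OSV format.

```python
"""Match an SBOM's components against a list of known vulnerabilities.

Added example. The SBOM, the advisories and the CVE-0000-* IDs below are
constructed placeholders, not real records.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.4 JSON SBOM. CycloneDX is a real format; the
# components listed here are made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "openssl", "version": "3.0.8",
     "purl": "pkg:generic/openssl@3.0.8"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "application", "name": "my-service", "version": "1.0.0"}
  ]
}
"""

# Constructed advisory list (placeholder IDs, NOT real CVEs). A version is
# affected if introduced <= version < fixed; fixed=None means no fix exists.
ADVISORIES: List[Dict[str, Optional[str]]] = [
    {"id": "CVE-0000-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.8"},
    {"id": "CVE-0000-0003", "purl": "pkg:npm/lodash",
     "introduced": "4.0.0", "fixed": "4.17.21"},
    {"id": "CVE-0000-0004", "purl": "pkg:npm/lodash",
     "introduced": "4.17.0", "fixed": None},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). Parsing stops at the first non-numeric part
    ('2.0-beta9' -> (2, 0)); a real scanner needs ecosystem-specific ordering
    for pre-releases, epochs and the like. This simplification is deliberate."""
    parts: List[int] = []
    for tok in re.split(r"[.\-+]", version):
        if not tok.isdigit():
            break
        parts.append(int(tok))
    return tuple(parts)


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1; shorter tuples are padded so 2.14 == 2.14.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    if compare_versions(v, parse_version(introduced)) < 0:
        return False
    if fixed is not None and compare_versions(v, parse_version(fixed)) >= 0:
        return False
    return True


def purl_base(purl: str) -> str:
    """Strip '@version', '?qualifiers' and '#subpath' from a purl, leaving the
    package identity. Matching on this, not on the bare name, avoids confusing
    e.g. a Maven 'core' artifact with an npm package of the same name."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def find_vulnerable(sbom_json: str, advisories: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per (component, advisory) pair whose version falls in range."""
    findings: List[Dict[str, Optional[str]]] = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # reported separately by unidentified(); never silently passed
        base = purl_base(purl)
        version = comp.get("version") or purl_base(purl.split("?", 1)[0]) and purl.split("?", 1)[0].rsplit("@", 1)[-1]
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"id": adv["id"], "component": base,
                                 "version": version, "fixed": adv["fixed"]})
    return findings


def unidentified(sbom_json: str) -> List[str]:
    """Components without a purl cannot be matched reliably; surface them."""
    return [c.get("name", "?") for c in json.loads(sbom_json).get("components", [])
            if not c.get("purl")]


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f'{f["id"]}: {f["component"]} {f["version"]} '
              f'(fixed in: {f["fixed"] or "no fix released"})')
    for name in unidentified(SBOM_JSON):
        print(f"unidentified component (no purl): {name}")
```

Two details are worth noting. The upper bound is exclusive, so openssl 3.0.8 is correctly reported as not affected by an advisory fixed in 3.0.8, while lodash 4.17.21 is still flagged by the advisory with no fix. And components without a purl are listed rather than ignored: an SBOM entry that cannot be matched is a gap in your inventory, not a clean result.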

VMware Application Catalog: The Solution 

How can VMware help you implement these best practices? The answer lies in the VMware Application Catalog.

Bitnami Application Catalog: A Free Open-Source Catalog

The Bitnami Application Catalog is a free open-source catalogue offering over 140 packaged open-source applications in various formats such as containers, Helm charts, and virtual machines. This allows developers and administrators to quickly deploy trusted open-source software applications in development and test environments.

Overview of the application types available in the Bitnami Application Catalog (Source: Bitnami by VMware)

VMware Application Catalog: The Solution for Production Environments

However, production environments place specific demands on the software supply chain. Commercial support, defined service level objectives (SLOs) for upgrades, and governance and security metadata such as SBOMs, CVE reports, provenance (proof of origin) and digitally signed artefacts are critical. VMware has released an enterprise version of the Bitnami Catalog: VMware Application Catalog. This is a cloud service that allows customers to create their own private catalogue of individually packaged open-source application components. These components are continuously maintained and verifiably tested for use in production environments.

An overview of the apps and components included in the catalogue can be found here: https://app-catalog.vmware.com/catalog. Here, too, over 140 customizable building blocks (language runtimes, app components, and supporting apps) from trusted sources are included, available in various formats.
VMware Application Catalog (Source: VMware)

Key Highlights of VMware Application Catalog

The VMware Application Catalog offers several key benefits:

  • Extensive Library: Companies have access to an extensive library of verified components in various formats, enabling standardized use of open-source software.
  • Continuous Monitoring: Constant monitoring of open-source software ensures that only the latest and most secure versions of components are used.
  • Bill of Materials: Integrated SBOMs provide insight into the software supply chain and the components used.
  • Air-gapped Support: Even in environments without full connectivity, the generated images can be used.
  • Choice of Base Images: Companies can choose from different base images or supply custom base images to integrate their own tools and agents.
  • Automated Validation: Components are tested before release, which supports reliable operation in multi-cloud environments.
  • Enterprise Support for Sealed Secrets and Kubeapps: VMware supports companies in securing Kubernetes deployments and in managing Kubernetes apps through an intuitive GUI.

Conclusion

An efficient software supply chain is critical to ensuring the security, reliability, and quality of applications. The VMware Application Catalog provides a comprehensive solution to help organisations address these challenges and effectively leverage open-source software. With the right software supply chain in place, organisations can ensure that their applications meet the highest standards while maintaining agility and innovation.

SoftwareOne leads the way: Premier status as a VMware PINNACLE Partner

SoftwareOne is one of only a handful of VMware PINNACLE Partners in Europe to have achieved the highest possible VMware Partner status. This award confirms our extensive product knowledge, our excellent consulting skills, and the sustainable implementation of VMware solutions for numerous customers.


    Strengthening the software supply chain with SoftwareOne

    We know how to optimise security and quality, and how to maintain agility and innovate. We are at the side of your developers and support your transformation in the development and deployment process.
