Thursday, April 28, 2022

Use Enterprise-Grade Bitnami Apps in Production with VMware Application Catalog

Originally published on the VMware Tanzu blog

Shagun Tewari and Raquel Campuzano Godoy co-wrote this post.

For the past fifteen years, the Bitnami team has delivered pre-packaged open source applications to millions of developers. Over that time, we have evolved our application catalog from delivering our stacks in the form of installers and virtual machines, to cloud native applications, containers, and Helm charts that help you build applications on any platform. Developers use the Bitnami solutions through the Bitnami Application Catalog, which is our name for the catalog available through marketplaces and on Bitnami.com. 

With over three million developers using our solutions today, there’s no doubt that Bitnami Application Catalog solutions are extremely popular and are ideal for testing purposes in development environments. 

There are, however, constraints with trying to deploy any open-source software in production/enterprise environments, including those from Bitnami Application Catalog. According to a VMware Tanzu survey taken in 2021 on the state of the software supply chain, 95 percent of respondents mentioned that there is no guarantee that vulnerabilities will be remediated, given that ownership of open-source software, in general, remains unclear. Moreover, respondents stated that it’s difficult to keep up-to-date on vulnerabilities so that they can be addressed in time. In reality, keeping up-to-date on every software and dependency vulnerability, and patching in upstream source code, is an enormous effort that few organizations can afford. It is not viable for developer teams to manually track every dependency and to make sure that application components are always updated, healthy, and patched with the latest vulnerability fixes—while guaranteeing internal compliance—instead of focusing on building new business solutions. 

This is where VMware Application Catalog comes in. With VMware Application Catalog, development teams can utilize a rich library of custom, pre-packaged, and trusted building blocks for private enterprise consumption delivered as containers, Helm charts, and virtual machines. These application building blocks are tested on multiple deployment platforms and are continuously and automatically updated for every new vulnerability fix, including those for all dependencies, thanks to an internal automatic build pipeline. 


What is VMware Application Catalog? 

Developers love open source software because it helps energize their application development cycles and offers a wide variety of community-backed technology to choose from. How do we bring these benefits into enterprise environments while avoiding any potential security pitfalls? 

VMware Application Catalog is a customizable selection of trusted, pre-packaged open-source application components that are continuously maintained and verifiably tested for use in production environments.  

It is a library of production-ready Open Virtual Appliances (OVAs), containers, and Helm charts ranging from integrated development solutions and development applications to automation tools, databases, and other backing services. These catalog images can be plugged into any stage of your company's software lifecycle.

VMware Application Catalog brings users a rich library of pre-packaged open source components in the form of Helm charts, containers, and OVAs. 


So what exactly is special about these images? This catalog can be custom-packaged on any base operating system (OS) provided by a customer. Customers may provide custom golden base OS images or choose from a set of OS images provided by VMware. 

Then, multiple functional and verification tests are run on the packaged image, including build-time Common Vulnerabilities and Exposures (CVE) scanning, antivirus scanning, and deployment testing on various platforms. 

Finally, the hardened image, along with the image metadata that contains all vulnerability, antivirus scan, and deployment test results, is pushed to a registry of the customer’s choice for secure, private consumption. 

And last but not least, VMware Application Catalog continuously monitors upstream source code changes to automatically trigger image rebuilds, testing, and pushes of the new and fixed images to the registry. This means that the catalog is always up to date. 


How is VMware Application Catalog different from Bitnami Application Catalog?  

A legitimate question for current Bitnami Application Catalog users is: how does VMware Application Catalog differ from Bitnami’s free content? We can sum up the differences by saying that Bitnami Application Catalog is a standard catalog built for the community, while VMware Application Catalog is a custom catalog designed for the enterprise. This statement condenses a list of significant differences such as: 

  • Individual vs enterprise: Bitnami Application Catalog provides software that is intended for a wide range of developers, while VMware Application Catalog supplies a library of assets specifically built to address the security needs of a specific enterprise. 
  • Customization flexibility: Bitnami Application Catalog stacks are built on only one standardized base OS image: Debian. VMware Application Catalog customers can choose to have their images packaged on top of their own golden image (e.g., their own Center for Internet Security-certified Photon OS image), or choose from several hardened Linux flavors provided by VMware Application Catalog.


VMware Application Catalog provides many different base OS images to choose from.

 

  • Automatic image library refresh: Bitnami Application Catalog releases a new version of its images every time there is a security fix, patch, or new major version available in the upstream code. However, if they’d like to use the refreshed images, developers are required to navigate to the catalog and redeploy the image to update it. With VMware Application Catalog, images are automatically rebuilt and pushed to the private registry every time there is a new version available in the upstream community to ensure the catalog is always fresh. 
  • Detailed bill of materials and metadata for proof of provenance: To get information about the stacks they are running, Bitnami users go to DockerHub or GitHub repositories. VMware Application Catalog users have direct access to extensive metadata in their repositories, which eliminates the need to monitor any external sources. This metadata is served in a JSON file that has information on how to consume the asset, its digest, its build and release dates, and a complete list of included subcomponents or libraries with license information. We also provide detailed results for CVE, antivirus, and deployment-to-platform tests, as well as other functional and verification tests conducted on the image, for full transparency and visibility. Further, this metadata is digitally signed with Cosign to protect it from tampering, which adds another layer of security to the catalog. 


Each asset available in the catalog provides users with all the information they need to consume it.

An example of a test results report which shows all the tests the application went through before being added to the customer’s catalog.
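As an added consumer-side example (not VMware's code, and using an assumed JSON schema, since the post does not publish the real field names), here is a deployment gate that reads the kind of signed metadata described above and refuses an image whose digest, scan results, subcomponent licenses, or release date do not meet local policy:

```python
import json
from datetime import datetime, timedelta

# Constructed sample of the metadata the post describes: digest, build and release
# dates, a subcomponent list with licenses, and scan/test results. The field names
# are assumptions for this example, not the catalog's real schema.
SAMPLE_METADATA = json.dumps({
    "image": "registry.example.internal/vac/nginx:1.21.6-photon4",
    "digest": "sha256:" + "ab" * 32,
    "build_date": "2022-04-20T08:00:00Z",
    "release_date": "2022-04-21T09:30:00Z",
    "subcomponents": [
        {"name": "nginx", "version": "1.21.6", "license": "BSD-2-Clause"},
        {"name": "openssl", "version": "1.1.1n", "license": "OpenSSL"},
        {"name": "readline", "version": "8.1", "license": "GPL-3.0-only"},
    ],
    "tests": {"cve_scan": "passed", "antivirus": "passed",
              "deployment": {"tkg": "passed", "aks": "passed"}},
})

DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}   # example local policy
MAX_AGE = timedelta(days=30)                           # freshness threshold

def _parse_ts(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _flatten_results(node, prefix=""):
    """Yield (test_name, result) pairs from a possibly nested results object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _flatten_results(value, f"{prefix}{key}/")
    else:
        yield prefix.rstrip("/"), node

def check_asset(metadata_json, expected_digest, now_iso, denied=DENIED_LICENSES):
    """Return a list of policy violations; an empty list means the image may be deployed.
    Assumes the metadata file's signature was already verified (the post says it is
    signed), so this only enforces policy on the content."""
    meta = json.loads(metadata_json)
    problems = []
    if meta["digest"] != expected_digest:   # metadata must describe the image we pulled
        problems.append(f"digest mismatch: metadata {meta['digest']} vs pulled {expected_digest}")
    for name, result in _flatten_results(meta["tests"]):
        if result != "passed":
            problems.append(f"test {name} is {result}")
    for comp in meta["subcomponents"]:
        if comp["license"] in denied:
            problems.append(f"{comp['name']} {comp['version']} uses denied license {comp['license']}")
    if _parse_ts(now_iso) - _parse_ts(meta["release_date"]) > MAX_AGE:
        problems.append(f"release date {meta['release_date']} is older than {MAX_AGE.days} days")
    return problems
```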


How Bitnami Application Catalog users can benefit from VMware Application Catalog 

Bitnami Application Catalog images are ideal for personal use or development environments, where the stakes are not so high. When it comes to enterprise-grade applications, software supply chain security is of the utmost importance, and developers must abide by strict IT compliance and security rules. VMware Application Catalog provides the goodness of open-source software that developers need to move faster while adhering to security and compliance regulations demanded by the operations and security teams. 

If an enterprise manages a dozen sites, this level of transparency and compliance may be achievable with the work of a single developer or by a small team. However, for large enterprises, moving to production usually means managing hundreds of thousands of applications and sites. In this scenario, companies are forced to dedicate part of their development and site-reliability engineering resources to more tedious tasks, such as tracking all application dependencies and making sure that they are kept up-to-date and patched with the latest CVE fixes to ensure internal compliance. 

VMware Application Catalog allows customers to request images that are custom-packaged on an OS of choice, hardened, security tested, and delivered to a private repository. This frees up developers from the necessity of building their own compliant application components, as well as monitoring external sources and the upstream code to keep their open-source images current. It also provides the security and operations team with detailed metadata for increased visibility and assurance that their software is secure and up-to-date. VMware Application Catalog promotes developer productivity while boosting operator and security team confidence.


Learn more about VMware Application Catalog 

To learn more about VMware Application Catalog, join our webinar session on June 23 at 10 AM PT. Register now for the session! 

For additional information, read about VMware Application Catalog on our product page, browse through all applications available on VMware Application Catalog, or read our newly updated technical documentation. 

For more questions, reach out to the product team directly at app-catalog@vmware.com.