Security frameworks are sets of well-documented standards, policies, procedures, and best practices designed to improve an organization's security posture and minimize risk. They give organizations a standardized approach to building security solutions, deploying security controls, identifying threats and vulnerabilities, and defining mitigation strategies.
These frameworks are typically published by government agencies and IT organizations to give businesses clear recommendations to follow when building products for customers that operate in highly regulated environments.
VMware Tanzu Application Catalog complies with the following security frameworks and cybersecurity agencies’ guidelines to enhance organizational security and minimize risks:
| Category | Framework | Authority |
|---|---|---|
| Software Supply Chain | Supply Chain Levels for Software Artifacts (SLSA) | Open Source Security Foundation (OpenSSF) |
| Software Supply Chain | Vulnerability Exploitability eXchange (VEX) use case recommendations | Cybersecurity and Infrastructure Security Agency (CISA) |
| Hardening | DISA's container image creation and deployment guide | Defense Information Systems Agency (DISA) for the U.S. Department of Defense (DoD) |
| Hardening | Center for Internet Security (CIS) Benchmark for Docker | CIS |
| Hardening | Security Technical Implementation Guide (STIG) | Defense Information Systems Agency (DISA) for the U.S. Department of Defense (DoD) |
| Hardening | Federal Risk and Authorization Management Program (FedRAMP) | General Services Administration (GSA) |
| Hardening | Pod Security Standards | Kubernetes hardening best practices |