VMware Tanzu Application Service Compliance

The Tanzu Application Service (TAS for VMs) product feature set is sufficient to satisfy the technical requirements implied in SI-16. Each instance of an app deployed to TAS for VMs runs within its own container, a self-contained environment. This container isolates processes, memory, and the filesystem using operating system features and the characteristics of the virtual and physical infrastructure where TAS for VMs is deployed.

TAS for VMs stemcells follow industry-standard hardening guidance and maintain a secure posture by default. For example, TAS for VMs is preconfigured to randomize address space layout and to mount file systems with restrictive options such as noexec and read-only.

For more information, see Understanding Container Security.
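
One way to collect evidence for the defaults named above (address space layout randomization, noexec and read-only mounts) on a Linux VM or container host. This is an added example, not VMware's code; the function names, the mount points checked and the sample data are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. The mount points checked are the auditor's choice, not a VMware list.

# aslr_mode [FILE]: map kernel.randomize_va_space to full/partial/disabled.
aslr_mode() {
  local v
  v="$(tr -d '[:space:]' < "${1:-/proc/sys/kernel/randomize_va_space}")" || return 2
  case "$v" in
    2) echo full ;;       # stack, mmap, VDSO and heap (brk) randomized
    1) echo partial ;;    # heap (brk) not randomized
    0) echo disabled ;;
    *) echo unknown; return 2 ;;
  esac
}

# mount_has_option MOUNTPOINT OPTION [MOUNTS_FILE]
# 0 = option present, 1 = option missing, 2 = mount point not found.
mount_has_option() {
  awk -v mp="$1" -v opt="$2" '
    $2 == mp { opts = $4; seen = 1 }   # last entry wins when overmounted
    END {
      if (!seen) exit 2
      n = split(opts, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == opt) exit 0
      exit 1
    }' "${3:-/proc/mounts}"
}

# si16_report MOUNTS_FILE ASLR_FILE MOUNTPOINT:OPTION...
# One PASS/FAIL line per check; non-zero return if anything fails.
si16_report() {
  local mounts="$1" aslr="$2" rc=0 mode spec
  shift 2
  mode="$(aslr_mode "$aslr")" || true
  if [ "$mode" = full ]; then echo "PASS aslr=$mode"; else echo "FAIL aslr=${mode:-unreadable}"; rc=1; fi
  for spec in "$@"; do
    if mount_has_option "${spec%%:*}" "${spec##*:}" "$mounts"; then echo "PASS $spec"
    else echo "FAIL $spec"; rc=1; fi
  done
  return "$rc"
}

# Constructed sample data (not captured from a real stemcell).
sample="$(mktemp -d)"
echo 2 > "$sample/aslr"
printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
  'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' \
  'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0' > "$sample/mounts"
si16_report "$sample/mounts" "$sample/aslr" /tmp:noexec /dev/shm:noexec /:ro || true
```

On a live host, pass `/proc/mounts` and `/proc/sys/kernel/randomize_va_space` instead of the sample files; `/proc/mounts` reflects the options actually in effect, so it also catches a remount that `/etc/fstab` would not show.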

Control Description

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Supplemental Guidance

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
