VMware Tanzu Application Service (VMware TAS for VMs) is compliant with this requirement. VMware regularly publishes security updates for VMware TAS for VMs on the Broadcom Support portal. Operators may subscribe to update notifications from the Broadcom Support portal and use BOSH and Tanzu Operations Manager to keep their deployments up to date.
When an operator applies a patch, VMware TAS for VMs systematically rolls the update out to all VMs in a deployment, avoiding the need to patch individual VMs.
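Because a patched stemcell is only effective once every deployment is actually running it, an operator tracking flaw remediation needs a quick way to compare what BOSH reports as deployed against the minimum patched version recorded from the advisory. The following script is an added example, not code from VMware or the BOSH project. It assumes the JSON table layout that the BOSH CLI emits for `bosh stemcells --json` (a `Tables` list whose `stemcells` table has `Rows` with `name`, `version`, `os`, `cpi` and `cid` fields, and a trailing `*` on versions that are currently deployed); the sample output and the minimum-version table are constructed placeholders.

```python
import json

# Constructed sample in the shape the BOSH CLI's --json output is assumed to take
# (not copied from the page). A trailing "*" on a version marks it as deployed.
SAMPLE_BOSH_STEMCELLS_JSON = json.dumps({
    "Tables": [{
        "Content": "stemcells",
        "Header": {"name": "Name", "version": "Version", "os": "OS",
                   "cpi": "CPI", "cid": "CID"},
        "Rows": [
            {"name": "bosh-vsphere-esxi-ubuntu-jammy-go_agent", "version": "1.100*",
             "os": "ubuntu-jammy", "cpi": "", "cid": "sc-1"},
            {"name": "bosh-vsphere-esxi-ubuntu-jammy-go_agent", "version": "1.95",
             "os": "ubuntu-jammy", "cpi": "", "cid": "sc-2"},
            {"name": "bosh-vsphere-esxi-ubuntu-xenial-go_agent", "version": "621.125*",
             "os": "ubuntu-xenial", "cpi": "", "cid": "sc-3"},
        ],
        "Notes": ["(*) Currently deployed"],
    }],
    "Blocks": None,
    "Lines": ["Succeeded"],
})

# Minimum patched stemcell version per OS line, as the operator records it from
# the vendor advisory. Placeholder values, not real advisory data.
MINIMUM_PATCHED = {
    "ubuntu-jammy": "1.98",
    "ubuntu-xenial": "621.130",
}


def parse_version(version):
    """Turn a stemcell version such as '621.125*' into a comparable tuple (621, 125)."""
    return tuple(int(part) for part in version.rstrip("*").split("."))


def deployed_stemcells(bosh_json):
    """Return (os, version) pairs for stemcells BOSH marks as currently deployed."""
    data = json.loads(bosh_json)
    deployed = []
    for table in data.get("Tables", []):
        if table.get("Content") != "stemcells":
            continue
        for row in table.get("Rows", []):
            if row["version"].endswith("*"):
                deployed.append((row["os"], row["version"].rstrip("*")))
    return deployed


def outdated_stemcells(bosh_json, minimum):
    """List deployed stemcells that are below the recorded minimum or have no minimum at all.

    A missing minimum is reported too: an OS line nobody is tracking is itself a
    gap in the remediation process.
    """
    findings = []
    for os_name, version in deployed_stemcells(bosh_json):
        floor = minimum.get(os_name)
        if floor is None:
            findings.append((os_name, version, "no minimum recorded"))
        elif parse_version(version) < parse_version(floor):
            findings.append((os_name, version, "below " + floor))
    return findings


if __name__ == "__main__":
    for os_name, version, reason in outdated_stemcells(SAMPLE_BOSH_STEMCELLS_JSON, MINIMUM_PATCHED):
        print(f"{os_name} {version}: {reason}")
```

In practice the JSON would come from running `bosh stemcells --json` against each director rather than from the embedded sample, and the minimum-version table would be kept alongside the organization's change records so that the check can be re-run after each patch cycle.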
VMware Tanzu provides the following incident response support resources:
Tanzu vulnerability reports: https://support.broadcom.com/group/ecx/security-advisory
Tanzu Product Vulnerability Reports, archived on the VMware Tanzu Application Security Team website
See Security Processes and Stemcells in the VMware TAS for VMs documentation for more information.
The VMware TAS for VMs deployer is responsible for performing both configuration and vulnerability scans. VMware TAS for VMs supports the use of third-party scanners, either through remote access scanning or through local installation of third-party agents on the BOSH stemcells.
VMware TAS for VMs deployers performing configuration scans against a VMware TAS for VMs deployment should adjust their scanning benchmark to perform a cloud-native assessment, as opposed to employing a scanning benchmark intended for standalone Linux server deployments.
The organization:
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.