Part of responsibly running public infrastructure, software, applications and websites is keeping them up to date. Software that was current on the day it was released becomes outdated shortly afterwards, and in time becomes vulnerable to some form of attack. To counter this, it is essential to patch and upgrade the software in a timely manner.
On PWS, we help you keep some of the software needed to run your applications up to date. These updates fall into two categories: system (platform) upgrades and buildpack upgrades. System upgrades update the software that runs PWS itself; buildpack upgrades update the software that runs your applications.
Cloud Foundry (CF) is developed using the principles of continuous deployment. Through continuous integration, CF incorporates the latest features, bug fixes and security fixes in a timely manner. Cloud Foundry is designed to apply these upgrades while keeping applications running, as long as an application is deployed with two or more instances (an application with a single instance will be briefly unavailable while that instance is restarted during an upgrade). This is an improvement over earlier deployment strategies, where the hosting platform required downtime to deliver system updates. As a result, the PWS platform is updated frequently and, in most cases, no action is required by the developer.
All of the software required to run an application on PWS is assembled by the buildpacks. This includes language runtimes such as Java, Ruby, Python, PHP and Go, server software such as Apache HTTPD and Nginx, and everything else necessary to run an application. The software is downloaded and installed as the buildpack runs and, unless configured otherwise, the buildpack installs the latest version of that software that it offers at the time it runs.
Like all components of PWS, we update the buildpacks and the software they install. Security fixes are given priority, but in general we try to keep up with the latest versions of the software required to run applications. In addition, we phase out older versions of the software so that you do not accidentally run on old, insecure versions. For details on available versions, please refer to this article.
It is important to note that while we update the buildpacks, which in turn update all of the software necessary to run the application, we do not update the application itself: running instances keep the runtime and server software they were staged with. For the application to pick up the updates, run `cf push` or `cf restage` on the application. This runs the buildpack again and, unless you have locked your buildpack version, automatically stages the application with the latest language runtime and server software.
If you have locked the buildpack to a specific version, by passing the `-b` argument to `cf push` or by setting the `buildpack` attribute in your `manifest.yml` file (for example, a buildpack git URL pinned to a particular tag), then it is your responsibility to update this setting, and in turn the buildpack. Failing to do so can leave the application running on old and possibly vulnerable software.
For the smoothest possible upgrade path, we recommend using blue-green deployment which gives you a chance to push new changes and test them before actually switching your traffic over to the new or upgraded application. You can find more about this here.
Since PWS is managed by Pivotal, it often receives bug fixes, security updates, new features and improvements before any other public Cloud Foundry provider. This means that not only will you get security and bug fixes faster, but you will also get to try all the new features of Cloud Foundry as soon as they are available.
Running your application on Cloud Foundry reduces the risk of running old, insecure software by automatically upgrading, or making it very easy to upgrade, most of the software required to run an application. This reduces the surface area that you as a developer are responsible for maintaining and upgrading, which saves time and provides extra security. PWS does not guarantee complete security, though. It is up to the developer to follow the instructions in this article, to update the dependencies packaged with the application, and to write secure application code.