Thanks for the reply. I appreciate that keeping software up-to-date is part of the security process, and Bitnami is very responsive to this, but I guess the question is more targeted to Ubuntu configuration.
If a client of mine requests me to "show me that your Django Ubuntu VMs are secure", I need a concrete way to demonstrate this, and currently saying "I use Bitnami images and regularly apply software patches" is not enough. I actually need to say and demonstrate "we run latest software versions and are compliant to NIST (e.g. https://nvd.nist.gov/ncp/checklist/499) and here's our latest audit against that check list."
An alternative for Bitnami would be looking to include this into your images: https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html
I guess where I'm coming from is what industry standard / checklist do you run through for ensuring your Ubuntu configurations are compliant, or what additional steps do you take to harden your Ubuntu VMs, that I can use as evidence to my clients that my images are secure to an industry standard?
If the answer is you can't supply this, then the actual answer is that the onus is on the users to ensure they are using hardened, secure Ubuntu configurations and can't take Bitnami's word for it. I'm not being negative towards Bitnami on this, I'm in the process of establishing our application security standards and just trying to work out where the boundary is where Bitnami stops and we take over.
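The kind of evidence the post is asking for ("here's our latest audit against that checklist") is what an OpenSCAP run against the SSG Ubuntu guide produces: `oscap xccdf eval --profile <profile-id> --results results.xml --report report.html <ssg-datastream.xml>` writes an XCCDF result file listing pass/fail per rule. The script below is an added example, not code from the original post, from Bitnami, or from the OpenSCAP project: it parses such a result file and turns it into the short summary you would hand a client (pass rate over evaluated rules, a breakdown by outcome, and the failed rules sorted by severity). The embedded XML is a constructed sample in the XCCDF 1.2 result shape; its rule ids and profile id are illustrative, not copied from any real guide.

```python
"""Summarise an OpenSCAP XCCDF result file into a pass/fail compliance report.

Added example: the XML below is a constructed stand-in for the file that
`oscap xccdf eval --results results.xml ...` writes. Rule ids follow the
SSG naming convention but are illustrative, not taken from any real guide.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by OpenSCAP result files.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample TestResult. A real scan has hundreds of rule-result entries.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example" start-time="2019-01-01T00:00:00" end-time="2019-01-01T00:01:00">
    <profile idref="xccdf_org.ssgproject.content_profile_example"/>
    <target>example-django-vm</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_package_auditd_installed" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_sysctl_aslr" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_grub_password" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_manual_check" severity="low">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return a list of (rule_id, severity, result) tuples from an XCCDF result document."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), outcome))
    return rows


def summarize(rows):
    """Count outcomes and compute the pass rate over rules that were actually evaluated.

    notapplicable / notchecked / notselected rules are reported but excluded from the
    denominator, otherwise a profile with many manual checks looks worse than it is.
    """
    counts = Counter(result for _, _, result in rows)
    evaluated = counts["pass"] + counts["fail"]
    pass_rate = round(100.0 * counts["pass"] / evaluated, 1) if evaluated else 0.0
    return {"counts": dict(counts), "evaluated": evaluated, "pass_rate": pass_rate}


def failed_rules(rows):
    """Failed rules, highest severity first, so remediation can be prioritised."""
    order = {"high": 0, "medium": 1, "low": 2}
    failed = [(rid, sev) for rid, sev, res in rows if res == "fail"]
    return sorted(failed, key=lambda t: order.get(t[1], 3))


def report(xml_text):
    """Render the summary as plain text suitable for attaching to an audit record."""
    rows = parse_results(xml_text)
    s = summarize(rows)
    lines = ["Rules evaluated: %d  pass rate: %.1f%%" % (s["evaluated"], s["pass_rate"])]
    for outcome, n in sorted(s["counts"].items()):
        lines.append("  %-14s %d" % (outcome, n))
    for rid, sev in failed_rules(rows):
        lines.append("FAIL [%s] %s" % (sev, rid))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python xccdf_summary.py results.xml   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print(report(text))
```

Keeping the raw `results.xml` and the HTML `--report` alongside this summary gives an auditor both the headline number and the per-rule detail to check it against; re-running the same profile after each patch cycle is what turns "we apply patches" into a dated, repeatable audit trail.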