Red Hat Improves Software Supply Chain Security
Red Hat introduced a solution called the Red Hat Trusted Software Supply Chain that increases resistance to vulnerabilities in the software supply chain.
This innovation introduces two new cloud services: Red Hat Trusted Application Pipeline and Red Hat Trusted Content. Both join the existing suite of Red Hat software and cloud services, including Quay and Advanced Cluster Security (ACS), to drive the adoption of DevSecOps practices and integrate security throughout the software development lifecycle.
Supply Chain Security Matters
Nowadays, malicious actors have swiftly turned their attention to the software supply chain, recognizing it as a prime target for their activities. These targeted attacks focus on exploiting foundational software components with the aim of orchestrating devastating consequences such as data breaches, service disruptions, and other severe outcomes.
Given the critical role of software in conducting daily business operations, ensuring the security of the software supply chain becomes an essential responsibility for every organization and its security teams.
Red Hat Trusted Software Supply Chain
Customers can code, build, and monitor their software more rapidly and effectively with Red Hat Trusted Software Supply Chain by utilizing reliable platforms, trusted content, and real-time security scanning and remediation.
As open-source code now constitutes 75% of application code bases, these components are being examined more closely. This is particularly significant considering the alarming surge of 742% in software supply chain attacks since 2020. Therefore, customers are actively seeking ways to integrate guardrails into their software supply chain and development life cycles, enabling them to speed up innovation while upholding security standards.
Red Hat Trusted Content
One significant component is Red Hat Trusted Content, which builds upon a foundation of security-enhanced systems software. With thousands of trusted packages available solely in Red Hat Enterprise Linux and a catalog of critical application runtimes spanning Java, Node, and Python ecosystems, this service equips customers with enterprise-hardened trusted content.
Additionally, it provides valuable insights into the open-source packages utilized within customer applications, empowering organizations with knowledge about the components they rely on.
Red Hat Trusted Application Pipeline
Red Hat Trusted Application Pipeline is rooted in Red Hat’s extensive efforts to develop, introduce, and sustain sigstore, an open and freely accessible standard for secure signing in cloud-native environments. In addition, sigstore contributes vital components to various upstream communities, forming a shared security infrastructure. With Trusted Application Pipeline, customers gain access to a security-focused Continuous Integration/Continuous Delivery (CI/CD) service. This service makes it easier to adopt the procedures, tools, and knowledge that Red Hat employs to create its own production software.
How Do These Services Enhance Security?
Using Red Hat’s internal best practices, Red Hat Trusted Content offers access to open-source software content that has been produced and curated by Red Hat with provenance and attestation. The service actively monitors customers’ open-source dependencies after an application is in production and notifies them of known new and emerging dangers. As a result, users can respond more quickly to emerging threats.
As for Red Hat Trusted Application Pipeline, it is currently available as a service preview. This integrated Continuous Integration/Continuous Delivery (CI/CD) pipeline plays a pivotal role in enhancing the security of application software supply chains. With just a few clicks, users can efficiently build applications, seamlessly integrate into Linux containers, and effortlessly deploy them onto Red Hat OpenShift or other Kubernetes platforms.
Previously, this process was often highly manual, requiring extensive lines of automation code for building, testing, and deploying containerized applications. Such manual processes created additional risk points and slowed overall velocity by introducing the possibility of friction and human error.
Red Hat Trusted Application Pipeline Features
- Import Git repositories and effortlessly set up container-native continuous build, test, and deployment pipelines using a cloud service in just a few simple steps.
- Inspection of source code and transitive dependencies.
- Automatically generate Software Bills of Materials (SBOMs) as part of the build process.
- Utilize a release criteria policy engine to verify and promote container images. This engine incorporates industry frameworks such as Supply Chain Levels for Software Artifacts (SLSA).
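The release-criteria check described in the last bullet, as an added example that is not Red Hat's code: it evaluates a constructed SLSA v0.2 provenance attestation (in the in-toto Statement format) against a small promotion policy, using hypothetical builder and repository names. Verifying the sigstore signature over the attestation is assumed to have happened before this step; the policy here inspects the already-trusted payload.

```python
import json

# Constructed sample: an in-toto Statement carrying SLSA v0.2 provenance for one
# container image. Builder id, repository and digests are placeholders.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "registry.example.com/team/app",
                 "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "builder": {"id": "https://builder.example.com/pipeline/v1"},   # hypothetical
        "buildType": "https://builder.example.com/buildtypes/container@v1",
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/app",
            "digest": {"sha1": "b" * 40}, "entryPoint": "pipeline.yaml"}},
        "materials": [{"uri": "git+https://github.com/example-org/app",
                       "digest": {"sha1": "b" * 40}}],
    },
})

# Policy inputs an organisation would maintain: which build systems may sign
# provenance, and which source repositories may feed a production image.
TRUSTED_BUILDERS = {"https://builder.example.com/pipeline/v1"}
ALLOWED_SOURCE_PREFIXES = ("git+https://github.com/example-org/",)


def evaluate_release_policy(statement_json, image_digest):
    """Return (allowed, reasons) for promoting the image with this sha256 digest.

    The checks mirror what a release-criteria policy engine enforces: the
    attestation must be SLSA provenance, it must name exactly the image being
    promoted, the builder must be one we trust, the build must have been
    configured from an allowed repository, and its inputs must be recorded."""
    reasons = []
    s = json.loads(statement_json)
    if s.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        reasons.append("predicate is not SLSA v0.2 provenance")
    subjects = {sub.get("digest", {}).get("sha256") for sub in s.get("subject", [])}
    if image_digest not in subjects:
        reasons.append("attestation does not cover the image digest being promoted")
    pred = s.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        reasons.append(f"untrusted builder: {builder!r}")
    src = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not src.startswith(ALLOWED_SOURCE_PREFIXES):
        reasons.append(f"source not from an allowed repository: {src!r}")
    if not pred.get("materials"):
        reasons.append("no build materials recorded")
    return (not reasons, reasons)
```

A mismatched digest (an image that was never built by the attested run) or an unknown builder id each produce a denial with a reason the pipeline can surface to the developer.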
The comprehensive suite of software and services offered through Red Hat Trusted Software Supply Chain significantly enhances an organization’s ability to withstand vulnerabilities throughout the modern software development lifecycle. Red Hat Trusted Content will soon be available as a service preview, giving developers real-time insight into known vulnerabilities and security risks within their open-source software dependencies. This service will also recommend potential risk-reduction measures, which will assist in shortening development time and lowering costs.
This article includes a story from Red Hat.