SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Red Hat embeds security into software dev lifecycle with latest release
Thu, 25th May 2023

Red Hat has announced Red Hat Trusted Software Supply Chain, a solution that enhances resilience to software supply chain vulnerabilities.

As part of this solution, two new cloud services, Red Hat Trusted Application Pipeline and Red Hat Trusted Content, are joining, in preview mode, the existing Red Hat software and cloud services, including Quay and Advanced Cluster Security (ACS), to advance the adoption of DevSecOps practices and embed security into the software development lifecycle.

With Red Hat Trusted Software Supply Chain, the company states, customers can more quickly and efficiently code, build and monitor their software using proven platforms, trusted content, and real-time security scanning and remediation.

Red Hat Trusted Software Supply Chain

With 75% of application code bases now consisting of open source code, these components are under greater scrutiny, especially as software supply chain attacks have soared 742% since 2020, Red Hat states. Customers seek to integrate guardrails into their software supply chain and development life cycles to accelerate innovation without compromising security.

The software and services delivered as part of Red Hat Trusted Software Supply Chain are designed to enhance an organisation's resilience to vulnerabilities across the modern software development lifecycle.

Red Hat Trusted Content builds on a foundation of security-enhanced systems software, with trusted packages in Red Hat Enterprise Linux and a catalogue of critical application runtimes across Java, Node, and Python ecosystems.

The service provides customers with enterprise-hardened trusted content and knowledge about the open-source packages in customer applications, Red Hat states.

The basis for Red Hat Trusted Application Pipeline comes from Red Hat's foundational work in creating, launching and maintaining sigstore, which provides a freely available standard for cloud-native secure signing and supplies critical pieces of shared security infrastructure to many upstream communities.

Trusted Application Pipeline offers a security-forward Continuous Integration/Continuous Delivery (CI/CD) service that simplifies the adoption of the processes, technologies and expertise that Red Hat uses to build production software.

Bridging software innovation with source code security

Available as a service preview in the coming weeks, Red Hat Trusted Content will provide developers with real-time knowledge of known vulnerabilities and security risks within their open source software dependencies.

The service will also suggest available remediations to minimise risks, helping to reduce development time and cost, the company states.

Red Hat Trusted Content provides access to Red Hat-built and -curated open source software content, with provenance and attestation, using Red Hat's internal best practices. Once an application is in production, the service proactively monitors its open source dependencies and alerts users to newly disclosed and emerging risks, allowing for quicker remediation of emerging threats.

Red Hat Trusted Application Pipeline, available as a service preview now, aims to help customers enhance the security of application software supply chains with an integrated CI/CD pipeline.

Applications can be more effectively built and more easily integrated into Linux containers and then deployed onto Red Hat OpenShift or other Kubernetes platforms with just a few clicks.

Previously, this was frequently a highly manual process, with hundreds of lines of automation code required for building, testing and deploying containerised applications. This manual process introduces the potential for friction and human error, adding new risk points and slowing overall velocity.

According to the company, with Red Hat Trusted Application Pipeline, Red Hat customers can:

  • Import git repositories and configure container-native continuous build, test, and deployment pipelines via a cloud service in just a few steps.
  • Inspect source code and transitive dependencies.
  • Auto-generate Software Bills of Materials (SBOMs) within builds.
  • Verify and promote container images via a release criteria policy engine that helps confirm consistency with industry frameworks like Supply-chain Levels for Software Artifacts (SLSA).