SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Red Hat updates trusted software supply chain, bolsters security

Tue, 23rd Apr 2024

Provider of open source solutions, Red Hat, has announced updates to its trusted software supply chain, integrating new components. The update introduces the Red Hat Trusted Application Pipeline and Red Hat Trusted Artifact Signer, which simplifies cryptographic signing and verification of software artefacts. Additionally, the launch also includes Red Hat Trusted Profile Analyser, a tool designed to help development teams pinpoint malicious code and analyse potential risks in advance.

The improvements aim to allow customers to incorporate security earlier in the software development life cycle, conform to industry regulations and compliance standards, and strategically plan for and address any potential vulnerabilities. This proactive approach is gaining industry traction, with IDC predicting that 75% of CIOs will integrate cybersecurity measures directly into systems and processes by 2027 to pre-emptively detect and neutralise vulnerabilities.

Red Hat's Trusted Software Supply Chain offers software and services that enhance an organisation's resilience to vulnerabilities. These enable organisations to identify and mitigate potential issues early before they can be exploited. This empowers organisations to code, build, deploy, and monitor their software more efficiently using proven platforms, trusted content, and real-time security scanning and remediation.

Building upon the open-source Sigstore project, Red Hat Trusted Artifact Signer augments the trustworthiness of software artefacts in the software supply chain. It simplifies the process for developers and stakeholders to cryptographically sign and verify artefacts using a keyless certificate authority, enhancing confidence in the authenticity of their software supply chain. Furthermore, its identity-based signing through an integration with OpenID Connect eliminates the strain of managing a centralised key management system.

Organisations require visibility and insight into an application's codebase to proactively and minimally impact security issues and vulnerabilities. Red Hat Trusted Profile Analyser meets this need, offering an authoritative source for security documentation, including Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX).

Combining the capabilities of the Red Hat Trusted Profile Analyser and Red Hat Trusted Artifact Signer with Red Hat's enterprise-grade internal developer platform, Red Hat Developer Hub, the Red Hat Trusted Application Pipeline provides security-focused software supply chain capabilities that are pre-integrated into developer self-service templates. These are designed to standardise and expedite onboarding security-focused protocols to increase trust and transparency at code time.

The updated suite allows organisations to verify pipeline compliance, providing traceability and auditability in the CI/CD process with an automated chain of trust that validates artefact signatures and offers provenance and attestations. Suspicious build activity can be directly halted from the CI/CD pipeline through enterprise contracts, with vulnerability scanning and policy checks preventing advancement into production.

Red Hat Trusted Artifact Signer and Red Hat Trusted Application Pipeline are now generally available, with Red Hat Trusted Profile Analyser expected for general release within the quarter.

Sarwar Raza, Vice President and General Manager of the Application Developer Business Unit at Red Hat, said, "Organisations are seeking to mitigate the risks of constantly evolving security threats in their software development. Red Hat Trusted Software Supply Chain is designed to seamlessly bring security capabilities into every phase of the software development life cycle."

Jim Mercer, Program Vice President of Software Development, DevOps, and DevSecOps at IDC, commented, "Red Hat has been securing open-source software and the open-source software supply chain for 30 years. The Red Hat Trusted Software Supply Chain extends its existing open-source security due diligence to help customers manage their open-source and software supply chains."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X