Strengthening Security in Software Development: Red Hat’s Latest Tool Offerings

Red Hat Pushes New Tools to Secure Software Supply Chain

By Edward Felsenthal

On May 23, 2023, Red Hat, an open source software company, announced the release of a new suite of tools and services to resolve vulnerabilities across all phases of the modern software supply chain. The company stated that the new suite, known as Red Hat Trusted Software Supply Chain, incorporates two cloud services to advance the productive adoption of DevSecOps practices, with security embedded in every stage of the software development lifecycle.

The New Tools

The new tools included in the suite are Red Hat Trusted Application Pipeline and Red Hat Trusted Content. They promise developers a fast and reliable way to write, build, and oversee their software using certified content and real-time security scanning and remediation. Developers can import git repositories and configure container-native continuous build, test, and deployment pipelines through a cloud service in a few steps.

Red Hat Trusted Application Pipeline works with sigstore, a signing tool that customers can use to enhance the security of their application software supply chains by integrating it into the CI/CD pipeline. Applications can be built securely and integrated more easily into Linux containers on Red Hat OpenShift or other Kubernetes platforms with a few clicks. The service reduces friction and human error by drawing on real-time knowledge of known vulnerabilities and security risks in open source software dependencies and recommending remediations to minimize those risks.

Red Hat Trusted Content, on the other hand, builds on security-enhanced systems software with more than 10,000 trusted packages and several runtime libraries, covering the Java, Node, and Python ecosystems. The service provides developers with real-time knowledge of known vulnerabilities and security risks within their open source software dependencies and suggests possible remediations to minimize those risks.

The Significance of the New Suite

The Red Hat Trusted Software Supply Chain, which is closely tied to the company’s work on sigstore, is a significant development in supply chain security, a topic that has become a focus of discussion as more organizations migrate to cloud environments and outsource software development. Supply chain security is critical because it covers the security of a product’s entire lifecycle, from initial conception and design through development, distribution, maintenance, and retirement. Ensuring that the software supply chain is safe, efficient, and uncompromised has become necessary to safeguard the entire organization from cyber threats.

Given the nature of supply chain attacks, in which attackers compromise a third-party provider in order to reach that provider’s high-profile customers, this development is crucial. For instance, in the recent attack on SolarWinds, the attackers compromised the software provider’s Orion platform and went on to infiltrate high-profile organizations worldwide. The SolarWinds attack underscores the importance of taking a risk-based approach to managing and maintaining the integrity of an organization’s assets throughout the supply chain.

Advice and Editorial

The Red Hat Trusted Software Supply Chain development is timely, and more software developers and companies should embrace this approach as the threat landscape continues to evolve. Organizations must ensure that their software supply chains are secure and that components come from trusted sources. One of the key steps is to keep all software up to date so that the latest security updates and patches are applied. Organizations must also conduct regular vulnerability assessments and penetration testing across their software supply chains, coupled with employee education programs on how to detect and report vulnerabilities.

As companies increasingly move their operations to the cloud, supply chain security vulnerabilities will remain a concern. Therefore, organizations must establish security controls that provide visibility across their entire software supply chains, and third-party suppliers must adhere to security standards and protocols.

The Red Hat Trusted Software Supply Chain is a welcome development to the industry, and I hope other companies adopt similar practices to secure their software supply chains.
