“Ensuring Security in the Software Supply Chain: Red Hat’s Latest Initiative”

Red Hat Unveils Secure-by-Design Playbook to Help Developers Build and Deploy Secure Open Source Applications

Red Hat, a leading provider of open-source solutions, has unveiled its secure-by-design playbook for developers to securely build and deploy applications that rely on open source components. The company introduced the Red Hat Trusted Software Supply Chain, based on the programming tools and methodologies the company uses internally, during the Red Hat Summit held recently in Boston. The move reflects the two trends of organizations embracing cloud-native applications built with open-source components and the growing number of cyberattacks targeting vulnerabilities in those components.

The Four Core Services of Red Hat Trusted Software Supply Chain

The Red Hat Trusted Software Supply Chain comprises four services: Red Hat Trusted Application Pipeline, Red Hat Trusted Content, Red Hat Advanced Cluster Security Cloud Service, and Quay, the enterprise registry acquired by CoreOS. Two of the services, Red Hat Trusted Application Pipeline and Red Hat Trusted Content, are already available as preview versions, while Red Hat Advanced Cluster Security Cloud Service is a managed service for building, deploying, and maintaining security for Kubernetes-based, cloud-native applications.

Automatically Generating SBOMs

One of the features of the Trusted Application Pipeline is the automatic generation of software bills of materials (SBOMs), which list the software packages in a build, known vulnerability information for those packages, and other essential information that auditors and regulators require. Developers can use these artifacts to satisfy regulatory requirements while demonstrating the security of their software packages to auditors.
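As an added illustration of what an auditor or security team does with such an artifact, the following Python script reads a constructed CycloneDX-style SBOM and cross-references its components against a constructed advisory list. This is example code written for this page, not code from Red Hat or from the Trusted Application Pipeline. The package names, versions and advisory IDs are all made up; only the CycloneDX field layout (`bomFormat`, `components`, `name`, `version`, `purl`) reflects the real format, and the version comparison assumes plain dotted-integer version strings.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM. Component names and versions are invented
# for illustration; this is not output from any real pipeline.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:rpm/example/libexample@1.2.3"},
        {"type": "library", "name": "webframework", "version": "2.0.1",
         "purl": "pkg:pypi/webframework@2.0.1"},
        {"type": "library", "name": "jsonparser", "version": "3.5.0",
         "purl": "pkg:npm/jsonparser@3.5.0"},
    ],
})

# Constructed advisory feed with placeholder IDs (not real CVEs). Each entry
# names a package, the first affected version (inclusive) and the fixed
# version (exclusive), the shape most vulnerability feeds use.
SAMPLE_ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADVISORY-PLACEHOLDER-001", "package": "libexample",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-002", "package": "webframework",
     "introduced": "2.1.0", "fixed": "2.1.5", "severity": "critical"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so tuples compare numerically.

    Assumption: dotted integers only; anything else is rejected rather than
    silently mis-ordered (e.g. '1.10' must sort after '1.9').
    """
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError as exc:
        raise ValueError(f"unsupported version string: {version!r}") from exc


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from a CycloneDX JSON document.

    Components without a version cannot be matched against a range and are
    skipped; the caller can report them separately if needed.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        (c["name"], c["version"])
        for c in doc.get("components", [])
        if "name" in c and "version" in c
    ]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, compared numerically."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(sbom_json: str,
                     advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair whose range matches."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def severity_summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, the figure an audit report usually leads with."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f["severity"]] = summary.get(f["severity"], 0) + 1
    return summary


if __name__ == "__main__":
    results = match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f['severity'].upper():8} {f['component']} {f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
    print("summary:", severity_summary(results))
```

Running it flags `libexample` 1.2.3 (inside the 1.0.0 to 1.2.4 range) and leaves `webframework` 2.0.1 alone, since it predates the affected range. The same loop, pointed at a real SBOM and a real advisory feed, is the check that turns an SBOM from a compliance document into a detection input.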

Philosophical Discussion

The shift to cloud-native applications built with open-source components, coupled with the rise of cyberattacks and data breaches, has created the need for secure-by-design software development processes. The Cybersecurity & Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI have released Secure-by-Design and Default Principles and Approaches guidance that organizations can implement to boost their cybersecurity and protect their software supply chains. Red Hat’s move to make its methodologies, processes, technology, and expertise available to help developers build and deploy secure applications demonstrates the company’s commitment to software security and cybersecurity.

Editorial

Red Hat’s unveiling of the Trusted Software Supply Chain initiative is a significant development for organizations that rely on open-source components to build and deploy applications. The Trusted Software Supply Chain initiative offers an excellent starting point for companies to build their products securely. However, companies must also secure their distribution channels, which represent a separate supply chain that requires protection just as much as the software supply chain. Red Hat’s prominence in the open-source infrastructure market makes its offering an attractive option for developers who build on Red Hat Enterprise Linux (RHEL) and OpenShift. The initiative also has the potential to disrupt existing software composition analysis (SCA) offerings from competing companies.

Advice

Organizations that rely on open-source components to build and deploy applications should consider partnering with providers that offer secure-by-design software development processes. Red Hat’s Trusted Software Supply Chain initiative is an excellent option for developers who want to build cloud-native applications using secure and curated open-source components. Developers and organizations should also secure their distribution channels and implement best practices to secure their software supply chain fully.
