Red Hat, a leading provider of open source software solutions, has unveiled its secure-by-design playbook to assist developers in building and deploying secure applications that rely on open source components. Red Hat introduced the Red Hat Trusted Software Supply Chain at its recent Red Hat Summit in Boston. The company’s focus on software supply chain security reflects the trend of cloud-native applications, which are mostly built using open source components. Unfortunately, there has been an increase in cyber attacks targeting vulnerabilities in these components. Therefore, it is necessary to have secure-by-design and secure-by-default software development processes that create a secure software supply chain.
Red Hat’s General Manager for Cloud Services, Sarwar Raza, said that trusting Red Hat with the security of an open source supply chain is essentially an extension of what they have been offering customers for the last 30 years. The company has taken that capability, combined it with the Continuous Integration/Continuous Deployment (CI/CD) capabilities they use internally, and made the process, technology, and expertise available to customers. This way, they can build and secure their software in the same way that Red Hat does.
The Red Hat Trusted Software Supply Chain comprises four services and is based on the programming tools and methodologies that Red Hat uses internally. Of the four services, two are currently available as preview versions: Red Hat Trusted Application Pipeline and Red Hat Trusted Content. The third service, Red Hat Advanced Cluster Security Cloud Service, is a managed service for securely building, deploying, and maintaining Kubernetes-based cloud-native applications. Finally, Quay is the enterprise container registry that CoreOS acquired in 2014 and that came to Red Hat with its acquisition of CoreOS in 2018.
Raza explained that the offering includes thousands of trusted packages in Red Hat Enterprise Linux alone, as well as a catalog of critical application runtimes across Java, Node, and Python. “The service provides not just the hardened, trusted content, but we also provide knowledge,” he said.
Red Hat Trusted Application Pipeline can automatically generate software bills of materials (SBOMs) using that knowledge. “As a customer, you can take the artifacts, proving the security of those software packages and present it to auditors or regulators and then satisfy their requirements,” Raza said.
Red Hat Trusted Application Pipeline builds on Sigstore, an open source project that Red Hat initiated and has since handed over to the Linux Foundation. Sigstore is now a freely available standard for cloud-native signing, and the pipeline covers multiple stages of the development process.
In the coding stage, Red Hat provides a developer plugin that performs software composition analysis (SCA): it analyzes dependencies, warns of any vulnerabilities, and points developers to alternative components. At the build stage, the pipeline produces an enterprise contract that is fed into the system. “This sets the guardrails and the standards that will be enforced,” Raza said.
Red Hat Trusted Application Pipeline also automatically generates an SBOM for each build. “SBOMs, vulnerability information, information about those packages, are part and parcel of the offering,” Raza said. “So as a customer, you can take the artifacts, proving the security of those software packages, and present it to auditors or regulators and then satisfy their requirements.”
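As an added illustration of what a build-stage guardrail check over a generated SBOM looks like (this is not Red Hat's Enterprise Contract code, which the article does not show), the following evaluates a constructed CycloneDX-style SBOM against three policy rules; the advisory entries, package names and license allowlist are all constructed for the example:

```python
import hashlib
import json
from typing import Dict, List, Set

# Constructed CycloneDX-style SBOM for one build (hypothetical packages, not real artifacts).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "example-logging", "version": "1.2.3",
         "purl": "pkg:maven/com.example/logging@1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "example-web", "version": "4.0.0",
         "purl": "pkg:npm/example-web@4.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "vendored-util", "version": "0.0.1",   # no purl: not traceable
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})

# Constructed advisory feed: purl without version -> {affected version: advisory id}.
ADVISORIES = {"pkg:maven/com.example/logging": {"1.2.3": "EXAMPLE-ADV-0001"}}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def evaluate_contract(sbom_json: str, advisories=ADVISORIES,
                      allowed: Set[str] = ALLOWED_LICENSES) -> Dict[str, object]:
    """Apply the guardrails to an SBOM; return verdict, violations and the SBOM digest."""
    sbom = json.loads(sbom_json)
    violations: List[str] = []
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        purl = comp.get("purl")
        if not purl:
            # Rule 1: every component must be identifiable by a package URL.
            violations.append(f"{label}: missing purl")
        else:
            # Rule 2: the exact version must not appear in the advisory feed.
            base = purl.split("@")[0]
            adv = advisories.get(base, {}).get(comp.get("version"))
            if adv:
                violations.append(f"{label}: known vulnerability {adv}")
        # Rule 3: every declared license must be on the allowlist.
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id not in allowed:
                violations.append(f"{label}: license {lic_id} not allowed")
    # The digest lets the report be tied to the signed SBOM handed to auditors.
    digest = hashlib.sha256(sbom_json.encode()).hexdigest()
    return {"passed": not violations, "violations": violations, "sbom_sha256": digest}
```

Running `evaluate_contract(SAMPLE_SBOM)` fails the build with one advisory hit, one untraceable component and one disallowed license.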
Red Hat’s offering is promising because of the company’s prominence in the open source infrastructure market, and it appeals to the broad ecosystem of those who build on Red Hat Enterprise Linux (RHEL) and OpenShift, although it requires neither. The offering could be disruptive to SCA vendors such as Black Duck (now Synopsys), Mend, and Snyk.
IDC analyst Al Gillen said that Red Hat’s offering “is a really good starting point for a lot of companies to be able to build their products securely.” Still, they “also have to distribute their product, and their distribution channel is a separate supply chain for somebody else.” Omdia analyst Rik Turner added that “this will surely be of value to them, potentially even obviating the need for the use of SCA platforms to check on what they are embedding in amongst their code.”