In a bid to help developers securely build and deploy applications that rely on open source components, Red Hat unveiled the secure-by-design playbook the company has used for decades to build, monitor, and deploy its own software. The company introduced the Red Hat Trusted Software Supply Chain, which consists of four services and is based on the programming tools and methodologies the company uses internally, during Red Hat Summit this week in Boston.
The focus on software supply chain security reflects two trends: organizations embracing the shift to cloud-native applications that are predominantly built with open source components and the growing number of cyberattacks targeting vulnerabilities in those components. The US federal government is pushing organizations to implement secure-by-design and secure-by-default software development processes. The Cybersecurity & Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI joined with global counterparts to publish the Secure-by-Design and Default Principles and Approaches guidance last month.
"Trusting Red Hat with the security of an open source supply chain is basically a continuation of what we have been offering customers for the last 30 years," says Sarwar Raza, Red Hat's general manager for cloud services. "We've taken that capability, along with the CI/CD capabilities that we use in-house, and we're now making our processes, technology, and expertise available to our customers so that you can secure and build your software in the same way we do."
A Preview of Red Hat's Four Core Services
Of the four services in Red Hat Trusted Software Supply Chain, two — Red Hat Trusted Application Pipeline and Red Hat Trusted Content — are available as preview versions. The third, Red Hat Advanced Cluster Security Cloud Service, is a managed service for securely building, deploying, and maintaining Kubernetes-based, cloud-native applications security. Finally, Quay is the enterprise registry acquired by CoreOS in 2014, which Red Hat took over after acquiring CoreOS in 2018.
The offering includes thousands of trusted packages in Red Hat Enterprise Linux alone, as well as a catalog of critical application runtimes across Java, Node, and Python, Raza says. "The service provides not just the hardened, trusted content, but we also provide knowledge," he says.
Red Hat Trusted Application can automatically generate software bills of materials (SBOMs) using that knowledge. "As a customer, you can take the artifacts, proving the security of those software packages, and present it to auditors or regulators and then satisfy their requirements," Raza says.
Red Hat Trusted Application Pipelines builds on sigstore, an open source project that Red Hat initiated and has since turned over to the Linux Foundation; sigstore is now a freely available standard for cloud-native security signing. Application Pipelines handle multiple stages of the development process.
In the coding stage, Red Hat provides a developer plug-in that performs software composition analysis (SCA), which includes analyzing dependencies and warning of all vulnerabilities pointing developers to alternative components. At the build phase, Red Hat Application Pipelines produces an enterprise contract that's fed into the system.
"This basically sets the guardrails and the standards that will be enforced," Raza says.
Automatically Generating SBOMs
Red Hat Trusted Pipelines also automatically generate software bills of materials (SBOMs) for each build.
SBOMs, vulnerability information, [and] information about those packages are part and parcel of the offering," Raza says. "So as a customer, you can take the artifacts, proving the security of those software packages, present it to auditors or regulators, and then satisfy their requirements."
"This is a really good starting point for a lot of companies to be able to build their own products in a secure way," says IDC analyst Al Gillen. "But they also still have to distribute their own product, and their distribution channel is a separate supply chain for somebody else."
Given Red Hat's prominence in the open source infrastructure market, its offering promises to appeal to the broad ecosystem of those who build on Red Hat Enterprise Linux (RHEL) and OpenShift, but it doesn't require either. It can also be disruptive to providers of SCA offerings from companies such as Black Duck (now Synopsis), Mend, and Snyk.
"What Red Hat is offering is a repository of curated OSS components that its OpenShift customers can draw upon when building their apps," says Omdia analyst Rik Turner. "This will surely be of value to them, potentially even obviating the need for the use of SCA platforms to check on what they are embedding in amongst their own code."