As organizations start deploying advanced monitoring capabilities to protect their production environment from cyber attacks, attackers are finding it increasingly difficult to break in and compromise systems. As a result, they are now leveraging alternate approaches to infiltrate systems by secretly injecting malware into the software supply chain. This illicit code allows them to turn a software component into a Trojan horse of sorts, resulting in software infected with malicious code which allows cyber criminals to open the “doors to the kingdom” from the inside.
A recent report from BlackBerry estimated that the majority (74%) of companies surveyed have experienced a software supply chain attack in the last 12 months. This high number underscores the need for enhanced software supply chain protections since third-party software suppliers and some open source libraries and frameworks may not have the same security measures.
DevSecOps methodology integrates security practices into the DevOps process so security practices are embedded throughout the entire software development lifecycle. Unlike traditional approaches where security is added towards the end of the development process, DevSecOps incorporates security from the very beginning and automates various aspects to help streamline the development process.
An end-to-end solution across the entire supply chain is highly recommended. This system should trust nothing, examine all source code, establish Supply-chain Levels for Software Artifacts (SLSA), provide audit and scanning capabilities and manage the Software Bill of Materials (SBOM) for both custom and third-party software artifacts.
Red Hat Trusted Software Supply Chain is built on a zero trust architecture and provides a solid foundation for DevSecOps, helping shift security to the left to catch known vulnerabilities earlier in the development life cycle. Let’s go through each component to see how they work together to help bring development, infosec and operations teams together.
Red Hat Trusted Application Pipeline
Trusted Application Pipeline provides integrated software templates that help enable secure software development through artifact signatures, attestations, SBOMs and build provenance verification. These security-focused software templates not only standardize but also speed up the adoption of security measures across different stages of software development, enhancing trust and transparency from the outset. Trusted Application Pipeline includes the following three key products.
Red Hat Developer Hub
Red Hat Developer Hub is an enterprise platform for building developer portals and golden paths. It provides a single pane of glass that helps increase engineering productivity, provides guardrails for cloud-native development and gives a real-time view of application and infrastructure health and security. Built on the open source Backstage project, it helps streamline development through a unified platform that reduces cognitive load and frustration for developers. Try Red Hat Developer Hub today.
Red Hat Trusted Artifact Signer
Trusted Artifact Signer is built on the open source Sigstore project, and provides a transparent, auditable and cryptographically enhanced signing and verification system. Trusted Artifact Signer supports keyless and key-based signing, and provides simplified operator installation and an immutable audit trail. It also includes Enterprise Contract, enabling the automatic verification of supply chain integrity, provenance authentication and SLSA enforcement.
Red Hat Trusted Profile Analyzer
Trusted Profile Analyzer gives developers, security teams and platform engineers visibility and actionable insights into the risk profile of their software supply chain. It does this across the entire software development life cycle using application SBOMs, VEX (Vulnerability Exploitability eXchange) documents and open source dependency risk profiles. This information can help lower the risk of a supply chain breach.
Red Hat OpenShift Platform Plus
OpenShift Platform Plus is a unified platform that combines multicluster security, cluster management and compliance, registry scanning and data management capabilities with Red Hat OpenShift. Learn how OpenShift Platform Plus meets the zero trust requirements in 10 ways.
OpenShift Platform Plus includes the following components.
Red Hat OpenShift
OpenShift is the industry’s leading hybrid cloud application platform powered by Kubernetes, bringing together a comprehensive set of tools and services that help streamline the entire application lifecycle, from development to delivery to management of app workloads.
Red Hat Quay
Quay is a security-focused and scalable platform for managing content across globally distributed datacenter and cloud environments. It provides a private container registry that stores, builds and deploys containerized software and scans container images for known vulnerabilities.
Red Hat Advanced Cluster Management for Kubernetes
Advanced Cluster Management for Kubernetes is a multicluster management solution that provides automated, built-in, security policy-driven configuration and observability across your entire hybrid cloud environment, including on-premises, cloud and edge. Advanced Cluster Management for Kubernetes simplifies compliance, monitoring and consistency.
Red Hat Advanced Cluster Security for Kubernetes
Advanced Cluster Security for Kubernetes is a Kubernetes-native security solution that provides security guardrails with minimal impact on developer velocity. It addresses six key use cases including vulnerability management, configuration management, risk profiling, network isolation, industry compliance and run-time threat detection.
Learn more about Red Hat Trusted Software Supply Chain