Red Hat Blog

Traditional vulnerability management uses a singular “patch all things” approach that is ineffective and costly. It’s time we shifted to adopting appropriate risk-based approaches that consider more than an exclusive focus on patching security issues. Organizations are increasingly called upon to navigate a complex cybersecurity landscape which is more than just potential threats and attacks. It also includes the complexity and sheer volume of software. This requires going beyond “security by compliance” and utilizing comprehensive risk assessment, appropriate prioritization of resou

There has been a huge increase in demand for running complex systems with tens to hundreds of microservices at massive scale. End users expect 24/7 availability of services they depend on, so even a few minutes of downtime matters. A proactive chaos engineer helps meet user expectations by identifying bottlenecks, hardening services before downtime occurs in a production environment. Chaos engineering is vital to avoid losing trust with your end users.To help address the need for a resilient Kubernetes platform and provide improved user experiences, Red Hat collaborates with the open source co

On October 11, 2023, The United States Defense Information Systems Agency (DISA) published their Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux (RHEL) 9. A compliance automation profile is now available, reducing the time and complexity necessary to bring systems into compliance.Red Hat’s compliance automation profile for RHEL 9 is aligned with the Version 1, Release 1 (V1R1) of the STIG. Using this profile, organizations can more swiftly increase their systems compliance status by utilizing the scap-security-guide package with its pre-built Ansible Playbooks and

The Center for Internet Security (CIS) released the first version of the CIS Benchmark for Red Hat Enterprise Linux (RHEL) 9 on Nov 28, 2022, providing a set of 255 recommended security controls organized in two different levels for RHEL 9 servers and workstations.CIS Benchmarks for RHEL are created in a collaborative and transparent way in the CIS community, where the active participation of Red Hat engineers contributes to high quality standards aligned to the best practices for RHEL while also bringing value to Fedora and other community Linux distributions. The Red Hat Security Compliance

Trust is something we encounter every day in many different contexts, whether it’s with people, institutions or products. With trust comes vulnerability–an especially uncomfortable concept for those of us primarily concerned with security. No one wants their systems to be vulnerable, but if you really want to understand the security posture of your system, you need to understand what you are trusting and how it could expose you.What is trust?Zero trust is a term that’s getting a lot of buzz, but it can be a bit of a misnomer. It's not so much zero trust, but zero implicit trust. Nothing

Protecting intellectual property and proprietary artificial intelligence (AI) models has become increasingly important in today's business landscape. Unauthorized access can have disastrous consequences with respect to competitiveness, compliance and other vital factors, making it essential to implement leading security measures. Confidential computing is one of these technologies, using hardware-based trusted execution environments (TEEs) to create enclaves with strengthened security postures. These enclaves help protect sensitive data and computations from unauthorized access, even by pr

When designing your CI/CD pipelines, security should not be an afterthought for application development. A comprehensive security approach—from code development to implementation—needs to start at Day 0. According to the State of Software Supply Chain report, there has been a 742% average annual rise in software supply chain attacks over the past three years. A Cost of a Data Breach report found that 20% of data breaches are due to a compromised software supply chain. Possibly as a result, almost 1 in 3 respondents of the State of Kubernetes Security report experienced revenue

Runtime pertains to the active execution of a system, which may encompass infrastructure, applications operating within containers, or local systems. Runtime security refers to the security measures implemented while the application is actively running. This is especially important, as revealed by the State of Kubernetes Security Report 2023, where it was observed that 49% of security incidents pertaining to containers and Kubernetes occurred during the runtime phase. Runtime security tools can help to overcome challenges by providing observability and continuous visibility to security tea

This is the third post in a series of blogs looking at cybersecurity focusing on Critical National Infrastructure (CNI) organizations. This post identifies where Red Hat can help organizations reduce their risk using their technology, training, and services. Enterprise security challenges for CNI organizations: Overview Enterprise security challenges for CNI organizations: People and processes Enterprise security challenges for CNI organizations: Technical solutions How can Red Hat help ? Red Hat provides trusted open source software that helps organizations implement security

Red Hat Product Security is pleased to announce that official Red Hat vulnerability data is now available in a new format called the Vulnerability Exploitability eXchange (VEX). In April 2023, we mentioned in an article titled “The future of Red Hat security data”, that Red Hat was working on providing a new security data format. This new format has been created to replace the old OVAL data format, which we aim to deprecate at the end of 2024. Since February 2023, Red Hat has published Red Hat security advisories (RHSAs) in the CSAF format as an official, recommended authoritative sourc