Red Hat will explore how to manage risk in the digital supply chain during Feb. 15 event
When one major breach technique becomes successful, it’s a sure bet that rapid adoption by threat actors will follow.
This maxim has become more evident following a successful attack on the software supply chain through a breach of SolarWinds Inc. more than one year ago. Software supply chain attacks grew 650% in 2021, according to a report by security provider Sonatype Inc. This was further underscored by the vulnerability recently disclosed in Log4j, a popular Java logging tool.
Red Hat Inc. and theCUBE, SiliconANGLE Media’s livestreaming studio, will tackle these topics and more during the “How to Manage Digital Risk by Securing Your Software Supply Chain” event, airing Feb. 15.
‘Securing Your Software Supply Chain’ event takes aim at reducing digital risk
Vulnerabilities in the open-source supply chain make these issues especially troubling given how widely open-source tools are used. The Sonatype data showed that JavaScript developers downloaded 1.5 trillion open-source packages in 2021. At this scale, malicious code in even a small percentage of these packages could spread far and wide.
“The power of the supply chain, as an amplifying factor, is starting to get exploited really well by the attackers,” Ben Fischer, emerging security technology advocate at Red Hat Inc., said during an interview with theCUBE, SiliconANGLE Media’s livestreaming studio. “It’s literally exploding in terms of the threats happening in the supply chain attacks. You should be thinking about where software is being downloaded from; there are lots of sites and lots of ways to get it.”
How organizations can avoid and minimize breaches in an enterprise information technology environment under attack will be the focus of the “How to Manage Digital Risk by Securing Your Software Supply Chain” event on Feb. 15. The event will feature interviews with experts who will discuss where the greatest threats exist, how to think about open source versus commercial software, and ways that organizations can reduce risks going forward. (* Disclosure below.)
Transparency and trust
As described in a blog post by Chris Wright, Red Hat’s senior vice president and chief technology officer, the company’s philosophy around supply chain security is grounded in an “open approach.” Transparency, partnership and trust are the principles behind what it will take to secure the software supply chain.
Using OpenShift Container Platform as the foundation, Red Hat brings together trusted third-party tools and prescriptive workflows for best practices, including test-driven development and continuous integration/continuous deployment.
The objective is to create a virtual “warehouse club” where users can shop for the software tool they need without worrying about where it came from or what it might contain, according to Fischer. It is part of the open-source ethos to foster transparency and openness within the community of enterprise developers.
“In that transparency and collaboration there is a review of all of the code that gets submitted,” Fischer said. “You could download any bit of open-source software that Red Hat sells, and you can run it today. Red Hat plays a role in that we curate that software. We’re trying to pick the best piece of software that we feel we can trust.”
Fostering accountability
In addition to Red Hat’s work to foster trust in the software supply chain, there is a push within the tech community for a software bill of materials, or SBOM. An Executive Order issued by the White House in May called for an SBOM as part of a series of recommendations for securing the supply chain.
More recently, the Linux Foundation released a “State of Software Bill of Materials and Cybersecurity Readiness” report, which found that while 78% of organizations surveyed expect to produce or consume SBOMs in 2022, only 47% are actively using them.
At a minimum, the Linux Foundation report provided an encouraging signal that awareness surrounding SBOMs and the need for software accountability is growing, making Red Hat’s event on Feb. 15 all the more timely.
“Just because you downloaded it from a site, you don’t know who posted it,” Fischer noted. “The SBOM will give you an understanding of who’s accountable, who actually wrote the software or made the patch or submitted the last update to a branch. At some point, you need to know who did this to verify if something is trustworthy.”
Livestream of Red Hat’s ‘Securing Your Software Supply Chain’ event
Red Hat’s “How to Manage Digital Risk by Securing Your Software Supply Chain” event will feature interviews to be broadcast on theCUBE. Add this event to your calendar to watch the event live. Plus, you can watch theCUBE interviews here on demand after the live event.
How to watch theCUBE interviews
We offer you various ways to watch Red Hat’s “How to Manage Digital Risk by Securing Your Software Supply Chain” event, including theCUBE’s dedicated website and YouTube channel. You can also get all the coverage from this year’s events on SiliconANGLE.
TheCUBE Insights podcast
SiliconANGLE also has podcasts available of archived interview sessions, available on iTunes, Stitcher and Spotify, which you can enjoy while on the go.
Guests
During Red Hat’s “How to Manage Digital Risk by Securing Your Software Supply Chain” event, theCUBE will talk with Red Hat’s Vincent Danen, vice president of product security; Luke Hinds, security engineering lead from the Office of the CTO; and Kirsten Newcomer, director of cloud and DevSecOps strategy.
During the livestream, theCUBE will also talk with Red Hat’s Andrea Hall, specialist solution architect and project manager for security and compliance, and Andrew Block, distinguished architect.
(* Disclosure: TheCUBE is a paid media partner for the “How to Manage Digital Risk by Securing Your Software Supply Chain” event. Neither Red Hat, the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)