UPDATED 09:00 EDT / MAY 23 2023

SECURITY

Red Hat turns its software supply chain practices into products

Red Hat Inc. is betting that software development organizations will be willing to pay for the lessons it has learned over 30 years of working with open-source software at a time when software supply-chain attacks are proliferating.

At its annual Red Hat Summit conference today, the company is launching Trusted Software Supply Chain, an offering that consists of two new cloud services called Red Hat Trusted Application Pipeline and Red Hat Trusted Content.

Software supply chain attacks occur when malicious code is inserted into software from a trusted provider, typically during the distribution or update process. The problem has gained particular urgency with the rapid adoption of open-source code, which is now found in nearly every software package regardless of license.

A 2022 analysis of more than 2,400 commercial code bases by Synopsys Inc. found that 97% contained open-source components and 81% had at least one vulnerability. Nearly nine in 10 applications included components that had not been updated in more than two years.

‘Few guardrails’

“We live in a world where there are few guardrails; developers can pull content from unverified sources, put it in your pipeline, deploy to production, and now you have a vulnerability or a potential vulnerability down the line,” said Sarwar Raza, general manager of cloud services at Red Hat.

Noting that supply chain attacks have skyrocketed by more than 740% annually over the past three years, Red Hat said it will provide a catalog of more than 10,000 trusted packages that run on Red Hat Enterprise Linux alone as well as a catalog of critical application runtimes across Java, Node and Python ecosystems.

Trusted Application Pipeline is based on Sigstore, an automated approach to digitally signing and checking software components to verify origins and authenticity that its developers say is nearly impossible to sabotage. The pipeline is a continuous integration/continuous delivery mechanism that simplifies the adoption of the same processes, technologies and expertise that Red Hat uses to build production software.

Customers will be able to use the Trusted Application Pipeline to import git repositories and configure container-native continuous build, test and deployment pipelines via a cloud service; inspect source code and transitive dependencies; automatically generate software bills of materials, or SBOMs, within builds; and verify and promote container images via an enterprise contract policy engine that helps confirm consistency with industry standards like Supply-chain Levels for Software Artifacts (SLSA).

SBOMs are increasingly being used to protect against supply chain attacks and were cited in the Biden Administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity as critical to securing software supply chains. The National Institute of Standards and Technology, Food and Drug Administration and several European governments now strongly encourage their use.
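The "verify and promote" step described above comes down to a policy gate run over two inputs: a provenance attestation that binds the built artifact's digest to the builder that produced it (in a Sigstore-based pipeline, that digest is what the signature covers), and the SBOM generated during the build. The following is an added illustration, not Red Hat's code and not the enterprise contract engine itself: a small stdlib-only Python gate that refuses to promote a build when the artifact's digest does not match its attestation, when the builder is not on the allowed list, when a component comes from a supplier outside the trusted catalog, or when a known vulnerability exceeds the severity the policy tolerates. The artifact bytes, the attestation and SBOM field names, the supplier and builder names, and the vulnerability identifier are all constructed sample values; real signature verification is left to tooling such as cosign.

```python
"""Added example (not Red Hat's code): a minimal 'may this build be promoted?'
policy gate over a provenance attestation and an SBOM. All data below is
constructed for illustration; field names and policy keys are assumptions."""
import hashlib
import json

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed build output standing in for a container image or binary.
ARTIFACT = b"example-app build output 1.0.0\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed provenance attestation. In a Sigstore-based pipeline the
# subject digest is what the signature covers, so a mismatch means the bits
# being promoted are not the bits that were built and signed.
ATTESTATION = {
    "subject_digest": "sha256:" + sha256_hex(ARTIFACT),
    "builder": "trusted-pipeline.example",                 # assumed identity
    "source_repo": "https://git.example/org/example-app",  # constructed
}

# Constructed SBOM in a CycloneDX-like shape (field names are assumptions).
SBOM = {
    "components": [
        {"name": "libfoo", "version": "2.4.1",
         "supplier": "registry.access.redhat.com", "vulns": []},
        {"name": "leftpad", "version": "0.0.3",
         "supplier": "unverified-mirror.example", "vulns": []},
        {"name": "parser-lib", "version": "1.9.0",
         "supplier": "registry.access.redhat.com",
         "vulns": [{"id": "VULN-PLACEHOLDER-1", "severity": "high"}]},
    ]
}

# The "enterprise contract": what a build must satisfy to be promoted.
POLICY = {
    "allowed_suppliers": {"registry.access.redhat.com"},
    "allowed_builders": {"trusted-pipeline.example"},
    "max_severity": "medium",
}


def check_provenance(artifact: bytes, attestation: dict, policy: dict) -> list:
    """Bind the artifact to its attestation: digest must match, builder must be allowed."""
    violations = []
    actual = "sha256:" + sha256_hex(artifact)
    attested = attestation.get("subject_digest")
    if actual != attested:
        violations.append(f"digest mismatch: attested {attested} != actual {actual}")
    builder = attestation.get("builder")
    if builder not in policy["allowed_builders"]:
        violations.append(f"untrusted builder: {builder}")
    return violations


def check_sbom(sbom: dict, policy: dict) -> list:
    """Every component must come from an allowed supplier and carry no
    vulnerability above the policy's severity threshold."""
    violations = []
    limit = SEVERITY_RANK[policy["max_severity"]]
    for comp in sbom.get("components", []):
        label = f"{comp['name']}@{comp['version']}"
        supplier = comp.get("supplier")
        if supplier not in policy["allowed_suppliers"]:
            violations.append(f"{label}: supplier not allowed ({supplier})")
        for vuln in comp.get("vulns", []):
            # Unknown severity strings are treated as critical (fail closed).
            if SEVERITY_RANK.get(vuln["severity"], 4) > limit:
                violations.append(
                    f"{label}: {vuln['id']} severity {vuln['severity']} "
                    f"exceeds {policy['max_severity']}")
    return violations


def evaluate(artifact: bytes, attestation: dict, sbom: dict, policy: dict) -> dict:
    """Return the promotion decision and every reason it was refused."""
    violations = (check_provenance(artifact, attestation, policy)
                  + check_sbom(sbom, policy))
    return {"promote": not violations, "violations": violations}


if __name__ == "__main__":
    print(json.dumps(evaluate(ARTIFACT, ATTESTATION, SBOM, POLICY), indent=2))
```

Run as written, the gate refuses the sample build for two reasons (the unverified-mirror component and the high-severity finding) and reports both rather than stopping at the first; appending a single byte to the artifact adds a third, the digest mismatch, which is the case a signature-bound digest exists to catch.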

Safe catalog

Red Hat Trusted Content, which will be available as a service preview within a few weeks, will provide real-time knowledge of known vulnerabilities and security risks within open-source software dependencies. It will also suggest ways to minimize risk and provide access to Red Hat-built and curated open-source software using the company’s internal best practices.

“We’re basically making explicit the proof points of trust for all of the thousands and thousands of open-source packages that you can get from Red Hat today,” Raza said. “We want to be able to provide customers with the added assurance that the bits they’re deploying are, in fact, safe and secure, and if a vulnerability does show up later on, we can point them to the best sources of content and remediation and intelligence to fix those issues.”

In short, the Trusted Supply Chain offering will enable developers “to provide provenance information to your customers about the software you just built the same way that we do at Red Hat,” said Sudhir Prasad, a Red Hat director of product management.

The company believes it is uniquely positioned to deliver on its promise because of its decades of experience, he said. Competitors “don’t necessarily have the established trust and library of content and information about all that content to solve a big problem,” he said.

Managed Kubernetes security

Also in the security realm, Red Hat today is introducing an Advanced Cluster Security Cloud Service that delivers security capabilities native to the Kubernetes software container orchestrator as a managed cloud service. The offering is independent of the underlying Kubernetes platform and can be deployed in minutes, the company said.

It supports Red Hat OpenShift on private and public clouds as well as Kubernetes services across major cloud providers, including Amazon Web Services Inc.’s Elastic Kubernetes Service, Google LLC’s Kubernetes Engine and Microsoft Corp.’s Azure Kubernetes Service.

Developed by container and Kubernetes threat detection company StackRox Inc., which Red Hat acquired two years ago, the service builds Kubernetes-native security into the entire application and platform lifecycle and helps organizations evolve the agile DevSecOps discipline, in which security is integrated into developer tooling and workflows, the company said.

Photo: Pixabay
