Red Hat Trusted Software Supply Chain enhances an organization’s resilience to vulnerabilities

Red Hat announced Red Hat Trusted Software Supply Chain, a comprehensive solution that enhances resilience to software supply chain vulnerabilities.

As part of this solution, two new cloud services, Red Hat Trusted Application Pipeline and Red Hat Trusted Content, join existing Red Hat software and cloud services including Quay and Advanced Cluster Security (ACS) to advance the successful adoption of DevSecOps practices, and embed security into every stage of the software development lifecycle.

With Red Hat Trusted Software Supply Chain, customers can more quickly and efficiently code, build and monitor their software using proven platforms, certified content and real-time security scanning and remediation.

The solution builds on Red Hat’s 30+ years of customer and industry trust, earned by consistently delivering hardened open source solutions that make it easier for enterprises to accelerate hybrid cloud adoption while still retaining an effective IT security posture.

Red Hat trusted software supply chain

With 75% of application code bases now consisting of open source code, regulators and government agencies are putting these components under greater scrutiny, especially as software supply chain attacks have soared 742% since 2020. To help mitigate these risks, customers seek to integrate guardrails into their software supply chain and development life cycles to accelerate innovation without compromising security.

The software and services delivered as part of Red Hat Trusted Software Supply Chain enhance an organization’s resilience to vulnerabilities across every stage of the modern software development lifecycle.

Red Hat Trusted Content builds on a foundation of security-enhanced systems software, with over 10,000 trusted packages in Red Hat Enterprise Linux alone as well as a catalog of critical application runtimes across Java, Node and Python ecosystems. The service intends to provide customers with the largest trusted content library in the industry.

The basis for Red Hat Trusted Application Pipeline comes from Red Hat’s foundational work in the creation, launch and maintenance of sigstore, which provides a freely-available standard for cloud-native secure signing, as well as providing critical pieces of shared security infrastructure to many upstream communities.

Trusted Application Pipeline offers a security-forward Continuous Integration/Continuous Delivery (CI/CD) service that simplifies the adoption of the processes, technologies and expertise that Red Hat uses to build production software.

Bridging software innovation with source code security

Available as a service preview in the coming weeks, Red Hat Trusted Content will provide developers with real-time knowledge of known vulnerabilities and security risks within their open source software dependencies. The service will also suggest possible remediations to minimize risks, helping to reduce development time and cost.

Red Hat Trusted Content provides access to Red Hat-built and -curated open source software content, with full provenance and attestation, using Red Hat’s internal best practices to meet regulatory and compliance requirements.

Post-development, the service proactively monitors and alerts users of new and emerging risks in their open source dependencies, allowing for quicker remediation of emerging threats.

Red Hat Trusted Application Pipeline, available as a service preview now, helps customers enhance the security of application software supply chains with an integrated CI/CD pipeline. Applications can be more securely built and more easily integrated into Linux containers and then deployed onto Red Hat OpenShift or other Kubernetes platforms with just a few clicks.

Previously, this was frequently a highly-manual process, with hundreds of lines of automation code required for building, testing and deploying containerized applications. This introduces potential for friction and human error, adding new risk points and slowing overall velocity.

With Red Hat Trusted Application Pipeline, Red Hat customers can:

• Import git repositories and configure container-native continuous build, test, and deployment pipelines via a cloud service in just a few steps.
• Inspect source code and transitive dependencies
• Auto-generate Software Bill of Materials (SBOMs) within builds
• Verify and promote container images via an enterprise contract policy engine that helps confirm consistency with industry standards like Supply chain Levels for Software Artifacts (SLSA).

“IT organizations can no longer be concerned solely with creating production applications. They also need to enhance the security of the components that actually make up the final product. Verifying the provenance of open source components, along with continually scanning both the code moving through delivery pipelines and the delivery pipelines themselves, along with enforcing robust development and delivery practices, can be a significant challenge for CIOs, said Sarwar Raza, VP and GM, Cloud Services, Red Hat.

“Red Hat Trusted Software Supply Chain is designed to remedy these needs by codifying Red Hat’s decades of experience in open source software supply chains into easily-integrated and easily-consumed services, helping to not only build trust around production applications but also bring them to market more quickly,” concluded Raza.

“Supply chain security is one of the most important priorities facing enterprise IT organizations today, especially as more and more business-critical systems and applications incorporate or leverage open source artifacts. Red Hat Trusted Software Supply Chain Security builds on top of Red Hat’s longstanding internal supply chain pipelines and processes, and is a major step forward for the industry when it comes to building secure modern applications,” said Al Gillen, group VP, Development and Open Source, IDC.

“Equally important, this product opens up Red Hat’s solution set to the developer community beyond the existing Red Hat ecosystem, meaning every modern application developer – not just RHEL developers – can benefit from this solution,” added Gillen.