Red Hat, a leading provider of open-source solutions, has unveiled enhancements to its trusted software supply chain by introducing new components. The update includes the Red Hat Trusted Application Pipeline and Red Hat Trusted Artifact Signer, aimed at simplifying cryptographic signing and verification of software artifacts. Additionally, the launch encompasses the Red Hat Trusted Profile Analyzer, a tool designed to help development teams identify malicious code and assess potential risks early in the development process.
These enhancements are geared towards enabling customers to integrate security measures earlier in the software development life cycle, adhere to industry regulations and compliance standards, and proactively address potential vulnerabilities. This proactive approach aligns with industry trends, with IDC forecasting that 75% of CIOs will integrate cybersecurity measures directly into systems and processes by 2027 to preemptively detect and neutralize vulnerabilities.
Red Hat’s Trusted Software Supply Chain provides software and services to bolster an organization’s resilience against vulnerabilities. This allows organizations to detect and mitigate potential issues early on, empowering them to code, build, deploy, and monitor their software more efficiently using trusted platforms and real-time security scanning and remediation.
Utilizing the open-source Sigstore project as a foundation, the Red Hat Trusted Artifact Signer enhances the trustworthiness of software artifacts within the supply chain. It simplifies the process of cryptographic signing and verification for developers and stakeholders, instilling confidence in the authenticity of software artifacts. Moreover, its identity-based signing via an integration with OpenID Connect eliminates the complexity of managing a centralized key management system.
The Red Hat Trusted Profile Analyzer offers visibility and insight into an application's codebase, enabling organizations to proactively address security issues and vulnerabilities. It serves as an authoritative source for security documentation, including the Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) documents.
The Red Hat Trusted Application Pipeline combines the capabilities of the Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's enterprise-grade internal developer platform, Red Hat Developer Hub. This delivers security-focused software supply chain capabilities through developer self-service templates, standardizing and expediting the onboarding of security-focused practices to enhance trust and transparency during code development.
The updated suite enables organizations to verify pipeline compliance, ensuring traceability and auditability in the CI/CD process. Suspicious build activity can be halted directly from the CI/CD pipeline, with vulnerability scanning and policy checks preventing progression into production.
The Red Hat Trusted Artifact Signer and Red Hat Trusted Application Pipeline are now available, with the Red Hat Trusted Profile Analyzer expected for general release within the quarter.
Sarwar Raza, Vice President and General Manager of the Application Developer Business Unit at Red Hat, emphasized the importance of integrating security capabilities into every phase of the software development life cycle to mitigate evolving security threats.
Jim Mercer, Program Vice President of Software Development, DevOps, and DevSecOps at IDC, praised Red Hat’s commitment to securing open-source software and extending its security diligence to help customers manage their software supply chains.