You wouldn’t want to buy the equipment you use to run your business from some sketchy guy dealing in a convenience store parking lot.
That’s what it’s like to use open-source libraries to build enterprise software. Open source is not inherently insecure: public access to the code lets a broad community find and fix vulnerabilities quickly, and that community is, in the aggregate, honest. But the growing prevalence and complexity of open-source software in the enterprise gives the small, dishonest minority more opportunities to create big problems.
That’s the problem that Red Hat is addressing with the Red Hat Trusted Software Supply Chain, introduced at the Red Hat Summit Tuesday. The service tracks where open-source components come from and whether they are trustworthy.
“We want to be able to provide customers with the added assurance that the bits they are deploying are, in fact, safe and secure,” Sudhir Prasad, Red Hat director of product management, said during a press Q&A Friday.
A world with few guardrails
Prasad noted “There's a growing dependence on open source. Yet we still live in a world where there are few guardrails and developers can pull content from unverified sources, from public repos, put it into your pipeline, deploy to production, and now you have a vulnerability or a potential for vulnerability down the line.”
The toolset includes two new cloud services: Red Hat Trusted Application Pipeline and Red Hat Trusted Content.
Red Hat faces the same problem Trusted Software Supply Chain is designed to solve. For more than 30 years, Red Hat has been building open-source software, and it has had to closely monitor the provenance and trustworthiness of the code it bets its business on.
Now, 75% of application code bases are made up of open-source code, and software supply chain attacks have soared 742% since 2020, Red Hat says. Securing the open-source supply chain used to be a problem for a few niche open-source software vendors; now, it’s everybody’s problem.
Red Hat Trusted Content, available as a service preview in the coming weeks, delivers security-enhanced systems software with provenance and attestation, including thousands of trusted packages in Red Hat Enterprise Linux and a catalog of critical Java, Node and Python application runtimes. It provides information about vulnerabilities and security risks, along with remediations when security vulnerabilities creep in later in the development cycle or in production.
Increasing compliance pressure
Meanwhile, Red Hat Trusted Application Pipeline, available as a service preview today, provides secure Continuous Integration/Continuous Delivery (CI/CD) services for containerized Linux applications that can be easily deployed onto Red Hat OpenShift or other Kubernetes platforms, automating steps that would otherwise be performed manually.
The new services join existing Red Hat software and cloud services, including Quay and Advanced Cluster Security, to advance the adoption of DevSecOps practices and embed security into the software development lifecycle, Red Hat said in a statement.
Government entities, including the White House and the National Institute of Standards and Technology (NIST) in the US as well as European governments, are putting pressure on enterprises to secure technology infrastructure, looking specifically at open source and its supply chains and applying compliance requirements.
Red Hat is serving an important need for securing the software supply chain that nobody other than Google, with its Supply-Chain Levels for Software Artifacts (SLSA), is trying to fill, IDC analyst Al Gillen said in an interview. Other vendors are offering point solutions, but Red Hat’s offering is complete. And SLSA only works with Google Cloud Platform, while the Red Hat software is platform-agnostic.
“For Red Hat to make this move is brilliant,” Gillen said. “They already have a secure supply chain process they built for building Red Hat Enterprise Linux, Ansible and OpenShift. They’ve been using that for years, but they’ve never made it available to customers in this kind of capacity before. This sets the stage for Red Hat to establish itself as a leader in this position. And they have the size and credibility with the open source world to pull this off effectively.”
Red Hat could expand its customer base beyond companies using its software to enterprises using other Linux distributions or deploying software directly on cloud platforms without regard to the underlying Linux distro, Gillen said.