Suscríbase al feed

At Red Hat, we strive for transparency with our customers. It is who we are. It is what we do. But transparency in product security can be tricky. We must provide our customers with the information they need to make informed decisions without opening ourselves or them up to attacks. With the uptick in software supply chain attacks over the last couple of years, we have harnessed a particular focus on software supply chain security within our Product Security organization.

SLSA: a framework for software supply chains

There are many frameworks out there, such as the Secure Software Development Framework (SSDF), and other NIST publications helping organizations like ours deliver trustworthy environments during our productization process. The Open Source Security Foundation (OpenSSF), in collaboration with several companies including Red Hat, recently published version 0.1 of a new security framework targeted specifically for software supply chains aligned with SSDF—Supply chain Levels for Software Artifacts (SLSA). 

For those who are unfamiliar, SLSA is an OpenSSF framework for measuring the security maturity of a software supply chain. It uses a tiered approach (levels 1-4) to evaluate the security controls of a given software supply chain and specific actions the development organization takes during the productization process. 

While the framework is still evolving, this marks an exciting addition to a supply chain-specific guidance. The framework allows our customers to have an organized approach to what they are looking for in supply chain security. 

Simply asking for a software bill of materials (SBOM) or code-scanning report is too vague and not encompassing. This framework allows novices and experts alike to understand software supply chain security fundamentals such as source version controls, build hardening and isolation, provenance and signing, and dependency control. 

How Red Hat incorporates SLSA controls

At Red Hat, we target controls from a myriad of industry frameworks within our productization process. For SLSA, we are focusing on the requirements to attain levels 3 and 4 throughout our pipelines. SLSA controls will make it easier for developers to know their environments are trustworthy and provide our customers with a framework template to ask questions and better understand our security posture as well as their own. 

Many SLSA requirements address practices we have instituted for quite some time, such as scripted builds, version controls, and common requirements. However, an open source community-driven framework in a consumable model, like SLSA, is essential to attestation.

We have created the following mapping to help customers, industry partners, and security novices understand the correlation between SLSA and existing frameworks. We will continue to evaluate the SLSA framework, participate in its evolution, and determine what that means for Red Hat. We appreciate the collaboration that made SLSA what it is today, and we look forward to its progress. For those interested in supply chain security, keep an eye out for what Red Hat has in store.


Sobre el autor

Emmy Eide started at Red Hat in May 2021, forming then leading the group responsible for software supply chain security at Red Hat. Eide is from the Pacific Northwest in the United States and has been leading in security since 2011.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Navegar por canal

automation icon

Automatización

Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos

AI icon

Inteligencia artificial

Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar

open hybrid cloud icon

Nube híbrida abierta

Vea como construimos un futuro flexible con la nube híbrida

security icon

Seguridad

Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías

edge icon

Edge computing

Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge

Infrastructure icon

Infraestructura

Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo

application development icon

Aplicaciones

Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones

Original series icon

Programas originales

Vea historias divertidas de creadores y líderes en tecnología empresarial