Product security is the foundation of our software delivery at Red Hat. Developing open source is extraordinary, and we strive for the best standards since our code is open. While this is a broad subject, my focus is secure development, specifically from the supply chain perspective.
Security as a culture
As an engineer on the Supply Chain team, the more I dive into software development, the more I have come to understand that security is a culture. It requires collective involvement from everyone in the organization.
When you create code, you play a role in contributing to your organization's culture.
Securing your code from the beginning means hardening your technology before starting a single line of code. One way to test secure architecture and code is through threat modeling—a core activity that should be implemented in the early design stages that builds trusted platforms with significant value. It’s a fundamental practice that helps to identify flaws before your code becomes a reality.
This is a simple yet powerful example that expands the concept of security beyond the code. Creating this mindset enables security at the core of your development process, which helps to identify and map weaknesses, clarifies the roadmap and points in the direction of what needs to be fortified. Being immersed in security as a culture can help you express your code in a way that reflects your corporate ideals.
Secure development best practices
I compare secure development with martial arts. Why? Because, like some martial arts, secure development requires “study, learning, practice, and constant devotion and patience to a master.” Adopting best practices in secure development is fundamental and must become part of your lifecycle. Following this holistic idea, we have the SSDF(Secure Software Development Framework), a set of security-focused and evolving software development practices. Adopting these practices ensures you keep your skills sharp and honed.
The Concise Guide for Developing More Secure Software from the OpenSSF is another list to reference these practices. This guide is part of the Best Practices for Open Source Developers project. It covers an extensive security checklist: ensuring privileges, choosing protected memory languages, improving package management and dependencies, improving code review rules, adding signatures and other insights that may help you build and distribute more secure open source software. This initiative includes earning badges as part of the OpenSSF Best Practices Badge Program. The OpenSSF also has the OpenSSF Secure Software Development Fundamentals, a set of courses designed to jump-start your knowledge in secure development.
Creating a well-defined vulnerability management process enables feedback collection and gap identification, which helps the secure development lifecycle to evolve.
A supply chain perspective
A software supply chain attack can happen when there is a compromise in artifacts, materials or processes used to create software. Supply chain security relies on securing software components and dependencies early in the software development lifecycle, as well as the attestation and validation of each of those processes, to create trusted products and packages that businesses and customers can rely on.
There is an ongoing and growing effort to create best practices and tools to aid the industry in improving risk mitigation against attacks. Some keys to securing software development in the supply chain are recurring themes throughout the best practice recommendations from the CNCF Software Supply Chain Best Practices. As tooling and guides evolve, the supply chain's best practices continue mentioning automation to simplify the process and avoid human errors. We see efforts such as the Supply chain Levels for Software Artifacts (SLSA) on the horizon.
SLSA is a security framework that can help automate your development pipeline to improve the supply chain security maturity, helping your source code have higher integrity and tampering avoidance. SLSA currently has four levels of compliance that can be achieved, with level four being the highest. When implementing the SLSA framework for your project and generating the automated provenance, you will be exposed to more tools, such as sigstore cosign. Sigstore exposes your sources to a signing process that helps in attestation and verification in an automated form.
These guidelines and tools are part of the starting point for securing development from the supply chain perspective.
Conclusion
Secure development is a constantly evolving practice, and it’s better applied as part of the organization's culture. Security best practices can take the development lifecycle to another level, and exploring this will inevitably challenge developers, designers, and architects.
Like a constantly improving martial art, supply chain security brings to the security floor the quest for achieving even more integrity and trustworthy results in software development and delivery. Empowered by the open source communities, new guidelines and tools are appearing to help improve supply chains across the industry.
While seeking excellence in this area, organizations, developers, and communities can count on open source projects, tools, and guidelines to quickly evolve and achieve a constantly improving secure software development lifecycle.
Learn more
À propos de l'auteur
Igor Brandao is a life-long learner who enjoys having a deep understanding of the internal workings of any system, network or electronic device. Brandao has 22+ years of experience in the IT field, with a focus on information security and open source technologies.
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Programmes originaux
Histoires passionnantes de créateurs et de leaders de technologies d'entreprise
Produits
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Services cloud
- Voir tous les produits
Outils
- Formation et certification
- Mon compte
- Assistance client
- Ressources développeurs
- Rechercher un partenaire
- Red Hat Ecosystem Catalog
- Calculateur de valeur Red Hat
- Documentation
Essayer, acheter et vendre
Communication
- Contacter le service commercial
- Contactez notre service clientèle
- Contacter le service de formation
- Réseaux sociaux
À propos de Red Hat
Premier éditeur mondial de solutions Open Source pour les entreprises, nous fournissons des technologies Linux, cloud, de conteneurs et Kubernetes. Nous proposons des solutions stables qui aident les entreprises à jongler avec les divers environnements et plateformes, du cœur du datacenter à la périphérie du réseau.
Sélectionner une langue
Red Hat legal and privacy links
- À propos de Red Hat
- Carrières
- Événements
- Bureaux
- Contacter Red Hat
- Lire le blog Red Hat
- Diversité, équité et inclusion
- Cool Stuff Store
- Red Hat Summit