At Red Hat, we strive for transparency with our customers. It is who we are. It is what we do. But transparency in product security can be tricky. We must provide our customers with the information they need to make informed decisions without opening ourselves or them up to attacks. With the uptick in software supply chain attacks over the last couple of years, we have placed a particular focus on software supply chain security within our Product Security organization.
SLSA: a framework for software supply chains
There are many frameworks out there, such as the Secure Software Development Framework (SSDF) and other NIST publications, that help organizations like ours deliver trustworthy environments during our productization process. The Open Source Security Foundation (OpenSSF), in collaboration with several companies including Red Hat, recently published version 0.1 of a new security framework targeted specifically at software supply chains and aligned with SSDF: Supply chain Levels for Software Artifacts (SLSA).
For those who are unfamiliar, SLSA is an OpenSSF framework for measuring the security maturity of a software supply chain. It uses a tiered approach (levels 1-4) to evaluate the security controls of a given software supply chain and specific actions the development organization takes during the productization process.
While the framework is still evolving, this marks an exciting addition to supply chain-specific guidance. The framework gives our customers an organized approach to what they should be looking for in supply chain security.
Simply asking for a software bill of materials (SBOM) or a code-scanning report is too vague and not comprehensive. This framework allows novices and experts alike to understand software supply chain security fundamentals such as source version control, build hardening and isolation, provenance and signing, and dependency control.
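As an added illustration of the "provenance" fundamental above (example code written for this page, not Red Hat's or the SLSA project's own tooling), here is a consumer-side policy check over a SLSA v0.1 provenance statement in its in-toto Statement form. The builder id, repository URI and artifact bytes are constructed sample values; the check assumes the DSSE envelope signature over the statement has already been verified separately.

```python
import hashlib

# Constructed sample artifact standing in for a released tarball.
ARTIFACT = b"example release tarball contents"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Minimal in-toto Statement carrying a SLSA v0.1 provenance predicate.
# Builder id and material URI are constructed placeholders, not real hosts.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example-1.0.tar.gz",
                 "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v0.1",
    "predicate": {
        "builder": {"id": "https://build.example.invalid/hosted-builder"},
        "recipe": {"type": "https://example.invalid/Makefile",
                   "definedInMaterial": 0},
        "materials": [
            {"uri": "git+https://git.example.invalid/example.git",
             "digest": {"sha1": "a" * 40}},
        ],
    },
}

# Builders the consumer is willing to trust (constructed policy).
TRUSTED_BUILDERS = {"https://build.example.invalid/hosted-builder"}


def verify_provenance(statement, artifact, trusted_builders):
    """Return a list of policy failures; an empty list means the artifact passes.

    Assumes the envelope signature over `statement` was already verified.
    """
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        failures.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.1":
        failures.append("unexpected predicate type")
    # The artifact we hold must be one of the subjects the provenance describes.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not among provenance subjects")
    predicate = statement.get("predicate", {})
    builder = predicate.get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder!r}")
    # Every input must be pinned by a digest, or the build cannot be traced.
    for material in predicate.get("materials", []):
        if not material.get("digest"):
            failures.append(f"material without digest: {material.get('uri')}")
    return failures
```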
How Red Hat incorporates SLSA controls
At Red Hat, we target controls from a myriad of industry frameworks within our productization process. For SLSA, we are focusing on the requirements to attain levels 3 and 4 throughout our pipelines. SLSA controls will make it easier for developers to know their environments are trustworthy and provide our customers with a framework template to ask questions and better understand our security posture as well as their own.
Many SLSA requirements address practices we have instituted for quite some time, such as scripted builds, version controls, and common requirements. However, an open source community-driven framework in a consumable model, like SLSA, is essential to attestation.
We have created the following mapping to help customers, industry partners, and security novices understand the correlation between SLSA and existing frameworks. We will continue to evaluate the SLSA framework, participate in its evolution, and determine what that means for Red Hat. We appreciate the collaboration that made SLSA what it is today, and we look forward to its progress. For those interested in supply chain security, keep an eye out for what Red Hat has in store.
About the author
Emmy Eide started at Red Hat in May 2021, forming then leading the group responsible for software supply chain security at Red Hat. Eide is from the Pacific Northwest in the United States and has been leading in security since 2011.