피드 구독

At Red Hat, we strive for transparency with our customers. It is who we are. It is what we do. But transparency in product security can be tricky. We must provide our customers with the information they need to make informed decisions without opening ourselves or them up to attacks. With the uptick in software supply chain attacks over the last couple of years, we have harnessed a particular focus on software supply chain security within our Product Security organization.

SLSA: a framework for software supply chains

There are many frameworks out there, such as the Secure Software Development Framework (SSDF), and other NIST publications helping organizations like ours deliver trustworthy environments during our productization process. The Open Source Security Foundation (OpenSSF), in collaboration with several companies including Red Hat, recently published version 0.1 of a new security framework targeted specifically for software supply chains aligned with SSDF—Supply chain Levels for Software Artifacts (SLSA). 

For those who are unfamiliar, SLSA is an OpenSSF framework for measuring the security maturity of a software supply chain. It uses a tiered approach (levels 1-4) to evaluate the security controls of a given software supply chain and specific actions the development organization takes during the productization process. 

While the framework is still evolving, this marks an exciting addition to a supply chain-specific guidance. The framework allows our customers to have an organized approach to what they are looking for in supply chain security. 

Simply asking for a software bill of materials (SBOM) or code-scanning report is too vague and not encompassing. This framework allows novices and experts alike to understand software supply chain security fundamentals such as source version controls, build hardening and isolation, provenance and signing, and dependency control. 

How Red Hat incorporates SLSA controls

At Red Hat, we target controls from a myriad of industry frameworks within our productization process. For SLSA, we are focusing on the requirements to attain levels 3 and 4 throughout our pipelines. SLSA controls will make it easier for developers to know their environments are trustworthy and provide our customers with a framework template to ask questions and better understand our security posture as well as their own. 

Many SLSA requirements address practices we have instituted for quite some time, such as scripted builds, version controls, and common requirements. However, an open source community-driven framework in a consumable model, like SLSA, is essential to attestation.

We have created the following mapping to help customers, industry partners, and security novices understand the correlation between SLSA and existing frameworks. We will continue to evaluate the SLSA framework, participate in its evolution, and determine what that means for Red Hat. We appreciate the collaboration that made SLSA what it is today, and we look forward to its progress. For those interested in supply chain security, keep an eye out for what Red Hat has in store.


저자 소개

Emmy Eide started at Red Hat in May 2021, forming then leading the group responsible for software supply chain security at Red Hat. Eide is from the Pacific Northwest in the United States and has been leading in security since 2011.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리