At Red Hat, we strive for transparency with our customers. It is who we are. It is what we do. But transparency in product security can be tricky. We must provide our customers with the information they need to make informed decisions without opening ourselves or them up to attacks. With the uptick in software supply chain attacks over the last couple of years, we have harnessed a particular focus on software supply chain security within our Product Security organization.
SLSA: a framework for software supply chains
There are many frameworks out there, such as the Secure Software Development Framework (SSDF), and other NIST publications helping organizations like ours deliver trustworthy environments during our productization process. The Open Source Security Foundation (OpenSSF), in collaboration with several companies including Red Hat, recently published version 0.1 of a new security framework targeted specifically for software supply chains aligned with SSDF—Supply chain Levels for Software Artifacts (SLSA).
For those who are unfamiliar, SLSA is an OpenSSF framework for measuring the security maturity of a software supply chain. It uses a tiered approach (levels 1-4) to evaluate the security controls of a given software supply chain and specific actions the development organization takes during the productization process.
While the framework is still evolving, this marks an exciting addition to a supply chain-specific guidance. The framework allows our customers to have an organized approach to what they are looking for in supply chain security.
Simply asking for a software bill of materials (SBOM) or code-scanning report is too vague and not encompassing. This framework allows novices and experts alike to understand software supply chain security fundamentals such as source version controls, build hardening and isolation, provenance and signing, and dependency control.
How Red Hat incorporates SLSA controls
At Red Hat, we target controls from a myriad of industry frameworks within our productization process. For SLSA, we are focusing on the requirements to attain levels 3 and 4 throughout our pipelines. SLSA controls will make it easier for developers to know their environments are trustworthy and provide our customers with a framework template to ask questions and better understand our security posture as well as their own.
Many SLSA requirements address practices we have instituted for quite some time, such as scripted builds, version controls, and common requirements. However, an open source community-driven framework in a consumable model, like SLSA, is essential to attestation.
We have created the following mapping to help customers, industry partners, and security novices understand the correlation between SLSA and existing frameworks. We will continue to evaluate the SLSA framework, participate in its evolution, and determine what that means for Red Hat. We appreciate the collaboration that made SLSA what it is today, and we look forward to its progress. For those interested in supply chain security, keep an eye out for what Red Hat has in store.
저자 소개
Emmy Eide started at Red Hat in May 2021, forming then leading the group responsible for software supply chain security at Red Hat. Eide is from the Pacific Northwest in the United States and has been leading in security since 2011.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.