Red Hat 계정으로 회원 프로필, 기본 설정 및 고객 상태에 따라 다음의 서비스에 액세스할 수 있습니다.
아직 등록하지 않으셨습니까? 등록해야 하는 이유:
- 한 곳에서 기술 자료 문서를 탐색하고, 지원 사례와 서브스크립션을 관리하고, 업데이트를 다운로드 할 수 있습니다.
- 조직 내의 사용자를 보고, 계정 정보, 기본 설정 및 권한을 편집할 수 있습니다.
- Red Hat 자격증을 관리하고 시험 내역을 조회하며 자격증 관련 로고 및 문서를 다운로드할 수 있습니다.
Red Hat 계정으로 회원 프로필, 기본 설정 및 자신의 고객 상태에 따른 기타 서비스에 액세스할 수 있습니다.
보안을 위해, 공용 컴퓨터 사용 중에 Red Hat 서비스 이용이 끝난 경우 로그아웃하는 것을 잊지 마십시오.로그아웃
At Red Hat, we strive for transparency with our customers. It is who we are. It is what we do. But transparency in product security can be tricky. We must provide our customers with the information they need to make informed decisions without opening ourselves or them up to attacks. With the uptick in software supply chain attacks over the last couple of years, we have harnessed a particular focus on software supply chain security within our Product Security organization.
SLSA: a framework for software supply chains
There are many frameworks out there, such as the Secure Software Development Framework (SSDF), and other NIST publications helping organizations like ours deliver trustworthy environments during our productization process. The Open Source Security Foundation (OpenSSF), in collaboration with several companies including Red Hat, recently published version 0.1 of a new security framework targeted specifically for software supply chains aligned with SSDF—Supply chain Levels for Software Artifacts (SLSA).
For those who are unfamiliar, SLSA is an OpenSSF framework for measuring the security maturity of a software supply chain. It uses a tiered approach (levels 1-4) to evaluate the security controls of a given software supply chain and specific actions the development organization takes during the productization process.
While the framework is still evolving, this marks an exciting addition to a supply chain-specific guidance. The framework allows our customers to have an organized approach to what they are looking for in supply chain security.
Simply asking for a software bill of materials (SBOM) or code-scanning report is too vague and not encompassing. This framework allows novices and experts alike to understand software supply chain security fundamentals such as source version controls, build hardening and isolation, provenance and signing, and dependency control.
How Red Hat incorporates SLSA controls
At Red Hat, we target controls from a myriad of industry frameworks within our productization process. For SLSA, we are focusing on the requirements to attain levels 3 and 4 throughout our pipelines. SLSA controls will make it easier for developers to know their environments are trustworthy and provide our customers with a framework template to ask questions and better understand our security posture as well as their own.
Many SLSA requirements address practices we have instituted for quite some time, such as scripted builds, version controls, and common requirements. However, an open source community-driven framework in a consumable model, like SLSA, is essential to attestation.
We have created the following mapping to help customers, industry partners, and security novices understand the correlation between SLSA and existing frameworks. We will continue to evaluate the SLSA framework, participate in its evolution, and determine what that means for Red Hat. We appreciate the collaboration that made SLSA what it is today, and we look forward to its progress. For those interested in supply chain security, keep an eye out for what Red Hat has in store.
About the author
Emmy Eide started at Red Hat in May 2021, forming then leading the group responsible for software supply chain security at Red Hat. Eide is from the Pacific Northwest in the United States and has been leading in security since 2011.