Software security at Red Hat isn’t a feature or an add-on; it’s something that we approach at a fundamental level, both in the upstream community and in downstream productization. Starting with the release of Red Hat Enterprise Linux more than a decade ago, Red Hat Product Security leads the line to help deliver the certified, signed, supported versions of the open source solutions that comprise the Red Hat value chain.
We provide deployment-ready code at launch, including robust security features. In addition, our security experts proactively monitor, analyze and test for security flaws across the entire lifecycles of our products. The results of their work is then provided via relevant advice and updates through the Red Hat Customer Portal. Customers can call on this expertise for swift responses to software security issues that matter, while avoiding being caught up in a media whirlwind for those that don’t.
Our software security tools and practices don’t remain static, and we seek continuous improvement of our own information-gathering and software security practices. To this end, we have recently announced two key additions to our Product Security practices.
For many years, Red Hat has published a CVSS, or Common Vulnerability Scoring System, score along with our own impact rating for security flaws affecting Red Hat products. CVSS provides a numeric score (0.0 to 10.0) to help rate and show the urgency in which newly-announced vulnerabilities should be patched.
In a blog post last week, we announced that Red Hat has adopted version 3 (v3) of CVSS, which gives a security practitioner better dials and adjustments to get a more accurate representation of a risk presented by a software flaw. Under previous versions, it was challenging to express how software was vulnerable when the underlying host/operating system was only partially/minimally impacted. The latest version improves upon this by scoring vulnerabilities that exist in one software component but impact separate software, hardware or networking technologies.
While Red Hat doesn’t rely solely on CVSS (we use it as a guideline alongside our own vulnerability rating system), the improvements upon the scoring system with CVSSv3 are certainly needed and should provide one more piece of information to help Red Hat customers determine the impact and severity of a given flaw on their critical systems.
Security Data API
For more than 11 years, Red Hat has provided vulnerability and software security-related information to customers and users via our Security Data page. While useful (and at times critical) to our customers, to effectively use the data required multiple, large file downloads. A parser was also needed to consume the data and, if you were looking for certain criteria within the data, you had to build that criteria into your parser, adding more complexity to an already complex process.
To help streamline and make this entire process more efficient, we have launched our Security Data API service. While this does not remove the need for a parser (you need something to handle the provided data), it offers many new search options, enabling end users to leverage the API for real time data.
So what can you obtain with the Red Hat’s Security Data API?
CVE information for affected components in Red Hat supported products
Common Vulnerability Reporting Framework (CVRF) documents
Open Vulnerability Assessment Language (OVAL) definitions that can be used to analyze systems for the presence of the vulnerability
Additionally, all of this data is provided in JSON format for easier parsing as well as XML, making it easier to consume this critical information in multiple ways. Currently in beta, the API is available for anyone to use.
We strongly believe that the addition of CVSSv3 scoring and our Security Data API service can greatly help our customers gain more information and more insight into the security status of their critical systems. Additionally, we have also conducted an internal assessment of our responses to vulnerabilities in Red Hat software. The results indicate Red Hat’s overall responsiveness to security issues, showing that:
In 2015, 99 percent of Critical vulnerabilities in Red Hat products were addressed within a week of the issue being public.
In 2015, 96 percent of the Critical issues found in Red Hat Enterprise Linux had updates available the same or next day after the issue was public.
This data, along with the new additions to our reporting toolbox, show our continued commitment to innovation and provide a high quality of security service to our customers. Red Hat’s software security model and our dedicated Product Security team remain powerful and relevant assets for Red Hat customers, the open source community and enterprise IT, offering a clear example of how to do open source security correctly and effectively.