Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Red Hat Software Programming Security

Red Hat Upgrades Its Pipeline-Securing (and Verification-Automating) Tools (siliconangle.com) 11

SiliconANGLE reports that to help organizations detect vulnerabilities earlier, Red Hat has "announced updates to its Trusted Software Supply Chain that enable organizations to shift security 'left' in the software supply chain." Red Hat announced Trusted Software Supply Chain in May 2023, pitching it as a way to address the rising threat of software supply chain attacks. The service secures software pipelines by verifying software origins, automating security processes and providing a secure catalog of verified open-source software packages. [Thursday's updates] are aimed at advancing the ability for customers to embed security into the software development life cycle, thereby increasing software integrity earlier in the supply chain while also adhering to industry regulations and compliance standards.

They start with a new tool called Red Hat Trust Artifact Signer. Based on the open-source Sigstore project [founded at Red Hat and now part of the Open Source Security Foundation], Trust Artifact Signer allows developers to sign and verify software artifacts cryptographically without managing centralized keys, to enhance trust in the software supply chain. The second new release, Red Hat Trusted Profile Analyzer, provides a central source for security documentation such as Software Bill of Materials and Vulnerability Exploitability Exchange. The tool simplifies vulnerability management by enabling proactive identification and minimization of security threats.

The final new release, Red Hat Trusted Application Pipeline, combines the capabilities of the Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's internal developer platform to provide integrated security-focused development templates. The feature aims to standardize and accelerate the adoption of secure development practices within organizations.

Specifically, Red Hat's announcement says organizations can use their new Trust Application Pipeline feature "to verify pipeline compliance and provide traceability and auditability in the CI/CD process with an automated chain of trust that validates artifact signatures, and offers provenance and attestations."
This discussion has been archived. No new comments can be posted.

Red Hat Upgrades Its Pipeline-Securing (and Verification-Automating) Tools

Comments Filter:
  • by AcidFnTonic ( 791034 ) on Saturday April 20, 2024 @12:25PM (#64410490) Homepage

    I say we call it JiaTan.

  • They would obviously prefer no one ever gets to see their source files, the GPL notwithstanding. So it has to find other ways of marketing product security that don't involve any non Red Hat employees.

    I miss the old Red Hat.

  • This means production workloads can rely on the Rekor public instance, which has a 24/7 oncall rotation supporting it and offers a 99.5% availability SLO for the following API endpoints

    (Rekor README [github.com])

    And that is the key reason to stay far, far away: this system is yet another identity service which happens to be supported by software. Like most identity services, they have carefully constructed it to ensure that the user receives no actual proof of identity. That proof resides on a ledger in some cloud ser

  • Red Hat (and parent company IBM) proudly advocate that white people are evil, does this mean software packages written or maintained by "white" people are untrusted and should be banned? I'm only half joking, as I would not be surprised if they apply their racist views to this part of their work too. For anyone who's interested in Red Hat / IBM and their DEI / CRT / Woke views, just Google "Lunduke Red Hat". Bryan Lunduke can tell you all about this hot mess on YouTube.

Keep up the good work! But please don't ask me to help.

Working...