Red Hat Embraces DevSecOps
When DevOps sped up deployment and update rates to unheard-of speeds. We loved it. When our security blunders accelerated at the same pace, we weren’t so happy. So, DevSecOps was created to bring security into the production cycle’s beginning. Now, at Red Hat Summit in Boston, Linux and cloud power Red Hat is embracing DevOpsSec security throughout its product and service lineup.
Now, if you’re a Linux admin, you already know Red Hat is the leading Linux security company. The first place you look when you hear about a new security bug is the Red Hat Security Center, even if you’re running Debian or Ubuntu. Moving forward, Red Hat is bringing its attention to security and is introducing a software supply chain security pattern across hybrid cloud environments. This means from on-premises to multicloud to the edge and the entire software stack.
Software Supply Chain Security Pattern
How? By delivering via Red Hat OpenShift, complete pattern stacks as code that defines, builds, and tests the necessary software configurations. While only a preview today, this software supply chain security pattern brings together the components you need to build your cloud native applications from trusted components.
It does this by using a Kubernetes-native, continuously-integrated pipeline through Red Hat OpenShift Pipelines and Red Hat OpenShift GitOps. This will let you make software safer while managing version control, helping to reduce complexity and save time.
“IT security isn’t tied to a software edition or an add-on module; it needs to be baked into whatever technology an organization chooses, starting from the operating system foundation to the application level,” said Vincent Danen, vice president, Product Security, Red Hat. “This is Red Hat’s commitment to DevSecOps — making security not something bolted on, but a seamless integral part of moving applications from development to production to assist IT teams, both technically and organically.”
Additionally, through Tekton Chains, the pattern will incorporate Sigstore. This open source project makes cryptographic code-signing easier. Already adopted in Kubernetes 1,24, Sigstore makes it easier for artifacts to be signed in the pipeline itself rather than after application creation. By moving security left, it improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries. Once signed, the signing record is kept in a tamper-proof public log. The sigstore will be free to use by all developers and software providers. This gives software artifacts a safer chain of custody that can be secured and traced back to their source.
Ansible, Cluster Security for Kubernetes
In a related development, with Red Hat Ansible Automation Platform 2.2, Red Hat is introducing a technical preview of Ansible content signing technology. This enables you to validate that the automation content being executed is verified and trusted.
In production, this will be rolled out in Red Hat Advanced Cluster Security for Kubernetes. This will include:
- Automated DevSecOps in the CI/CD pipeline to help protect the software supply chain for edge environments through vulnerability management, application configuration analysis and CI/CD integration
- Threat protection provides threat detection and incident response capabilities at runtime for common threats
- Network segmentation to enforce workload isolation, analyze container communication and detect risky network communication paths
If you’re using Red Hat Enterprise Linux (RHEL), and let’s face it, if you’ve read this far, chances are you’re running RHEL, or one of its close cousins, the new RHEL 9 comes with bigtime security improvements. These include:
Additional key security features in Red Hat Enterprise Linux 9 include:
- Enhanced security around root privileges by disabling root login via SSH by default. This helps to prevent the discovery of root passwords through brute force attacks and improves baseline security postures of an operating environment.
- Support for the latest cryptographic frameworks with the integration of OpenSSL 3. This enables IT teams to enact new ciphers for encrypting and protecting sensitive information.
- Bolstered security best practices by disabling the cryptographically-broken SHA-1 hash function by default for digital signature, driving improved security hygiene.
Put it all together and while most of Red Hat’s DevSecOps are still works-in-progress, the future is looking secure in the Red Hat-based cloud future.