
Secure software development at Red Hat

Red Hat Product Security works with our engineering teams to promote secure software development, enabling high-quality software that meets our customers’ business needs and government and compliance requirements. Red Hat’s secure development lifecycle and approach align directly with industry frameworks and requirements such as the NIST Secure Software Development Framework (SSDF, published as NIST SP 800-218) and SLSA, as well as guidance from OWASP and ISO standards.

Red Hat manages software security by establishing secure software development practices that engineering teams use to reduce vulnerabilities in released software, harden the software supply chain to minimize opportunities for attack, mitigate the potential impact of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrence.

For more details, see:

Overview of Red Hat's SDL practices

Security in the software development lifecycle

As part of the secure development lifecycle (SDL), Red Hat uses both manual and automated techniques to assess our software, including threat modeling, penetration testing, and static and dynamic code analysis (SAST and DAST).

Structured testing includes automated testing, manual testing, vulnerability testing, and regression testing. Select software undergoes more rigorous security testing beyond this, depending on the applicable compliance framework or certification.

All discovered issues are tracked and prioritized by product management with guidance from Red Hat Product Security. Because our code is open source, customers can also access the source code to conduct their own validation.

Security assessments on the software supply chain are also critical to Red Hat’s SDL work. We closely monitor, harden, and patch the systems in our software supply chain, aligning with industry best practices.

Read more about Red Hat's comprehensive software security strategies

Red Hat's core values of freedom, accountability, courage, and commitment are at the center of our processes and interactions with each other and our customers. In Product Security at Red Hat, we apply this open approach to create a Product Security Partnership to facilitate collaboration on security issues directly related to the software supply chain.

In the Product Pipeline Partnership Security Program, we have a baked-in business process to address security issues, both proactively and reactively. We identify key contact points and escalation paths, foster cross-functional business relationships, and ensure workstream priorities are unambiguous.

With a clear process outlined and key people identified, engagement and awareness increase across the supply chain. This leads to a more efficient security response to supply chain issues while creating a sense of collaboration and partnership across an organization. By using this collaborative model, security can focus on increasingly proactive activities in the supply chain while shifting the perception of security from blockers to partners.