Red Hat Strengthens DevSecOps for OpenShift Platform
Red Hat today made available a preview of patterns for the Red Hat OpenShift platform that promise to make it simpler to secure software supply chains.
The patterns, announced at the Red Hat Summit 2022 event, make use of Red Hat OpenShift Pipelines and Red Hat OpenShift GitOps for version control and Tekton Chains to take advantage of sigstore, an open source project aimed at making cryptographic signing of code more accessible. That approach makes it easier for artifacts to be signed in the pipeline as they are added to a DevOps workflow.
The patterns also complement an update to the Red Hat Ansible Automation Platform that adds a technical preview of content signing technology. In addition, a range of security technologies has been added to Red Hat Enterprise Linux (RHEL) 9, including tighter protection of root privileges by disabling root login via SSH by default, and support for the latest cryptographic frameworks through integration with OpenSSL 3.
RHEL 9 lays the foundation for runtime integrity verification of the operating system and application files by providing file digital signatures within RPM packages. It uses the Integrity Measurement Architecture (IMA) at the kernel level to verify individual files and their provenance. IMA file verification can detect both accidental and malicious modifications to systems.
Additionally, Red Hat and IBM Research are collaborating to expand the core security aspects of the Linux kernel by adding, for example, an ability to sign and verify elliptic curve digital signatures.
Kirsten Newcomer, director of cloud and DevSecOps strategy for Red Hat, says the goal is to make it easier to define, build and test the software configurations required to create and deploy cloud-native applications based on trusted components.
While there are plenty of container security issues that organizations need to address, applications built using containers are generally more secure than monolithic applications; it is easier to rip and replace a vulnerable container than it is to patch a monolithic application. However, cybercriminals have begun to expand their efforts to compromise the platforms used to build applications as part of an effort to inject malware before apps are even deployed.
Red Hat is moving to better secure Red Hat OpenShift to prevent applications from being compromised as they are being developed, said Newcomer. For example, Red Hat already makes available a Red Hat Advanced Cluster Security for Kubernetes solution to detect threats and enforce network segmentation across a cluster.
It’s not clear to what degree IT teams will be upgrading software supply chain components to improve security, but in the wake of a series of high-profile breaches, focus on the issue has intensified. In addition to shifting more responsibility for application security left toward developers as part of a set of DevSecOps best practices, IT teams are realizing the need for more automated guardrails incorporated within application development platforms to ensure security.
Naturally, it may take a while for IT organizations to master all the nuances of DevSecOps workflows, but at the very least, the tools required to achieve that goal are starting to fall into place.