订阅内容

Product security is the foundation of our software delivery at Red Hat. Developing open source is extraordinary, and we strive for the best standards since our code is open. While this is a broad subject, my focus is secure development, specifically from the supply chain perspective. 

Security as a culture

As an engineer on the Supply Chain team, the more I dive into software development, the more I have come to understand that security is a culture. It requires collective involvement from everyone in the organization. 

When you create code, you play a role in contributing to your organization's culture.

Securing your code from the beginning means hardening your technology before starting a single line of code. One way to test secure architecture and code is through threat modeling—a core activity that should be implemented in the early design stages that builds trusted platforms with significant value. It’s a fundamental practice that helps to identify flaws before your code becomes a reality. 

This is a simple yet powerful example that expands the concept of security beyond the code. Creating this mindset enables security at the core of your development process, which helps to identify and map weaknesses, clarifies the roadmap and points in the direction of what needs to be fortified. Being immersed in security as a culture can help you express your code in a way that reflects your corporate ideals. 

Secure development best practices

I compare secure development with martial arts. Why? Because, like some martial arts, secure development requires “study, learning, practice, and constant devotion and patience to a master.” Adopting best practices in secure development is fundamental and must become part of your lifecycle. Following this holistic idea, we have the SSDF(Secure Software Development Framework), a set of security-focused and evolving software development practices. Adopting these practices ensures you keep your skills sharp and honed.

The Concise Guide for Developing More Secure Software from the OpenSSF is another list to reference these practices. This guide is part of the Best Practices for Open Source Developers project. It covers an extensive security checklist: ensuring privileges, choosing protected memory languages, improving package management and dependencies, improving code review rules, adding signatures and other insights that may help you build and distribute more secure open source software. This initiative includes earning badges as part of the OpenSSF Best Practices Badge Program. The OpenSSF also has the OpenSSF Secure Software Development Fundamentals, a set of courses designed to jump-start your knowledge in secure development.

Creating a well-defined vulnerability management process enables feedback collection and gap identification, which helps the secure development lifecycle to evolve.

A supply chain perspective

A software supply chain attack can happen when there is a compromise in artifacts, materials or processes used to create software. Supply chain security relies on securing software components and dependencies early in the software development lifecycle, as well as the attestation and validation of each of those processes, to create trusted products and packages that businesses and customers can rely on.

There is an ongoing and growing effort to create best practices and tools to aid the industry in improving risk mitigation against attacks. Some keys to securing software development in the supply chain are recurring themes throughout the best practice recommendations from the CNCF Software Supply Chain Best Practices. As tooling and guides evolve, the supply chain's best practices continue mentioning automation to simplify the process and avoid human errors. We see efforts such as the Supply chain Levels for Software Artifacts (SLSA) on the horizon.

SLSA is a security framework that can help automate your development pipeline to improve the supply chain security maturity, helping your source code have higher integrity and tampering avoidance. SLSA currently has four levels of compliance that can be achieved, with level four being the highest. When implementing the SLSA framework for your project and generating the automated provenance, you will be exposed to more tools, such as sigstore cosign. Sigstore exposes your sources to a signing process that helps in attestation and verification in an automated form.

These guidelines and tools are part of the starting point for securing development from the supply chain perspective.

Conclusion

Secure development is a constantly evolving practice, and it’s better applied as part of the organization's culture. Security best practices can take the development lifecycle to another level, and exploring this will inevitably challenge developers, designers, and architects. 

Like a constantly improving martial art, supply chain security brings to the security floor the quest for achieving even more integrity and trustworthy results in software development and delivery. Empowered by the open source communities, new guidelines and tools are appearing to help improve supply chains across the industry. 

While seeking excellence in this area, organizations, developers, and communities can count on open source projects, tools, and guidelines to quickly evolve and achieve a constantly improving secure software development lifecycle.

Learn more


关于作者

Igor Brandao is a life-long learner who enjoys having a deep understanding of the internal workings of any system, network or electronic device. Brandao has 22+ years of experience in the IT field, with a focus on information security and open source technologies.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

按频道浏览

automation icon

自动化

有关技术、团队和环境 IT 自动化的最新信息

AI icon

人工智能

平台更新使客户可以在任何地方运行人工智能工作负载

open hybrid cloud icon

开放混合云

了解我们如何利用混合云构建更灵活的未来

security icon

安全防护

有关我们如何跨环境和技术减少风险的最新信息

edge icon

边缘计算

简化边缘运维的平台更新

Infrastructure icon

基础架构

全球领先企业 Linux 平台的最新动态

application development icon

应用领域

我们针对最严峻的应用挑战的解决方案

Original series icon

原创节目

关于企业技术领域的创客和领导者们有趣的故事