To help organizations detect vulnerabilities early, Red Hat has announced an update to its Trusted Software Supply Chain that, as SiliconANGLE reports, "allows organizations to move software supply chain security 'left'."

Red Hat first announced and promoted its Trusted Software Supply Chain in May 2023 as a way to address the growing threat of software supply chain attacks. The service protects software pipelines by verifying the origin of software, automating security processes, and providing a secure catalog of verified open source software packages. Thursday's updates aim to improve customers' ability to embed security into the software development lifecycle, increasing software integrity early in the supply chain while also adhering to industry regulations and compliance standards.

The updates start with a new tool called Red Hat Trusted Artifact Signer. Based on the open source Sigstore project (founded at Red Hat and now part of the Open Source Security Foundation), Trusted Artifact Signer lets developers cryptographically sign and verify software artifacts without managing central keys, increasing trust in the software supply chain.

The second new release, Red Hat Trusted Profile Analyzer, provides a central source of security documentation such as software bills of materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) documents. The tool simplifies vulnerability management by letting organizations proactively identify and minimize security threats.

The final new release, Red Hat Trusted Application Pipeline, combines Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's internal developer platform to provide an integrated, security-focused development template. It is intended to standardize and accelerate the adoption of secure development practices within an organization.

Specifically, Red Hat says organizations can use the new Trusted Application Pipeline feature to "verify pipeline compliance, verify artifact signatures, and create automated trust chains that provide provenance and attestation," which "provides traceability and auditability of CI/CD processes."
Read more about this article on Slashdot.