Red Hat Adds Developer Tools to Extend DevSecOps Reach
Red Hat today expanded its DevSecOps portfolio for building more secure cloud-native applications by adding three tools for developers.
The first of these additions to the Red Hat Trusted Software Supply Chain is the Red Hat Trusted Artifact Signer, a tool for cryptographically signing code that is based on the open source Sigstore project, now being advanced under the auspices of the Open Source Security Foundation. Red Hat Trusted Profile Analyzer is a tool for managing and analyzing the composition of software assets and the documentation of custom, third-party and open source software; it can be used, for example, to automatically generate a software bill of materials (SBOM).
Additionally, a Red Hat Trusted Application Pipeline offering combines the capabilities of Red Hat Trusted Profile Analyzer and Red Hat Trusted Artifact Signer with Red Hat Developer Hub, an internal developer platform based on open source Backstage software originally developed by Spotify, to provide developers with a set of templates and guardrails for building secure applications.
Red Hat Trusted Artifact Signer and Red Hat Trusted Application Pipeline are generally available. Red Hat Trusted Profile Analyzer is available in tech preview, with general availability expected this quarter. The existing elements of the Red Hat Trusted Software Supply Chain portfolio include Red Hat Trusted Application Pipeline, Red Hat Trusted Content, Red Hat Advanced Cluster Security and Quay, an open source registry.
Sudhir Prasad, director of product management for Red Hat Trusted Software Supply Chain, said the goal is to take the DevSecOps capabilities Red Hat currently provides for securing applications after they are deployed and extend them further left, toward developers as they build cloud-native applications.
It’s not clear to what degree application development teams are embracing DevSecOps, but as they transition to building applications using containers, it creates an opportunity to modernize legacy DevOps workflows, noted Prasad. It’s not likely organizations will replace their existing continuous integration/continuous delivery (CI/CD) platforms to implement DevSecOps best practices, so it’s important to meet them where they are in terms of maturity by making available tools they can easily integrate into existing workflows, said Prasad.
For example, Red Hat Trusted Artifact Signer makes it simpler to sign and verify artifacts using a keyless certificate authority that is integrated with the OpenID Connect authentication framework. That approach eliminates the need to manage a centralized key management system.
One way or another, software supply chains are about to become more secure. The European Union (EU) has already defined a set of requirements for securing software supply chains within the Cyber Resilience Act. The U.S., meanwhile, has, via an executive order issued by the Biden administration, required federal agencies to lock down their software supply chains. It’s only a matter of time before more stringent regulations are also applied by U.S. regulatory agencies to organizations building and deploying software in the private sector.
The challenge, as always, is finding a way to achieve that goal without unduly slowing down the pace at which modern cloud-native applications need to be built and deployed in an era where organizations have never been more dependent on software.