The application development world is evolving rapidly and it is critical that your software supply chain maintains a level of security that is up to date with modern practices. Cybersecurity threats are becoming increasingly complex by the day, so organizations need robust, integrated solutions/frameworks in place to support the integrity and security of their software workloads in each phase of the software development lifecycle. To help answer this need, here comes the powerful combination of Jenkins (CI/CD Pipeline), Red Hat Trusted Artifact Signer, and Red Hat Trusted Profile Analyzer – an end-end combination that offers a new way to look at software supply chain security.
The Challenge: A Vulnerable Supply Chain
An organisation’s software supply chain has become the main target for cybercriminals. From exploiting vulnerabilities in open source components to tampering with artifacts in build systems, there are many potential attack vectors and it's very difficult to detect, usually only after the system has been compromised. Traditional security practices, while still relevant, are no longer enough on their own. Organizations need a more comprehensive, tightly integrated framework to address security guardrails at each and every stage of the software development lifecycle.
The Solution: Jenkins + Red Hat Trusted Artifact Signer + Red Hat Trusted Profile Analyzer
By combining Red Hat's latest innovative security tools Red Hat Trusted Artifact Signer and Red Hat Trusted Profile Analyzer with Jenkins, one of the world’s most popular CI/CD pipeline, we can create a software supply chain that maintains higher levels of security and transparency. Let's break down why this combination is so powerful and why you should take it seriously:
1. Automation and Flexibility with Jenkins
Jenkins as a tool for Continuous Integration and Continuous Delivery (CI/CD) has a high customer reputation, community and brand. It offers flexibility and an extensive plugin marketplace making it an ideal tool for building pipelines with stronger security postures. With Jenkins, you can:
- Scale your CI/CD pipeline and resource as the project grows
- Integrate a wide range of tools and services
- Automate build, test, and deployment process
- Customize your pipeline to meet specific/industry standard security requirements
2. Ensuring Artifact Integrity with Red Hat Trusted Artifact Signer
Red Hat Trusted Artifact Signer enhances software supply chain security by simplifying cryptographic signing and verifying of software artifacts, such as container images, binaries and documents. Based on the open-source Sigstore project, the solution provides:
- Greater authenticity and integrity by increasing trust on artifacts through auditable logs, secure signing mechanisms, and user identity verifications that enhance the transparency and accountability of the software supply chain. Cryptographic signing provides integrity, non-repudiation and authentication of artifacts.
- Reduced complexity by eliminating the need for maintaining a key management system that mitigates potential tampering with artifacts and containers. We provide identity-based signing through our integration with OpenID Connect (OIDC). This provides easy integration with existing key management systems to authenticate and verify artifacts and containers.
- Improved compliance by meeting signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) standards. Provenance is generated automatically as part of the build process in Red Hat Trusted Application Pipeline, for enterprise contracts integrated with cryptographic signatures to establish a non-repudiable chain of custody, and verify pipeline compliance to industry requirements (SLSA) are met.
By incorporating Red Hat Trusted Artifact Signer into your Jenkins pipeline, you can have greater confidence that every artifact produced is cryptographically signed and verifiable.
3. Vulnerability Management with Red Hat Trusted Profile Analyzer
Red Hat Trusted Profile Analyzer, part of Red Hat Trusted Software Supply Chain, manages your organization’s SBOMs, vendor VEX and CVE providing developers and DevSecOps teams with analysis of the organization’s risk profile. This analysis includes custom, third party, and open source software, or software components—for a shared system of record without slowing down development or increasing operational complexity. As a productized version of Red Hat's open-source Trustification project, the offering enables you to:
- Build greater trust in your application’s codebase: More quickly access vulnerability fixes and trusted, verified content without deviating your attention from building code. Choose the right dependencies for your source code and verify that possible threats are not left unchecked.
- Get valuable insights and recommendations: Simply identify direct and transitive dependencies, monitor exploitable vulnerabilities, and create an incident response framework to limit security incidents from appearing in your production workloads.
- Save and retrieve your security documentation: More easily share security documentation (SBOM, VEX) for your source code, artifacts, and container images across the organization to help confirm that the right, verified components are used in your application codebase.
By integrating Red Hat Trusted Profile Analyzer into your Jenkins pipeline, you can gain real-time insights into the vulnerabilities in your open source packages and components.
Real-World Impact
The impact of implementing this integrated solution can be significant:
- Reduced Risk: By enhancing the security of your entire supply chain, you can dramatically reduce the risk of successful attacks, protecting your organization's reputation and bottom line.
- Faster Time-to-Market: With stronger security integrated into your CI/CD pipeline, you can catch and address issues earlier, potentially avoiding costly delays later in the development cycle.
- Improved Compliance: The transparency and auditability provided by this solution make it easier to demonstrate compliance with various regulatory standards.
- Enhanced Trust: Customers and partners can verify the integrity and provenance of your software, building trust in your products and services.
- Cost Savings: By catching vulnerabilities early and automating security processes, you can significantly reduce the cost of addressing security issues.
Don't wait for a security breach to highlight the vulnerabilities in your software supply chain. Take steps now to improve the security stance of your software development cycle and better protect your organization while also building trust with your customer base.
For more details on this, follow this learning exercise.