Red Hat Inc. has continuously worked to ensure its security parameters and approaches remain practical and up to date, from the core app file systems to containerization.
The company is mainly on the front foot with respect to automated deployment and containerized applications through its Red Hat Advanced Cluster Security solution, according to Kirsten Newcomer (pictured, left), director of cloud and DevSecOps strategy at Red Hat.
“So, a Kubernetes-native security solution with the ability to help shift security left for the developers by integrating into the supply chain,” Newcomer said. “It also provides a SecOps perspective for the operations and the security team and feeds information between the two in a closed infinity loop.”
Newcomer and Jim Mercer (pictured, right), research director for DevOps and DevSecOps at IDC, spoke with theCUBE industry analysts Dave Vellante and Paul Gillin at Red Hat Summit during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the technology acquisitions Red Hat has made to bolster its security stack for developers and customers. (* Disclosure below.)
Filling the DevSecOps gap
Strategic acquisitions are a staple of corporate strategy, and the enterprise technology space is no exception. Companies use them to shore up technical areas where they are perceived to be lacking. For Red Hat, one such acquisition has been StackRox, which the company renamed Red Hat Advanced Cluster Security.
With a demonstrable track record of tools built to stop escapes from application containers into the main file systems, Red Hat is pushing the shift-left security approach further. Deploying these tools should let organizations catch vulnerabilities and security flaws at the earliest stage of development, according to Newcomer.
“In fact, even in the IDE, Red Hat CodeReady Dependency Analytics does that so that the developers are part of the solution and don’t have to wait and get their apps stalled just before it’s ready to go into deployment,” Newcomer explained.
The interplay between software supply chains and open source
IDC is a global market intelligence firm that tracks computing trends such as security attacks, developer community signals and the prevalence of open-source software. A large portion of the applications being developed consist predominantly of code sourced elsewhere, which presents its own set of security realities, according to Mercer.
“So I not only have the innovation of my developers, but I can expand that. I can take the innovation to the community and bring that in and do things much quicker,” he added.
Given that circumstances such as the ongoing pandemic have forced organizations to innovate and transform rapidly, they have turned to open source to expedite the process. Hence the importance of the software “bill of materials” (SBOM), an accounting of the various components that have gone into a piece of software, according to Mercer.
“The bad guys now realize that we’re all taking in a lot of open-source code and they’re saying, ‘Geez, that’s a great way to get myself into applications.’ If they can infiltrate this one open-source component, it opens the doors to thousands or more applications. So it’s a fast path into the supply chain,” Mercer explained.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the Red Hat Summit event:
(* Disclosure: TheCUBE is a paid media partner for Red Hat Summit. Neither Red Hat Inc., the sponsor for theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)