Security in the Red Hat product pathway
Red Hat’s commitment to prioritizing security and compliance draws from our open source security principles, applied throughout the entire product pathway. This article describes the controls implemented in each phase.
The product pathway follows a phased approach in which each phase applies specific controls. Applying those controls in every phase, from start to finish, is essential to meeting the engineering requirements set by security regulations and standards.
The security principles incorporate the following phases:
- Planning
- Design
- Development
- Testing
- Release
- Maintenance
Planning
The planning phase involves compliance reporting, security initiatives, and training. This includes collaboration with others in the security industry.
- Compliance activities - For nearly two decades, Red Hat has helped public and private entities adapt to changing IT security requirements and concerns by achieving a wide range of security validations for our products in global markets and by providing actionable information that helps organizations improve their system security footprint.
- Red Hat supports customers with the tools and guidance needed to meet sensitive-computing compliance requirements and secure their IT systems.
- Government standards - Red Hat works to align with industry regulatory requirements and best practices by achieving a wide range of cybersecurity validations for our products and by providing actionable information for organizations to improve their system security footprint.
- Industry collaboration - Red Hat works with the security industry to help with the development and implementation of best security practices. For example, Red Hat is a consistent participant in the Open Source Security Foundation (OpenSSF). Red Hat also releases product security tools upstream so that the whole community can benefit. For example, OpenLCS, OSIDB, and RapiDAST are all security tools that Red Hat has developed and made freely available.
- Secure training - Product Security helps to verify that Red Hat associates understand their responsibilities and roles in the productization of software and services, providing meaningful role-based security training for all levels.
Design
The design phase provides information regarding Red Hat’s security practices.
- Software composition analysis (SCA)/SBOM design - Red Hat uses software composition analysis (SCA) to understand thoroughly how open source software is built before it is introduced into the Red Hat productization pipeline.
- Threat Modeling - Red Hat performs threat modeling during design and development as part of its SDL practices. Threat modeling is used to identify and rate potential threats to software together with the systems for which the software is designed.
Development
The development phase provides information regarding the security measures taken during the development process.
- Code audits - Red Hat Product Security Architects perform security audits of software code and functionality where required.
- Malware scans - Malware detection is integrated into the Red Hat productization pipeline, as well as in our software and services release mechanism, helping to make sure that the artifacts shipped to our customers are malware free.
- Static Application Security Testing (SAST) - SAST tools are used during development to review the software's source code for weaknesses that may have been introduced during development of the product.
- Secure pipeline - Red Hat's productization pipeline (build software, services, tools, and infrastructure) is strictly controlled against tampering and unauthorized access.
Testing
The testing phase provides information regarding Red Hat’s security testing processes.
- Dynamic Application Security Testing (DAST) - Red Hat uses DAST during testing to observe how the software behaves within a system environment. DAST can identify runtime and environment-related issues, such as misconfiguration, that are difficult to detect in source code, allowing the discovery of exploitable vulnerabilities that can occur once the system is live.
- Pentesting - Red Hat's Penetration Testing Framework, using both manual inspection and automated testing, is built specifically for Red Hat products and services. The framework allows Red Hat to identify possible attack weaknesses or vulnerabilities during the testing phase, so that they can be fixed prior to release.
- Regression testing - Every new release of Red Hat software and services is run through a series of tests to confirm that existing functionality still works as intended and that no new security vulnerabilities have been introduced by the updates.
- Security Architecture Review (SAR) - To support the implementation of planned and expected security controls, Red Hat conducts a full SAR of the software or service's security posture prior to release.
Release
The release phase provides information on Red Hat’s software security measures.
- Attestation - Red Hat provides Attestations for its software, demonstrating that Red Hat is following a Secure Development Lifecycle (SDL) process and that our software meets Secure Software Development Framework (SSDF) requirements.
- Certifications / FedRAMP - To help agencies minimize risk while also empowering them to scale cloud-native innovation, Red Hat achieves commercial and industry-specific certifications and authorizations, including FedRAMP.
- CSAF-VEX - Red Hat uses open data formats such as OVAL, CSAF, and SPDX. This allows Red Hat to support customers and partners with a long-term security data strategy, including vulnerability (VEX) and SBOM content.
- Malware scans - Malware detection is integrated into the Red Hat productization pipeline, as well as in our software and services release mechanism, helping to confirm that the artifacts shipped to our customers are malware free.
- Secure delivery - Content signing is critical: it validates that the software content you received is what Red Hat intended to provide, and that the content is authentic and has not been tampered with:
  - Private keys are stored in hardware with limited direct access
  - Explicit access and authorization controls are used for every signature
  - All software is signed; RPMs are automatically validated prior to installation
- Software Bill of Materials (SBOM) - Red Hat's SBOMs provide clear manifest and attestation information. Using a consolidated component registry, the Red Hat portfolio can consistently build and deliver an SBOM for each software product or service.
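As an added example (not Red Hat code or any Red Hat tool), the following Python reads a constructed, minimal CSAF 2.0 VEX document and resolves a product's status for a CVE, the way a consumer of the CSAF-VEX data mentioned above would; the vendor, product IDs, CVE number and tracking ID are placeholders.

```python
import json

# Constructed, minimal CSAF 2.0 VEX document (not a real Red Hat advisory):
# the vendor, product IDs, CVE number and tracking ID are placeholders.
SAMPLE_CSAF_VEX = json.loads("""
{
  "document": {"category": "csaf_vex", "tracking": {"id": "EXAMPLE-VEX-0001"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "ExampleVendor", "branches": [
      {"category": "product_name", "name": "Example OS 9",
       "product": {"product_id": "EXOS-9", "name": "Example OS 9"}},
      {"category": "product_name", "name": "Example OS 8",
       "product": {"product_id": "EXOS-8", "name": "Example OS 8"}}
    ]}
  ]},
  "vulnerabilities": [
    {"cve": "CVE-0000-00001",
     "product_status": {"fixed": ["EXOS-9"], "known_not_affected": ["EXOS-8"]}}
  ]
}
""")

# The CSAF product_status groups this example checks; a product appears in
# at most one of them for a given vulnerability.
STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")

def product_names(tree):
    """Walk the nested product_tree branches and map product_id -> name."""
    names = {}
    for branch in tree.get("branches", []):
        prod = branch.get("product")
        if prod:
            names[prod["product_id"]] = prod["name"]
        names.update(product_names(branch))  # sub-branches use the same shape
    return names

def vex_status(doc, cve, product_id):
    """Return the VEX status of product_id for cve, or None if it is not listed."""
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        status = vuln.get("product_status", {})
        for key in STATUS_KEYS:
            if product_id in status.get(key, []):
                return key
    return None
```

A product missing from every status group for a CVE yields None, which should be treated as "unknown" rather than "not affected" when prioritizing updates.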
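The consumer-side counterpart of the RPM auto-validation described under secure delivery is the gpgcheck setting in the dnf/yum repository configuration. This added Python example (not a Red Hat tool) audits a constructed repo file and flags enabled repositories that would install RPMs without verifying their signatures; the repo IDs, URLs and key path are placeholders.

```python
import configparser

# Constructed dnf/yum repository configuration (not from a real system):
# the repo IDs, URLs and key path are placeholders. The first repo enforces
# signature checking; the second would install unsigned RPMs.
SAMPLE_REPO_CONFIG = """
[example-baseos]
name=Example BaseOS
baseurl=https://mirror.example.invalid/baseos/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-extras]
name=Example Extras
baseurl=https://mirror.example.invalid/extras/
enabled=1
gpgcheck=0
"""

def audit_repo_config(text):
    """Return {repo_id: [findings]} for enabled repos whose packages would
    be installed without a verified signature."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for repo in parser.sections():
        if repo == "main":        # [main] holds global options, not a repo
            continue
        sec = parser[repo]
        if sec.get("enabled", "1") != "1":
            continue
        problems = []
        if sec.get("gpgcheck", "0") != "1":
            problems.append("gpgcheck is not 1: RPM signatures are not verified")
        if not sec.get("gpgkey"):
            problems.append("no gpgkey: no trusted key to verify signatures against")
        if problems:
            findings[repo] = problems
    return findings
```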
Maintenance
The maintenance phase provides information about the various measures and resources Red Hat uses to report, collaborate on, investigate, and manage vulnerability responses for Red Hat products.
- CISA reports - CISA publishes Cyber Threats and Advisories, which “offers the latest cybersecurity news, advisories, alerts, tools, and resources.”
- Common Vulnerabilities and Exposures (CVE) pages - Red Hat maintains a CVE database with an entry for each CVE that affects Red Hat software. CVE pages in the database contain detailed vulnerability information and metrics, as well as release information for updated components.
- Industry collaboration with MITRE - MITRE is a US-based, not-for-profit organization that develops various security and safety standards. Red Hat collaborates with MITRE in industry working groups (CVE, CWE, CAPEC) to support security standards that are openly developed and freely applied and used by the community.
- Logging, monitoring, scanning - The infrastructure and tooling used to build Red Hat products have logging enabled and are monitored and scanned for malicious activity.
- Root CNA - Red Hat has operated as a CVE Numbering Authority (CNA) for over 20 years, assigning new CVE IDs to new vulnerabilities. As a Root CNA, Red Hat has increased its involvement and commitment to the security community.
- Security data - Red Hat Product Security is committed to providing tools and security data that support security measurement.
- Vulnerability/weakness management - The Product Security team responds quickly to incoming vulnerabilities with responses tailored to Red Hat products. Red Hat publishes security-specific errata to clearly communicate which updates contain security-related fixes, so customers can better understand and prioritize the updates they consume. Red Hat also gives customers insight into which versions of its software they need to be running and supports transparency about security flaw fixes.