Securing the Code: Red Hat's Comprehensive Strategies for Software Security
Introduction
Security is a paramount concern for customers and users of computer systems, especially in light of recent attacks on software running on critical systems. Red Hat Product Security plays a central role in ensuring that Red Hat produces secure, high-quality software that meets customers' business needs. Red Hat's Secure Development Lifecycle aligns with the NIST Secure Software Development Framework (SSDF), published as NIST SP 800-218 v1.1.
Red Hat's Secure Development Lifecycle consists of a suite of security controls synchronized with the lifecycle of the Red Hat software portfolio. Different security processes run at different stages of development: controls such as threat modeling apply during the design phase, while others operate during and after implementation. Controls that test the software, whether its source code or the final binary product, are collectively referred to as security testing.
This testing encompasses automated testing, manual testing, evaluation of vulnerabilities reported both internally and by penetration-testing labs, and regression testing. Issues found during scanning and testing are recorded in the appropriate defect-tracking system, and the product management team prioritizes them with guidance from Red Hat Product Security.
How do our security testing practices integrate into the broader context of Red Hat’s secure development?
Numerous controls within the Red Hat Secure Development Lifecycle are security testing practices whose primary purpose is to detect and address vulnerabilities and weaknesses in Red Hat software before it is delivered to customers. We will briefly look at some of these controls below.
Static Application Security Testing (SAST)
Static Application Security Testing (SAST) scans source code with automated tools for known insecure coding patterns and potential security vulnerabilities, without executing the program.
How precise a SAST tool is depends on the scope of its analysis and on the techniques it uses to identify vulnerabilities.
Different levels of analysis include:
- Function level: examining the sequence of instructions in a single function in isolation (intra-procedural analysis).
- File or class level: examining all the functions of one file or class, i.e. the extensible template from which objects are created, together.
- Application level: assessing a whole program, or a group of programs that interact, so that data flows across files and components can be followed.
Red Hat uses all these levels to scan software across the Red Hat portfolio. Because SAST is automated, it generates false positives, which are weeded out through manual analysis; its bounded scope also means it cannot find every flaw, so it complements rather than replaces the other controls. Confirmed issues are addressed according to their severity and their overall impact on the software's security.
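The difference between the analysis levels is easiest to see on a concrete scan. The following is an added example, not a Red Hat tool and not part of the original article: a toy taint-tracking checker built on Python's ast module that flags attacker-controlled input reaching a shell-command sink. The names it relies on are its own assumed conventions: a parameter called request_param is the taint source, shlex.quote() is a sanitizer, and os.system(), eval() and subprocess calls made with shell=True are sinks. Run at function level it reports only the direct flow; run at application level it follows the value through the helper build_cmd and reports the second sink as well.

```python
import ast

# Assumed conventions for this toy checker: a parameter named request_param is the
# taint source, shlex.quote() sanitizes, and these calls are the dangerous sinks.
SOURCE_NAMES = {"request_param"}
SANITIZERS = {"shlex.quote"}
SINKS = {"os.system", "eval"}
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}  # only with shell=True


def call_name(call):
    """'os.system' or 'func' for a Call node, '' when the callee is not a plain name."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def is_sink(call):
    name = call_name(call)
    shell = any(k.arg == "shell" and getattr(k.value, "value", None) is True for k in call.keywords)
    return name in SINKS or (name in SHELL_SINKS and shell)


class Analyzer:
    """Taint tracking over straight-line function bodies (no branches, for brevity)."""
    def __init__(self, module, interprocedural):
        self.functions = {f.name: f for f in module.body if isinstance(f, ast.FunctionDef)}
        self.interprocedural = interprocedural
        self.findings = []

    def tainted(self, expr, env):
        """Does `expr` carry attacker-controlled data, given the tainted names in `env`?"""
        if isinstance(expr, ast.Name):
            return expr.id in env
        if isinstance(expr, ast.BinOp):
            return self.tainted(expr.left, env) or self.tainted(expr.right, env)
        if isinstance(expr, ast.Call):
            name = call_name(expr)
            if name in SANITIZERS:
                return False
            if self.interprocedural and name in self.functions:
                args = [self.tainted(a, env) for a in expr.args]
                return self.returns_taint(self.functions[name], args)
            return False  # function level: a call into other code is opaque, so taint is lost
        return False

    def returns_taint(self, func, args_tainted):
        """Callee summary: does `func` return taint when the flagged arguments are tainted?"""
        params = [a.arg for a in func.args.args]
        env = self.walk(func, {p for p, t in zip(params, args_tainted) if t}, report=False)
        return any(self.tainted(s.value, env) for s in func.body
                   if isinstance(s, ast.Return) and s.value is not None)

    def walk(self, func, env, report):
        """Propagate taint through assignments; report tainted arguments reaching a sink."""
        env = set(env)
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                targets = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                env = env | targets if self.tainted(stmt.value, env) else env - targets
            if report:
                for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                    if is_sink(call) and any(self.tainted(a, env) for a in call.args):
                        self.findings.append((func.name, call.lineno, call_name(call)))
        return env


def analyze(source, interprocedural):
    """Return sorted (function, line, sink) findings for the Python code in `source`."""
    analyzer = Analyzer(ast.parse(source), interprocedural)
    for func in analyzer.functions.values():
        analyzer.walk(func, {a.arg for a in func.args.args if a.arg in SOURCE_NAMES}, report=True)
    return sorted(analyzer.findings)


# Constructed code under test (not Red Hat code); line numbers count from 1.
SAMPLE = '''\
import os, shlex, subprocess

def ping_direct(request_param):
    host = request_param
    os.system("ping -c1 " + host)

def build_cmd(host):
    return "ping -c1 " + host

def ping_via_helper(request_param):
    cmd = build_cmd(request_param)
    subprocess.run(cmd, shell=True)

def ping_quoted(request_param):
    safe = shlex.quote(request_param)
    os.system("ping -c1 " + safe)
'''

if __name__ == "__main__":
    print("function level:   ", analyze(SAMPLE, interprocedural=False))
    print("application level:", analyze(SAMPLE, interprocedural=True))
```

The sanitizer entry is what keeps the checker from flagging ping_quoted, the kind of false positive that real tools still hand to manual triage; the flow through build_cmd is the matching false negative that a function-level scan cannot see, which is why the scope of analysis governs precision.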
Dynamic Application Security Testing (DAST)
Dynamic Application Security Testing (DAST) examines executable code while it runs, rather than reading its source. It aims to uncover vulnerabilities by applying widely used attack techniques to the software's interaction points at runtime.
A DAST run begins by probing an application or web service to discover its API endpoints, which it treats as potential attack surface. The scanning infrastructure then sends known attack payloads and mutated parameters, observes the application's behavior and records its responses. Responses that indicate a problem, along with any other unusual behavior, are reported so that potentially vulnerable interfaces can be pinpointed, classified by the type of attack that triggered them.
While DAST can integrate into any release pipeline, Red Hat has gone further and developed a tool tailored to its software. RapiDAST focuses on effective OpenAPI-driven scanning and is regularly used to scan Red Hat managed services, including console.redhat.com and api.openshift.com, as well as other software distributed by Red Hat.
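To make the procedure above concrete, here is an added example that is neither RapiDAST nor any other Red Hat code: a toy scanner in Python that reads the paths and parameters of a constructed OpenAPI document, sends a few injection and script payloads to each parameter, and classifies each response as a server error or an unencoded reflection. The target is an in-process request handler, constructed for the example, with a string-built SQLite query and an unescaped search echo, next to a fixed version that uses a parameterised query and html.escape. The names app_vulnerable, app_fixed, scan, OPENAPI and PAYLOADS are the example's own assumptions.

```python
import sqlite3
from html import escape

# Constructed target application standing in for a service under test.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def app_vulnerable(method, path, query):
    """Request handler returning (status, body); both data-driven routes mishandle input."""
    if method == "GET" and path.startswith("/users/"):
        user_id = path[len("/users/"):]
        try:  # SQL built by concatenation: the caller controls the WHERE clause
            row = db.execute("SELECT name FROM users WHERE id = " + user_id).fetchone()
        except sqlite3.Error as exc:
            return 500, f"database error: {exc}"
        return (200, f"user {row[0]}") if row else (404, "not found")
    if method == "GET" and path == "/search":
        return 200, f"<p>results for {query.get('q', '')}</p>"  # reflected without encoding
    if method == "GET" and path == "/health":
        return 200, "ok"
    return 404, "not found"


def app_fixed(method, path, query):
    """The same routes with a parameterised query and HTML-escaped output."""
    if method == "GET" and path.startswith("/users/"):
        user_id = path[len("/users/"):]
        if not user_id.isdigit():
            return 400, "bad id"
        row = db.execute("SELECT name FROM users WHERE id = ?", (int(user_id),)).fetchone()
        return (200, f"user {row[0]}") if row else (404, "not found")
    if method == "GET" and path == "/search":
        return 200, f"<p>results for {escape(query.get('q', ''))}</p>"
    return app_vulnerable(method, path, query)  # /health and the 404 are unchanged


# Constructed OpenAPI description of the target; only the fields the scanner reads.
OPENAPI = {"paths": {
    "/users/{id}": {"get": {"parameters": [{"name": "id", "in": "path"}]}},
    "/search": {"get": {"parameters": [{"name": "q", "in": "query"}]}},
    "/health": {"get": {}},
}}
PAYLOADS = {"sqli": ["'", "1 OR 1=1"], "xss": ["<script>alert(1)</script>"]}
ERROR_SIGNATURES = ("database error", "syntax error", "unrecognized token", "Traceback")


def discover(spec):
    """Yield (METHOD, path template, parameters) for every operation in the spec."""
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            yield method.upper(), path, op.get("parameters", [])


def build_request(path, param, value):
    """Put the payload where the parameter lives: in the path or in the query string."""
    if param["in"] == "path":
        return path.replace("{" + param["name"] + "}", value), {}
    return path, {param["name"]: value}


def classify(attack, payload, status, body):
    """Map an observed response to a finding kind, or None when nothing looked wrong."""
    if status >= 500 or any(sig in body for sig in ERROR_SIGNATURES):
        return "server-error"  # the probe broke the backend, whichever class it came from
    if attack == "xss" and payload in body:
        return "reflected"     # the probe came back unencoded
    return None


def scan(spec, send):
    """Fire every payload at every parameter; return sorted, deduplicated findings."""
    findings = set()
    for method, path, params in discover(spec):
        for param in params:
            for attack, payloads in PAYLOADS.items():
                for payload in payloads:
                    real_path, query = build_request(path, param, payload)
                    status, body = send(method, real_path, query)
                    kind = classify(attack, payload, status, body)
                    if kind:
                        findings.add((method, path, param["name"], attack, kind))
    return sorted(findings)


if __name__ == "__main__":
    for name, target in (("vulnerable", app_vulnerable), ("fixed", app_fixed)):
        print(f"{name}: {scan(OPENAPI, target)}")
```

Both payload classes crash the same unparameterised query, so the vulnerable target yields three findings for two root causes; collapsing them is the triage step that follows any scan. A real scanner sends its requests over HTTP, so the payloads must be URL-encoded for the path and query positions, which this in-process target does not need.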
Penetration Testing
Penetration testing is a method in which a trusted team of testers takes the role of an attacker and attempts to compromise a predetermined target. The objective is to identify weaknesses and vulnerabilities proactively, so that they can be fixed before a real attacker exploits the same issues.
The Red Hat Product Security Research team performs penetration testing against Red Hat software, carrying out the following core activities as part of each engagement:
- Pre-engagement Interactions: Initial interactions and planning sessions to define the scope and objectives of the penetration testing.
- Intelligence Gathering: Comprehensive gathering of information related to the target system or application to better understand its architecture and potential vulnerabilities.
- Vulnerability Analysis: In-depth analysis to identify and assess potential vulnerabilities within the target system or application.
- Exploitation: Controlled attempts to exploit identified vulnerabilities, mimicking real-world attack scenarios to understand the system's resilience.
- Post-exploitation: Evaluation of the consequences and impact of successful exploits, including any access gained to sensitive information or degree of system compromise.
- Reporting: Documentation of findings, including identified vulnerabilities, the severity of each issue, and recommendations for remediation.
- Post-testing: Follow-up actions, discussions, and collaboration with stakeholders to verify that vulnerabilities are addressed and the overall security posture is improved.
Conclusion
Addressing software security is a complex problem, requiring various approaches to prevent vulnerabilities from entering the software throughout its lifecycle. At Red Hat, we adopted and now follow a comprehensive approach that employs all of the techniques elaborated in this article to enhance the quality of our software and safeguard our customers. We continuously evaluate their effectiveness and collaborate across the company to apply the best combination of techniques to build upon and enhance the security of our software.
© 2024 Red Hat, Inc.