In today’s enterprise-computing environment, it’s quite easy to exploit data? In fact, implementing security-conscious software is a battle every company faces. 

These risks are labeled as “watering hole” attacks, a cyber-assault aimed at a specific organization, according to Vincent Danen (pictured), vice president of product security at Red Hat Inc., who said that Red Hat is entering the software supply chain business. This began as an attempt to satisfy its own curiosity before productizing solutions to clients. 

“We wanted something that was useful for us but consistent across the board, because it makes it easier for us to support customers who are largely doing the same thing,” Danen said.

Red Hat created its own product, called Sigtore, that can be used to authenticate the source when building software. Sigstore is “broader in that anybody can use it for their own software development, for their own validation, so when it comes to something like the trusted application pipeline, using Sigstore in there means that you don’t have to stand up your own hardware signing module,” Danen explained. 

Danen spoke with theCUBE industry analysts Paul Gillin and Rob Strechay at Red Hat Summit, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed Red Hat’s addressing the strong demand for more secure offerings. (* Disclosure below.)

Both sides of the coin

With a large corporation like Red Hat, its resource availability outnumbers most. When it gets down to the small business-owner level, on who will fix the vulnerability, test it and ship to the customer, it can be quite expensive to do it yourself, Danen pointed out. 

Red Hat also is productizing software bill of materials, which can assist partners in addressing vulnerabilities.

“You’ll be able to see what version, what license, what components and all of those things are there, which is crucial to understand,” Danen said. “If there is a vulnerability, I need to know where it is.” 

With this discovery mechanism, it does not allow you to mitigate the situation — or if vulnerabilities exist within any of those mechanisms as well. However, once aware of the vulnerability, then organizations can see there’s a vulnerability in a component and where it is in the environment. That’s the benefit of the SBOM — the discoverability part for the software, Danen explained. 

Regardless of whether the software is proprietary or open source, vulnerabilities can still exist, but open-source has the advantage, Danen added.

“There’s a vulnerability that they decide they’re not going to fix, you don’t know about it. You can’t compensate accordingly, right? It’s an unknown-unknown. At least with open source, it is a known-known vulnerability. Even if it’s not fixed, you can do something about it, which isn’t the same for proprietary,” he said.

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of Red Hat Summit:

(* Disclosure: Red Hat Inc. sponsored this segment of theCUBE. Neither Red Hat nor other sponsors have editorial control over the content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE