Benefits of DevSecOps
• Fast development. With short feedback loops, product managers and developers find out sooner if they are off course so that they can swiftly make corrections.
• More security by default. Fully automated risk characterization, mitigation, and monitoring across the application life cycle help decrease risk.
• Operational excellence. Software is built on a foundation of resilience, including trusted code repositories and site reliability engineering (SRE).
Deploy at the speed of operations
Mission and user needs change frequently—and sometimes suddenly. Deploying new software at the “speed of operations” requires trust that the software is compliant, high-quality, more secure by default, and observable.
Practices like test-driven development (TDD) and continuous integration/continuous delivery (CI/CD) promote a DevSecOps culture and build trust. But introducing these practices is one thing and enforcing them is another. Imagine that a development team leader implements an end-of-day process for team members to check in code, test, send the test report to management, and deploy code to a shared environment if the tests succeed. What if a team member checks in and deploys code, skipping the steps in between? Even when teams have the best intentions, making sure they do the right things is difficult without development guardrails.
A trusted software supply chain (TSSC) provides those guardrails by accelerating and enforcing the right behaviors (see sidebar).
The value of a trusted software supply chain
Software teams, business leaders, and users can trust that software produced by a TSSC meets the agency’s standards for:
• Security. Applications do not act maliciously and have defenses to protect them from malicious actors.
• Compliance. Applications adhere to required controls.
• Privacy. Applications protect sensitive information that should not be shared.
• Transparency. Applications produce metadata—for example, about health and security posture—so that software behavior is observable and verifiable.
Trust that software complies with your agency’s security, compliance, privacy, and transparency standards can also accelerate issuance of authority to operate (ATO) by discouraging behaviors that can slow the process.
Elements of the trusted software supply chain
Powered by Red Hat® OpenShift® Container Platform, a TSSC brings together trusted third-party tools and prescriptive workflows for best practices such as TDD and CI/CD. The TSSC enforces best practices—for example, by not allowing code into production before it has been validated with static code analysis and security scanning tools. It also makes the right action easy—for example, by requiring developers to pull components (containers, libraries, binaries) from a trusted code repository. By enforcing best practices with opinionated gates and other controls, a TSSC provides a high degree of confidence in code deployments. This helps operations teams adopt efficiency-boosting SRE practices.
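The gate described above, and the "skipped steps" scenario from the earlier section, can be made concrete with a small promotion gate that runs at the end of a pipeline. The code below is an added illustration, not Red Hat's or OpenShift's own implementation: it assumes a hypothetical JSON build record in which the pipeline reports which stages passed, the findings from static analysis and security scanning, and the container images the build would deploy. The required stages, the trusted registry name, and the blocking severities are assumptions for this example. A build is promoted only if every required stage passed, no high or critical finding is open, and every image comes from the trusted registry pinned by digest rather than by a mutable tag.

```python
"""Promotion gate for a trusted software supply chain pipeline.

Added example (not Red Hat's or OpenShift's code). The build-record format,
stage names, registry list and severity thresholds are assumptions for
illustration only.
"""
import json
import re
from dataclasses import dataclass, field

# Policy knobs (assumed values; a real TSSC encodes these in the platform).
TRUSTED_REGISTRIES = ("registry.corp.example",)
REQUIRED_STAGES = ("unit-tests", "static-analysis", "security-scan")
BLOCKING_SEVERITIES = {"critical", "high"}

# An image reference pinned by digest: registry/repo@sha256:<64 hex chars>.
DIGEST_REF = re.compile(r"^(?P<registry>[^/@]+)/(?P<repo>[^@]+)@sha256:[0-9a-f]{64}$")


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def check_stages(record: dict) -> list:
    """Every required stage must be present and recorded as passed.
    A build that went straight from check-in to deploy fails here."""
    stages = record.get("stages", {})
    return [f"stage '{s}' missing or not passed"
            for s in REQUIRED_STAGES if stages.get(s) != "passed"]


def check_findings(record: dict) -> list:
    """No open finding at or above the blocking severity may remain."""
    return [f"{f['severity']} finding {f['id']} in {f['file']}"
            for f in record.get("findings", [])
            if f.get("severity", "").lower() in BLOCKING_SEVERITIES]


def check_images(record: dict) -> list:
    """Images must come from a trusted registry and be pinned by digest."""
    reasons = []
    for ref in record.get("images", []):
        m = DIGEST_REF.match(ref)
        if m is None:
            reasons.append(f"image '{ref}' is not pinned by sha256 digest")
        elif m["registry"] not in TRUSTED_REGISTRIES:
            reasons.append(f"image '{ref}' is not from a trusted registry")
    return reasons


def evaluate(record: dict) -> GateResult:
    """Combine all checks; any reason at all blocks promotion."""
    reasons = check_stages(record) + check_findings(record) + check_images(record)
    return GateResult(allowed=not reasons, reasons=reasons)


# Constructed sample build records (not real pipeline output).
SKIPPED_STEPS = {
    "build": "api-1042",
    "stages": {"unit-tests": "passed"},   # analysis and scan were skipped
    "findings": [],
    "images": ["docker.io/library/nginx:1.25"],   # mutable tag, untrusted source
}
CLEAN = {
    "build": "api-1043",
    "stages": {"unit-tests": "passed", "static-analysis": "passed",
               "security-scan": "passed"},
    "findings": [{"id": "X-1", "severity": "low", "file": "util.py"}],
    "images": ["registry.corp.example/app/api@sha256:" + "a" * 64],
}


if __name__ == "__main__":
    for record in (SKIPPED_STEPS, CLEAN):
        result = evaluate(record)
        verdict = "PROMOTE" if result.allowed else "BLOCK"
        print(f"{record['build']}: {verdict}")
        for reason in result.reasons:
            print("  -", reason)
```

Running the block prints BLOCK for the build that skipped its analysis and scan stages (three reasons: two missing stages and an unpinned image from an untrusted registry) and PROMOTE for the clean build. The important design point is that the gate runs on the pipeline's own record, so a developer who deploys by hand cannot satisfy it; in a platform like OpenShift the same policy would be enforced by the pipeline and admission controls rather than by a script the developer can bypass.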
Brief
Trusted software supply chain
Accelerate and enforce the right behaviors