
      Red Hat is a trusted open-source software vendor chosen as part of our customers' supply chain. This trust has to be earned and demonstrated through the secure development and incident response for our products and services.

      As a provider, Red Hat must fulfill both external regulatory standards and customer expectations. In line with evolving regulations across key markets, including the US, we are obliged to comply with these requirements. Non-compliance, for instance with mandates such as the 2021 US Executive Order 14028, can directly impact our revenue from federal engagements and FedRAMP investments.

      The Red Hat Secure Development Lifecycle (RH-SDL) implementation plan provides clear and actionable tasks and workflows for implementing the security controls that Red Hat Engineering adopts during the development lifecycle to improve its security posture. The Secure Software Management Lifecycle (SSML), which is directly aligned with the NIST SSDF and NIST SP 800-53, will be used for guidance. This approach encompasses specific secure development practices such as threat modeling, secure architecture, and static code analysis. The end goal is to continue providing secure, reliable, and compliant products to our customers.

      Individual SSML standards still underlie the SDL effort, but not all of them need to be met in order to be compliant with a given Readiness Tier. By completing the work defined in CCXDEV-11480, CCX will be compliant with SSML Readiness Tier 2.

      Additional resources:

      Preliminary plan:

      • 2023Q3 - Red Hat Secure Development Training
      • 2023Q4 - DAST (Dynamic Application Security Testing)
      • 2024Q1 - SAST (Static Application Security Testing)
      • 2024Q2 - Malware Detection

      Goal:

      Certify CCX to RH-SDL Readiness Tier 2 defined by ProdSec.

      Tracker for our progress: https://product-security.pages.redhat.com/offering-registry/sdl

      Documentation: https://docs.google.com/document/d/1QMrM5ac2sbecmy7lYHA8S6p8L8ivVwHlgdcspy-Z4VE/edit

      Runbook (processes for individual sections): https://docs.google.com/document/d/1WCaz3sI5Jxv5FAViXht5fZPrbEOYH6aOQ8wMxFad2uk/edit

      Repository: https://gitlab.cee.redhat.com/product-security/offering-registry-reports/connected-customer-experience/-/tree/main

              tdosek@redhat.com Tomas Dosek
              Iker Reyes