with Trusted Application Pipeline Automate Security on OpenShift Kevin Dubois Senior Principal Developer Advocate Red Hat 1

@kevindubois Kevin Dubois ★ Sr. Principal Developer Advocate at Red Hat ★ Based in Belgium 󰎐 ★ 🗣 Speak English, Dutch, French, Italian ★ Open Source Contributor (Quarkus, Camel, Knative, ..) ★ Java Champion youtube.com/@thekevindubois linkedin.com/in/kevindubois github.com/kdubois @kevindubois.com @[email protected]

The application Push to give energy windmill 1.Sends click Kafka Topic 2.Sends the interaction 3. Updates the UI Dashboard: Green Energy Nickname Team Push to generate energy Cars that needs energy Two teams competing (top 5 players) First wins

4 V1 Scan to play!

5

6 Increased regulations, frameworks, directives SEC Cybersecurity Rule 1 requires more governance and management regarding material cybersecurity risks, incidents. White House Cyber Executive Order 14028 European Union Cyber Resilience Act Government Cybersecurity Regulations NSA Cybersecurity Collaboration Center (CCC) National Institute of Standards and Technology (NIST) Cybersecurity and Infrastructure Security Agency (CISA) European Union Agency for Cybersecurity (ENISA) Cybersecurity Agency Frameworks and Directives [1] SEC Final Rule - Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Safeguard build systems early 7 Secure the use of source code and transitive dependencies Software supply chain security considerations for the software development lifecycle Prevent & identify malicious code Continuously monitor security at runtime

Code Build Monitor Deploy A generic development process Dependencies git commit code repo git pull (maven) package Container build push to registry K8s deployment definition(s) deploy Base images pom.xml requirements.txt go.mod gitops repo Container registry Pipeline Pipeline 8

Code Build Monitor Deploy A security-augmented development process Dependencies git commit code repo git pull (maven) package Container build push to registry K8s deployment definition(s) deploy Base images pom.xml requirements.txt go.mod gitops repo Pipeline Pipeline Red Hat Dependency Analytics Red Hat Trusted Content gitsign verify Red Hat OpenShift cosign sign image generate SBOM Red Hat Trusted Profile Analyzer Generates and signs build pipeline provenance, attestation Verify SLSA compliance Continuous security scans of stored images Red Hat Advanced Cluster Security w/ gitsign Red Hat OpenShift GitOps 9

DEMO

Push to give energy windmill Kafka Topic 2.Sends the interaction Dashboard: Green Energy Nickname Team SHAKE! to generate energy Cars that need energy Two teams competing (top 5 players) First team wins @kevindubois @alexsotob

Quarkus Apache Kafka Infinispan OpenShift GitOps

Shaking Time :)

V2 Scan the QR Code with your phone to play

Shift Security Left in the Software Supply Chain Protect the components, processes and practices early in your software factory Trust, transparency in code management with integrated templates, guardrails for security-focused pipelines *Note: Red Hat Trusted Application Pipeline is a single product SKU that includes RHDH, RHTAS, RHTPA. + + NEW! NEW! NEW! = 15 developers.redhat.com/products/trusted-software-supply-chain/overview

Get started Sign up at developers.redhat.com Find out more about Red Hat’s project and products, and what it offers developers 16

Thank you! @[email protected] youtube.com/@thekevindubois linkedin.com/in/kevindubois github.com/kdubois slides

linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat 18 Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you