Red Hat’s global impact on Linux security


Red Hat Blog

Red Hat is built on open source, a global decentralized and transparent community of international engineers who put security at the forefront of technology. Red Hat Enterprise Linux (RHEL) is the trusted operating system (OS) used by more than 90% of Fortune 500 companies and customers in more than 174 countries. This trust is earned largely due to RHEL’s reliability and stability as well as Red Hat’s long history of actively contributing to open source projects.

There is one key factor that is often discounted with respect to the Linux OS, however, which is its reputation for having enhanced security over other operating systems. While this reputation is earned, not all Linux distributions are equal when it comes to security. Over the years, Red Hat has made significant investments to provide RHEL users with the appropriate capabilities to meet the strict global security requirements of their region and to take advantage of security best practices as efficiently as possible. In this article we’ll talk about some of these security investments and how they impact users in three key focus areas: research/roadmap, deployment/practice and post-sale security support.

Research and roadmap

Compliance requirements differ around the world

With over 100 offices in more than 40 countries, the team at Red Hat understands that there are a multitude of compliance regulations that differ from country to country. A key part of the RHEL research and roadmap phase is looking at what requirements users are facing today as well as what new requirements they may face in the future.

For example, as more data moves to the cloud and AI becomes more prevalent and requires access to various data sets, new concerns around data sovereignty continue to pop up. With customers in multiple industries and countries, we understand the controls, governance and attestation requirements that many users face. If you want to know more about the specific regulations around the world, we maintain a webpage that breaks down the cybersecurity validations and certifications for our products and services in global markets, which will continue to evolve as new regulations are introduced.

Keeping an eye on the threat horizon

The product team is constantly looking far ahead to identify threats that could emerge in the future. Following a practice first developed by the military, when members of the product team identify a future threat or issue, they produce a document called an SBAR, which stands for Situation, Background, Assessment, Recommendation.

As the title implies, this document explains the situation about what the future threat is, what it means for our customers and the product, what the feasibility is to address and methods for doing so, followed by a recommendation for what steps Red Hat should take. True to the open source nature of the company, the SBAR is shared with everyone at Red Hat to collect additional information and collaborate on the most appropriate recommendation. As an example, based on an SBAR written years earlier, there was already an internal plan produced in April 2022 on how the product team would address the future challenge of post-quantum cryptography.

Secure development lifecycle (SDLC) practices

Software security needs to be baked into development from the start, and Red Hat follows an approach that directly aligns with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF, NIST SP 800-218) as well as Open Web Application Security Project (OWASP) guidance and various ISO standards. Every member of Red Hat product security not only understands the expectations around the Red Hat secure software management lifecycle (SSML), but is also well versed in following the plans and processes designed to support those practices. For more detail on the different aspects of the framework, have a look at the knowledgebase article written by our product security team.

More eyes equals lower risk

Many vendors participate in read-only open source, where they, and they alone, are the sole contributor to an open source project. There are many examples of this among start-ups and large tech companies alike. They use open source as a marketing funnel to garner technology adoption, but they do not respect it for its true power: innovation. These companies want you to use their open source software, but patches and contributions are not welcome, unless they are documentation or user groups. They do not want your code. They have to retain full control over the projects in order to make money from the commercial products they have built on that open source.

At Red Hat, we believe the true power of open source lies in community-driven open source, where the code is built in a collaborative process with a global group of contributors. This solicits and selects the best and brightest ideas, while supporting the time-honored tradition of Linus's Law, as Eric S. Raymond phrased it: "given enough eyeballs, all bugs are shallow." When there is a healthy community of contributors, if one participant behaves poorly, any other participant can report that issue to the rest of the community. Everyone in the room is watching everyone else in the room. If the problem can't be resolved, any participant can take a copy of the code and start their own competing version of the project.

From a security perspective, the open, transparent and collaborative nature of community-driven open source ultimately lowers the risk that malicious code or exploitable vulnerabilities end up in the code base. When everyone is watching everyone else, and everyone has eyes on the code, it's a lot harder to sneak in anything harmful, whether intentionally or accidentally.

Deployment and practice

Start enhancing security at build time

Red Hat incorporates multiple layers of security mechanisms within its products, including default security configurations, least privilege access controls and rigorous code reviews. One of the capabilities that users are often interested in is the ability to apply security profiles that provide hardened default configurations. Once a security baseline has been selected, administrators can use automation at build time to verify that the resulting configuration meets compliance and security best practices. This increases efficiency and also lowers risk and the possibility of human error in what would otherwise be manual tasks performed after the build.

Pair security with efficiency

In 2024, Red Hat introduced image mode, a new deployment method for RHEL that delivers the platform as a container image. Image mode takes a container-native approach to building, deploying and managing the operating system, providing a single workflow to manage the entirety of an IT landscape—from the applications to the underlying operating system—with the same tools and techniques. What this means for security teams is that they can now use container security tools they’re already familiar with—from scanning and validation, to cryptography and attestation, to the base elements of the operating system—making their jobs far less complex.

Provide users with insights into security

With new threats emerging daily and demands on IT teams constantly increasing, Red Hat Insights was designed to help customers identify and report issues on their own systems, prioritize risk based on the impact to the business and even trigger the next action in their automation toolchain. Insights has security analytics tools to help you manage risk more effectively. You can scan your systems for Common Vulnerabilities and Exposures (CVEs), collect scan information and access remediation guidance from a single interface.

Insights also helps you prioritize remediation actions based on the severity, risk type and impact of the change. It helps you be more proactive by auditing regulatory compliance against OpenSCAP policies, correcting non-compliant systems and generating compliance reports with less effort. Additionally, you can use Insights to rapidly detect active malware signatures on systems across your hybrid cloud environment.
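The build-time verification described under "Start enhancing security at build time" and the OpenSCAP compliance auditing mentioned here both come down to the same check: evaluate a profile, then refuse to accept any system whose rule results are not clean. As an added example (not Red Hat's code, and not part of Insights or OpenSCAP), the script below parses the XCCDF results document that `oscap xccdf eval --results` writes and exits non-zero when any evaluated rule failed, so a Kickstart %post step or image build pipeline can reject a non-compliant build. The embedded XML is constructed sample data: the rule and profile IDs follow the SCAP Security Guide naming scheme, but the outcomes are made up for the example.

```python
"""Gate a RHEL build or compliance audit on OpenSCAP XCCDF results.

Added example, not Red Hat's code. Reads the results file written by
`oscap xccdf eval --results <file> --profile <id> <datastream>` and
returns a non-zero exit status when any rule result should block.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Rule results that should block the build. "notapplicable", "notchecked",
# "notselected" and "informational" are not failures of the baseline.
BLOCKING = {"fail", "error", "unknown"}
NOT_EVALUATED = {"notapplicable", "notchecked", "notselected"}

# Constructed sample results (not real scan output).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis"
              start-time="2024-05-01T10:00:00" end-time="2024-05-01T10:01:00">
    <profile idref="xccdf_org.ssgproject.content_profile_cis"/>
    <target>build-host.example.internal</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
      <result>error</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_tmout" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text):
    """Return (profile_id, {rule_id: {"result": str, "severity": str}})."""
    root = ET.fromstring(xml_text)
    # oscap may write a bare TestResult or wrap it in a Benchmark/ARF document.
    test_result = root if root.tag == f"{{{XCCDF_NS}}}TestResult" else root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element found; was oscap run with --results?")
    profile = test_result.find("x:profile", NS)
    profile_id = profile.get("idref") if profile is not None else "(none)"
    rules = {}
    for rr in test_result.findall("x:rule-result", NS):
        rules[rr.get("idref")] = {
            "result": rr.findtext("x:result", default="unknown", namespaces=NS),
            "severity": rr.get("severity", "unknown"),
        }
    return profile_id, rules


def blocking_rules(rules):
    """Rule IDs whose result should fail the gate, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    bad = [rid for rid, info in rules.items() if info["result"] in BLOCKING]
    return sorted(bad, key=lambda rid: (order.get(rules[rid]["severity"], 3), rid))


def gate(xml_text):
    """Print a summary and return the process exit code (0 = compliant)."""
    profile_id, rules = summarize(xml_text)
    failed = blocking_rules(rules)
    evaluated = sum(1 for r in rules.values() if r["result"] not in NOT_EVALUATED)
    print(f"profile {profile_id}: {evaluated} rules evaluated, {len(failed)} blocking")
    for rid in failed:
        info = rules[rid]
        print(f"  {info['severity']:>6}  {info['result']:<7}  {rid}")
    return 1 if failed else 0


if __name__ == "__main__":
    # With a path argument, gate a real results file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(gate(fh.read()))
    sys.exit(gate(SAMPLE_RESULTS))
```

A typical run on a RHEL 9 host with the scap-security-guide package installed is `oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results /tmp/results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml`, followed by this script on `/tmp/results.xml`; the non-zero exit is what a Kickstart %post section or a CI job keys on. Treating `error` and `unknown` as blocking is deliberate: a rule that could not be checked tells you nothing about compliance, and silently passing it is how hardened baselines drift.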

Post-sale security support

Red Hat is a trusted global security partner

Security is a core focus for Red Hat, and we work within and through industry-led coordinated vulnerability disclosure programs. We have a long history of participating in these organizations and working with global and national partners on security data sharing and collaboration.

As one of a small handful of organizations globally to hold a special role as a Common Vulnerabilities and Exposures (CVE) Root participant, Red Hat partners with CVE.org and their mission to identify, define and catalog publicly disclosed cybersecurity vulnerabilities. In addition to the Root role, Red Hat is also a CVE Numbering Authority (CNA) which means we are authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records.

To our users, this means that by the time they are notified of a new CVE, they can take comfort in knowing that a team of security experts who are intimately familiar with RHEL was actively involved in the vulnerability assessment. When a vulnerability affects Red Hat products, that team has already begun investigating any necessary remediation steps.

Finally, in service to the open source communities we depend on and engage with, Red Hat is also a CNA of Last Resort, meaning we can assign CVEs and publish them for vulnerabilities affecting open source projects that are not covered by another CNA.

Transparency around security, vulnerabilities and remediation

While we are obviously focused on RHEL, when it comes to security, Red Hat actively shares security information and vulnerability details publicly. Transparency is in our DNA, and part of the product security team's vision is to provide the quality information needed to mitigate security and privacy risks, along with access to that information for everyone who needs it.

This extends beyond just our customers – it extends to community collaboration for patches and mitigation strategies for all Linux users. As a community, it’s important to all of us that we work to maintain Linux’s reputation as one of the most secure operating systems in the world. As mentioned earlier, this extends to our code as well. Our code is open. Everyone is free to inspect, audit, review and contribute to our code.

We participate with peers and colleagues around the world in the development of open source security practices that provide a bedrock framework for global industry to adopt and build upon. This practice is not new: over the last 30 years it is evidenced by our support for the creation of OpenSCAP, our membership in organizations such as OpenSSF and CoSAI, and our contributions to OSV.dev.

Looking ahead to the next 30 years

While perhaps not thought of as a security company in the traditional sense, Red Hat has focused on security as both foundation and enabler for decades. The world is different today compared to what it was in 1993 when Marc Ewing first created the Linux distribution called Red Hat Linux. No one can clearly see what the next 30 years will look like, but we can be certain that we will continue to need a very strong focus on global security requirements.

We will continue:

  • Researching and laying out the necessary roadmaps so our products meet the security needs of our customers around the world
  • Designing our products in a way that makes applying security easier at build time to increase efficiencies while lowering risk
  • Supporting our base and the global Linux community to remediate threats through our active participation in security-focused initiatives such as the CVE program

We are passionate about Linux and about protecting our community. We look forward to working with you on this mission.

Stay informed about open source security by subscribing to our blog feed.
