This workshop explores the integration of security into development and deployment practices using multiple open source technologies. It emphasizes the importance of 'shifting left'- embedding security early in the development lifecycle - and offers hands-on activities to transition from non-secure to secure development pipelines. Participants will transform a non-secure development pipeline into a secure one, emphasizing the practical benefits of integrating security tools such as The Update Framework + Fulcio + Sigstore, Red Hat Advanced Cluster Security (ACS), and SonarQube into their Red Hat OpenShift workflows. Throughout this journey, participants will assume the roles of developers, quality assurance engineers, and security engineers, confronting challenges these personas typically face.

Technical Prerequisites

Participants need to bring their own laptop (the environment will be provisioned centrally, participants only need a browser and optionally a SSH connection)

Target Audience

• Enterprise or IT Architects
• Platform Engineers
• Security Experts, Quality Assurance Engineers
• Software Developer, DevOps Engineers

• Sigstore / Red Hat Trusted Artifact Signer (Umbrella open source project for Supply Chain Security)
  • CoSign for signing
  • Enterprise Contracts: Verification of (Supply Chain Security) policies
  • Rekor: Transparency log for auditing
  • Fulcio (Open Source CA for short lived certificates based on OpenID Connect)
• Backstage / Red Hat Developer Hub: Internal Developer Portal
• Guac, Trustification, Exhort, Syft / Red Hat Trusted Profile Analyser: Generating, analyzing and managing of Software Bill of Materials (SBOMs)
• Stackrox / Red Hat Advanced Cluster Security (ACS): Vulnerability Scanning and Security Posture Management
• Kubernetes / Red Hat Openshift: Container Application Platform

Questions? Please contact Red Hat EMEA at emeaevents@mail.events.redhat.com