Monday, April 29, 2024

Google’s Software Delivery Shield Promises End-To-End Security Of Software Supply Chain


At the Google Cloud Next conference, Google announced various services that help developers and operators secure the entire software supply chain. It added additional layers of security to existing services such as Artifact Registry, Cloud Build, Cloud Deploy, GKE, and Cloud Run. It also launched new services that help enterprises adopt a “shift left” approach by enforcing security during development.

What is Software Supply Chain?

The term software supply chain refers to the systems and processes used to deploy software in production environments. It spans everything from the code developers write and the third-party software and libraries they consume to the integration process and the deployment.

With many moving parts, the software development and deployment pipeline, i.e. the software supply chain, is exposed to multiple threats that may compromise the integrity of the application. It’s important to ensure that every phase of the supply chain is protected based on a set of well-defined security principles.

A typical software supply chain consists of four phases:

  1. Code
  2. Build
  3. Store
  4. Deploy

The code phase refers to the developers writing code and committing the changes to a code repository. The next phase involves testing the code, assembling the dependencies and building the final set of artifacts, such as container images. This phase is often called the continuous integration process. The artifacts are then versioned and pushed into an artifact storage repository that is accessible to the production environment. Finally, these artifacts are deployed to the production environment through a continuous delivery pipeline.

Each of the phases described above may have multiple attack vectors that may compromise the security and integrity of software.

Google’s Approach to Securing the Software Supply Chain

With Software Delivery Shield, Google delivers end-to-end software supply chain security based on the proven best practices used by Google developers internally.

The newly launched Cloud Workstations service provides on-demand development environments based on mainstream IDEs such as Code-OSS, IntelliJ IDEA, PyCharm, Rider, and CLion via JetBrains Gateway. Based on containers, Cloud Workstations are readily available for developers to write and build code. Enterprise teams can build their own containers embedding the IDEs to apply the policies consistently and launch them within private VPCs. They can also ensure all developers get the latest versions and patches when they start working by setting a session limit and simply updating the container images. Cloud Workstations stay current and updated according to the container image specified by enterprise IT. Google Cloud Code IDE plugins that work with mainstream IDEs now support real-time vulnerability detection. They also support scanning transitive dependencies of the code.

In the next phase of continuous integration leading to the build process, Google launched a program called Assured Open Source Software that gives developers access to the same trusted open source software (OSS) packages that Google uses in its own developer workflows. Developers can choose from over 250 curated Java and Python packages. Cloud Build, the continuous integration service available within Google Cloud, supports SLSA-compliant builds. In collaboration with the Open Source Security Foundation (OpenSSF), Google has proposed Supply-chain Levels for Software Artifacts (SLSA). The SLSA framework formalizes software supply chain integrity criteria to help the industry and the open-source ecosystem secure the software development lifecycle.

According to Google, with Software Delivery Shield, DevOps teams can store, manage and secure the build artifacts in the Artifact Registry and also proactively detect vulnerabilities with the integrated scanning provided by Container Analysis. In addition to scanning the base images, the service can now do on-push vulnerability scanning of Maven and Go containers, as well as for non-containerized Maven packages, which is currently in Preview.

Finally, the target runtimes to which the code is deployed – Google Kubernetes Engine (GKE) and Google Cloud Run – provide continuous runtime vulnerability and workload configuration scanning. Cloud Run, the serverless runtime for containers, offers insights into security target levels, service vulnerabilities, and build provenance.

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on GKE or Cloud Run. With Binary Authorization, DevOps or security teams can require images to be signed by trusted authorities during the development process and then enforce signature validation at deploy time.
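As an added illustration of the deploy-time control described above (not from the original article or from Google's documentation), here is a Binary Authorization policy in the permissive state a new project starts in, followed by the hardened version that requires an attestation from a named attestor before an image is admitted. The project id and attestor name are placeholders.

```yaml
# Weak policy: every image is admitted; nothing is enforced.
# Only a few Google-managed system image paths are explicitly allowed.
name: projects/PROJECT_ID/policy
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
  - namePattern: gcr.io/google_containers/*
  - namePattern: gke.gcr.io/**
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
---
# Hardened policy: every image must carry an attestation signed by the
# listed attestor, and any image that does not is blocked and logged.
# Attestations are bound to the image digest, so workloads must reference
# images as image@sha256:<digest>, not by mutable tag.
name: projects/PROJECT_ID/policy
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
  - namePattern: gcr.io/google_containers/*
  - namePattern: gke.gcr.io/**
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  # Use DRYRUN_AUDIT_LOG_ONLY first to see what would be blocked,
  # then switch to ENFORCED_BLOCK_AND_AUDIT_LOG.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/ATTESTOR_NAME
# Optional: a stricter rule for one production cluster, keyed by
# location.cluster-name, overriding the default rule there.
clusterAdmissionRules:
  us-central1.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/ATTESTOR_NAME
```

The second policy is what turns the signature produced during the build into an actual gate: the image is admitted only if a verifiable attestation for its exact digest exists, and admission-denied events show up in the audit log.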

Software Delivery Shield is a valuable service to developers, operators and SRE teams that are building, deploying, and managing applications on Google Cloud. It’s one of the first cloud-based managed services to secure the end-to-end software supply chain.
