Are there security risk points in your software supply chain? Well, remember, hackers continue to target MSPs and their software supply chains, the US Cybersecurity & Infrastructure Agency (CISA) advised in May 2022. (See related story)
Now, Google says it can help organizations address those risks, the company assets in its Google Cloud Developers & Practitioners blog.
Google Shares its Tools of the Trade
Google is now sharing its own software supply chain security practices externally — so we all can benefit.
Google secures its own software supply chain through:
The same practices hold true for external parties, Google says. As such, securing your software supply chain involves defining, checking, and enforcing attestations across the software lifecycle.
How Google Cloud Helps Secure a Software Supply Chain
Securing your software supply chain involves defining, checking and enforcing attestations across the software lifecycle. To follow are the tools and services Google offers for software supply chain protection.
Google’s Binary Authorization service is a key element in software supply chain security, which establishes, verifies and maintains a chain of trust via attestations and policy checks. Essentially, cryptographic signatures are generated as code or other artifacts move toward production. Before deployment, the attestations are checked based on policies.
Open Source Insights
Open source is heavily used in software. It can be challenging to determine the risk of open source dependencies. Google recently launched Open Source Insights to help address this challenge,
Open Source Insights is an interactive visualization site for exploring open source software packages. It is unique, says Google, in that it provides a transitive dependency graph, with continuously updated security advisory, license and other data across multiple languages in one place.
In conjunction with open source scorecards, which provide a risk score for open source projects, developers can use Open Source Insights to make better choices across millions of open source packages.
Once your code is checked in, it is built by Cloud Build, Google says. Examples include what tests were run, the build tools and processes used, and more. Cloud Build helps with achieving a SLSA level 1, which denotes the level of security of your software supply chain.
As a fully managed cloud service, Cloud Build enables a locked-down environment for securing builds, greatly reducing the risk of compromised build integrity or a compromised build system, Google says. And Cloud Build Private Pools adds support for VPC-SC and private IPs.
Test and Scan
Once the build is complete, it is stored in the Artifact Registry where it is automatically scanned for vulnerabilities, Google says. This generates additional metadata, including an attestation for whether an artifact’s vulnerability results meet certain security thresholds. This information is stored in Google’s container analysis service, which structures and organizes an artifact’s metadata, making it readily accessible to services like Binary Authorization.
Deploy and Run
Having built, stored and scanned the images securely, attestations captured along the supply chain are verified for authenticity by Binary Authorization. Binary Authorization is available for GKE and Cloud Run (preview), ensuring only properly reviewed and authorized code is deployed.
Binary Authorization also supports continuous validation, which ensures continued conformance to the defined policy, even post-deployment.