Cloud Security, Content

Google Cloud Offers Software Supply Chain Security

LONDON, ENGLAND – AUGUST 09:  In this photo illustration, an image of the Google logo is reflected on the eye of a young man on August 09, 2017 in London, England. Founded in 1995 by Sergey Brin and Larry Page, Google now makes hundreds of products used by billions of people across the globe, from YouTube and Android to Smartbox and Google Se...

Are there security risk points in your software supply chain? Well, remember, hackers continue to target MSPs and their software supply chains, the US Cybersecurity & Infrastructure Agency (CISA) advised in May 2022. (See related story)

Now, Google says it can help organizations address those risks, the company assets in its Google Cloud Developers & Practitioners blog.

Google Shares its Tools of the Trade

Google is now sharing its own software supply chain security practices externally — so we all can benefit.

Google secures its own software supply chain through:

The same practices hold true for external parties, Google says. As such, securing your software supply chain involves defining, checking, and enforcing attestations across the software lifecycle.

How Google Cloud Helps Secure a Software Supply Chain

Securing your software supply chain involves defining, checking and enforcing attestations across the software lifecycle. To follow are the tools and services Google offers for software supply chain protection.

Binary Authorization

Google’s Binary Authorization service is a key element in software supply chain security, which establishes, verifies and maintains a chain of trust via attestations and policy checks. Essentially, cryptographic signatures are generated as code or other artifacts move toward production. Before deployment, the attestations are checked based on policies.

Open Source Insights

Open source is heavily used in software. It can be challenging to determine the risk of open source dependencies. Google recently launched Open Source Insights to help address this challenge,

Open Source Insights is an interactive visualization site for exploring open source software packages. It is unique, says Google, in that it provides a transitive dependency graph, with continuously updated security advisory, license and other data across multiple languages in one place.

In conjunction with open source scorecards, which provide a risk score for open source projects, developers can use Open Source Insights to make better choices across millions of open source packages.

Cloud Build

Once your code is checked in, it is built by Cloud Build, Google says. Examples include what tests were run, the build tools and processes used, and more. Cloud Build helps with achieving a SLSA level 1, which denotes the level of security of your software supply chain.

As a fully managed cloud service, Cloud Build enables a locked-down environment for securing builds, greatly reducing the risk of compromised build integrity or a compromised build system, Google says. And Cloud Build Private Pools adds support for VPC-SC and private IPs.

Test and Scan

Once the build is complete, it is stored in the Artifact Registry where it is automatically scanned for vulnerabilities, Google says. This generates additional metadata, including an attestation for whether an artifact’s vulnerability results meet certain security thresholds. This information is stored in Google’s container analysis service, which structures and organizes an artifact’s metadata, making it readily accessible to services like Binary Authorization.

Deploy and Run

Having built, stored and scanned the images securely, attestations captured along the supply chain are verified for authenticity by Binary Authorization. Binary Authorization is available for GKE and Cloud Run (preview), ensuring only properly reviewed and authorized code is deployed.

Binary Authorization also supports continuous validation, which ensures continued conformance to the defined policy, even post-deployment.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.