At the Google Cloud Next conference, Google announced various new security measures that will help all software developers and operators prevent their software from going into the wrong hands. They added additional layers of security to existing services such as Artifact Registry, Stackdriver Logging Project, GKE, and Cloud Run. They also started a series of services aimed at enterprise-level development that help enforce security during the development process.
The software supply chain is the set of systems and processes used to develop, build, and deploy software. It’s important to have a clear understanding of how everything is connected, so we’ve compiled some information on how the different pieces of software come together in an efficient supply chain that maximizes both profitability and security.
To ensure that the security of your software is at the highest standards possible, it’s important that each and every phase of the supply chain is protected against threats.
The typical software supply chain is composed of four phases:
A continuous integration process makes it easy to keep track of the progress of your code. It tests the code, assembles its dependencies, and ultimately builds the final set of artifacts. The artifacts are versioned and pushed into an artifact storage repository that production can access, and a continuous delivery pipeline then deploys these newly built artifacts.
Some of the phases described above may have multiple attack vectors which could compromise the security and integrity of software.
Google’s approach to securing the software supply chain is a response to the numerous vulnerabilities found within the software supply chain.
Software Delivery Shield is the industry’s first comprehensive software supply chain product with proven best practices used by Google developers.
Professional developers everywhere can now enjoy the convenience and flexibility of on-demand development environments without much hassle. The newly launched Cloud Workstations lives up to its promise of exceptional performance as it provides a simple and reliable method of containerized development. When you want your IT team to lower costs, increase speed, and improve security across the enterprise, Cloud Workstations is the application you should use.
In the next phase, continuous integration leading into the build process, Google launched a program called Assured Open Source Software, which gives customers the same trustworthy open source packages that Google itself uses; these trusted packages are available as over 250 curated Java and Python versions. With support from the OpenSSF, Google has proposed Supply-chain Levels for Software Artifacts (SLSA), a framework that formalizes supply chain integrity criteria for the software development lifecycle to help individuals and the industry at large secure software development. Cloud Build, available through Google Cloud, supports SLSA-compliant builds.
Software Delivery Shield helps teams securely store and manage build artifacts in the Artifact Registry. It also proactively detects vulnerabilities by integrating scanning into DevOps processes, and updates such as on-push scanning of Maven and Go containers, now available in Preview, extend that coverage further.
Google Kubernetes Engine and Google Cloud Run offer continuous runtime vulnerability and workload configuration scanning to help keep your website or application secure against malicious activity. Cloud Run, a serverless runtime for containers, is integrated with the Google Cloud Platform and offers insights into security target levels and service vulnerabilities.
With Binary Authorization, security teams can restrict what container images are deployed on GKE (Google Kubernetes Engine) or Cloud Run. This feature allows the DevOps team to require that all images be digitally signed by trusted authorities during development and then enforce signature validation when deploying generated images for their production environment.
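To make the enforcement described above concrete, here is an added example (not code from the page or from Google) of a Binary Authorization policy in the YAML form that `gcloud container binauthz policy import` accepts; `PROJECT_ID`, `ATTESTOR_NAME` and the cluster key are placeholders, and the comments show the weak rollout setting beside the hardened one.

```yaml
# Illustrative Binary Authorization policy; PROJECT_ID, ATTESTOR_NAME
# and "us-central1-a.prod-cluster" are placeholders to replace.
name: projects/PROJECT_ID/policy

# Also evaluate Google-maintained system images instead of exempting them.
globalPolicyEvaluationMode: ENABLE

# Images matching these patterns bypass every rule below. Keep the list
# minimal and prefer exact paths over wildcards; every entry is an
# unsigned-image hole in the policy.
admissionWhitelistPatterns:
- namePattern: gcr.io/google-containers/*

# Rule for clusters without a specific entry in clusterAdmissionRules.
# Weak setting often left over from initial rollout:
#   evaluationMode: ALWAYS_ALLOW
#   enforcementMode: DRYRUN_AUDIT_LOG_ONLY
# Here non-production clusters still require a signature but only log
# failures, so teams can see what would be blocked before enforcing.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: DRYRUN_AUDIT_LOG_ONLY
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/ATTESTOR_NAME

# Production cluster, keyed as "<location>.<cluster name>": an image with
# no valid attestation from the named attestor is rejected at deploy time.
# Attestations bind to the image digest, so deployments must reference
# images by digest (image@sha256:...) rather than by a mutable tag.
clusterAdmissionRules:
  us-central1-a.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/ATTESTOR_NAME
```

The attestor referenced must already exist in the project with its signer’s public key registered, otherwise every image on the production cluster is denied.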
Software Delivery Shield is a valuable service for developers, operators and SRE teams on Google Cloud. It’s one of the first cloud-based managed services to secure the end-to-end software supply chain.