Published on

How to secure your software supply chain from dependencies to deployment

Introduction

Introduction

Welcome back, everyone! We're continuing our critical discussions on security for developers. In this article, we will dive into a crucial topic: how to secure your software supply chain. This will be presented by Christoph Grotz, a strategic cloud engineer hailing from the beautiful German side of Lake Constance.

Importance of Software Supply Chain Security

Today, let's discuss why software supply chain security is a hot topic. Your applications usually consist of two main components: the source code your organization writes and the dependencies you consume from third parties (which could be open-source or commercial products). The build process takes these code and dependencies to package software, which can either be used internally or consumed by others.

Current Landscape

Recently, we have observed a surge in software supply chain attacks, increasing by 650% year on year, according to Sonatype. Gartner estimates that by 2025, nearly half of the world’s software organizations will have faced such attacks. The major vulnerability here is the wide range of source software with unknown contributors.

Google's Solution: Software Delivery Shield

Google Cloud has introduced 'Software Delivery Shield' to mitigate these risks. It’s a holistic, modular solution that spans from development to runtime. This system is built on Google’s internal best practices and can integrate with your existing tools.

Features of Software Delivery Shield

  1. Cloud Workstations: It provides fully managed development environments in the cloud, supporting popular IDEs like VS Code and IntelliJ.

  2. Source Protect: This feature shifts dependency vulnerability and license awareness left into the IDE, thus increasing productivity by providing faster feedback.

  3. Artifact Registry: Offers insights, simplifies dependency governance, and reduces attack vectors.

  4. Cloud Build: Supports out-of-the-box Salsa Level 3 builds and provides authenticated and non-falsifiable build provenance.

  5. Runtime Security: Includes features like security posture management in GKE (Google Kubernetes Engine) and Cloud Run, which continuously scan for vulnerabilities and configuration issues.

  6. Binary Authorization: Makes security policies actionable by verifying each step of the security process before deployment.

Demonstration

Let’s go through a step-by-step demo showcasing how these features come together:

Cloud Workstations

Cloud Workstations offer various features, such as private access settings, VPC service controls, and automatic image updates to ensure that developers are working in the most secure environment.

Source Protect

This feature alerts you of any security vulnerabilities or license issues directly within your IDE, making it easier to resolve these issues early in the development lifecycle.

Artifact Registry

Here, we can see the list of our dependencies and identify any vulnerabilities in both direct and transitive dependencies.

Cloud Build

Cloud Build not only constructs the container but also provides a security insights panel that offers an in-depth look into the build's software bill of materials (SBOM), vulnerabilities, and build provenance.

Runtime Security

GKE Security Posture Management and Cloud Run can alert you to vulnerabilities and configuration issues in your runtime environment.

Binary Authorization

This feature ensures that only trusted, properly attested images can be deployed, adding an additional layer of security to your runtime environments.

Conclusion

All of these features are available in preview and can be explored through various quick start tutorials available on Google Cloud’s website. They collectively offer a comprehensive approach to securing your software supply chain, from development to deployment.

Keywords

  • Software Supply Chain Security
  • Google Cloud
  • Software Delivery Shield
  • Cloud Workstations
  • Source Protect
  • Artifact Registry
  • Cloud Build
  • Binary Authorization
  • GKE
  • Cloud Run

FAQ

Q1: What is Software Delivery Shield?
A1: Software Delivery Shield is a holistic, modular solution from Google Cloud that integrates security measures from development all the way to runtime.

Q2: What are Cloud Workstations?
A2: These are fully managed development environments in the cloud that support popular IDEs like VS Code and IntelliJ, with various security configurations.

Q3: How does Source Protect help in security?
A3: Source Protect shifts dependency vulnerability and license awareness left into the IDE, providing faster feedback and increasing developer productivity.

Q4: What is the purpose of Binary Authorization?
A4: Binary Authorization ensures that only trusted and properly attested images can be deployed in the runtime environments.

Q5: How is Artifact Registry beneficial for software security?
A5: Artifact Registry provides insights into dependencies, simplifying dependency governance and reducing attack vectors.

Read More