Published on

Securing the Software Supply Chain (Cloud Next '18)

Securing the Software Supply Chain (Cloud Next '18)

Hello everybody, Welcome to our session today! I'm Sandra from Google Security, and this is Jonathan, the Security Architect from Shopify. Together, we'll be introducing you to the new container security product we just announced – Binary Authorization – and how it can secure your software selection.

Session Overview

In this session, I'll provide an overview of Binary Authorization and explain its relevance in production environments. Jonathan will then demonstrate the product live, showcasing how Shopify integrates it into their security practices. After these segments, we'll open the floor to questions and answers.

Introduction to Binary Authorization

One of the pressing questions DevOps and security stakeholders often face is, "What is running in our production environment, and how do we control it?" Enterprises operate thousands of services across diverse environments. Keeping a centralized, consistent control over this vast operational landscape can be challenging, especially with increasing incidents of data leaks and breaches originating from untrusted code running in trusted environments.

Organizations often focus on perfecting access control policies but overlook the importance of ensuring the actual code running in production is secure. This can lead to scenarios where legacy software, constantly updated or adjusted by multiple individuals, becomes a target for attackers or rogue employees who might introduce malicious code.

How Binary Authorization Enhances Security

Binary Authorization enhances security by ensuring only properly signed containers are deployed to Kubernetes Engine, thus reintroducing the control over the software supply chain. Unlike traditional account-based deployment controls, Binary Authorization focuses on code-based deployment controls.

Key Features

  1. Policy Definition: Define policies at runtime, environment level. Different rules for production vs. development environments can be established.

  2. Centralized Metadata: Integrates with Google Container Registry's container analysis API to aggregate all metadata related to a container, which stakeholders can then query as needed.

  3. Attestation Checks: Integrates attestation checks directly into the deployment process, ensuring containers are signed at each stage of the CI/CD pipeline.

  4. Third-Party Image Whitelisting: Enables whitelisting of third-party images, ensuring only approved versions run in production.

  5. Break Glass Functionality: Allows exceptions during emergencies while logging incidents for later review.

How It Works

Binary Authorization leverages metadata created during the CI/CD pipeline:

  • Code passes through various stages: build, unit tests, vulnerability scans, static analysis, and quality control.
  • Each stage generates a signature.

During deployment, Binary Authorization checks these signatures against pre-defined policies. If a deployment attempt lacks the required signatures, it's rejected.

Integration with Existing Tools

For broader compatibility, Binary Authorization integrates with CI/CD tools like Jenkins and security tools like Twistlock. It provides open-source tools like Grafeas (metadata storage) and Kritis (on-prem deployment enforcement) for cohesive on-prem and cloud environments.

Live Demo by Jonathan

Jonathan from Shopify demonstrated a live scenario using Binary Authorization to secure Shopify's production clusters. He illustrated how their infrastructure uses tools like Google Container Builder, GCR, and internally developed controllers.

In the demo, Jonathan showed:

  1. Writing Dockerfiles for "good" and "bad" images.
  2. Pushing these images to GCR.
  3. Using Binary Authorization policies to control deployment.
  4. Monitoring outcomes through CLI outputs as well as the Binary Authorization UI.

This demo highlighted how policies, attestation, and logging interplay to ensure only secure, compliant images deploy to production.

Conclusion

Binary Authorization offers a robust mechanism for enforcing code-based deployment controls, securing the software supply chain by integrating seamlessly with existing CI/CD pipelines and production environments. Its features enable organizations to maintain compliance, safeguard against malicious code, and enhance overall security posture.

Binary Authorization is currently in beta, accompanied by resources like code labs and open-source project references for deeper engagement.

Keywords:

  • Binary Authorization
  • CI/CD pipeline
  • Kubernetes Engine
  • Google Container Registry
  • Security
  • Attestation
  • Policy Definition
  • Third-Party Image Whitelisting
  • Grafeas
  • Kritis

FAQ:

Q1: What is Binary Authorization? A1: Binary Authorization is a Google security product that ensures only signed and verified containers are deployed to Kubernetes Engine, enhancing security by introducing code-based deployment controls.

Q2: How does Binary Authorization work with existing CI/CD pipelines? A2: Binary Authorization integrates with existing pipelines by requiring signatures at each stage of the build and deployment process. It checks these signatures against defined policies during deployment.

Q3: Can Binary Authorization be used with third-party images? A3: Yes, it includes a feature for whitelisting trusted third-party images, ensuring only approved versions are deployed in production.

Q4: What happens during an emergency deployment? A4: Binary Authorization allows a ‘break glass’ override for emergency scenarios, logging these events for subsequent review.

Q5: Is there support for on-prem deployments? A5: Yes, through the open-source tools Grafeas and Kritis, Binary Authorization can also be applied to on-prem environments.

Q6: Where can I learn more or get hands-on experience? A6: You can explore more during the live sessions and code labs at Google's events, or visit the open-source repositories for hands-on practice and contributions.

Read More