Securing the software supply chain

Hello everyone and welcome to securing the software supply chain. My name is Patrick Foshe, Senior Product Manager for Google Cloud. Today, my colleague Dustin Ingram and I will be discussing the key principles of software supply chain security and how you can put those principles into practice using Google Cloud.

Introduction

First, we will cover the security challenges presented by modern software development and DevOps systems. Then we will dive into key principles for securing your software deployment pipelines and how to implement them in your practice. We will wrap up with a live demo showing how Google Cloud tools can help you improve your security posture for software delivery.

The Changing Scope of Cyber Security

The scope of cyber security has changed dramatically over the last few years. It's no longer just about the network perimeter and patching vulnerable operating systems. Increasingly, the software delivery process itself has become a vector for attacks.

Attack Surfaces

The software delivery system provides multiple vectors for attackers, such as:

  • Exploitable code
  • Weaknesses in the CI/CD toolchain
  • Unpatched vulnerabilities in production

Not only can code introduce security risks, but the build system and deployment process can be circumvented. Artifacts can be modified in transit and go undetected if not verified at each step. Cases like the SolarWinds, Microsoft Exchange, and Codecov hacks highlight these vulnerable areas. Recently, a U.S. executive order has set a new high standard for SDLC security, accelerating the urgency for more rigorous, verifiable approaches.

Core Concepts for Better Security

Two core concepts for creating better security are starting from zero trust and shifting security practices to the left. For example, companies should authenticate each artifact before it's built or deployed and ensure code during the development stage is free from critical vulnerabilities.

Implementing Security Practices with Google Cloud

At each stage of the software supply chain, Google Cloud provides solutions to continually verify artifacts:

  • Cloud Build: To sign the build and create an attestation showing metadata like the build trigger and vulnerabilities.
  • Artifact Registry: To securely store immutable and auditable build artifacts and dependencies.
  • Binary Authorization: To define and enforce deployment policies based on container image metadata.

Continuous Verification

Continuous verification extends validation throughout the lifecycle, informing you if an updated policy is violated by an existing deployment and logging policy conformance without breaking production.

Live Demo by Dustin Ingram

Dustin Ingram demonstrated configuring and running a secure deployment pipeline using Google Cloud:

  1. Creating a Binary Authorization Attester: Verifies attestations digitally signed using a private cryptographic key.
  2. Editing the Binary Authorization Policy: Ensures only images with valid attestations are deployed.
  3. Adding to the CI/CD Pipeline: Added steps to cloudbuild.yaml for attestation creation.
  4. Testing Unauthorized Image: Demonstrated that unauthorized images are blocked.
  5. Using Break Glass: Showed how to bypass binary authorization in emergencies, with actions logged for review.
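
A policy of the kind step 2 describes, shown as an added example rather than the configuration used in the demo. PROJECT_ID and ATTESTOR_ID are placeholders for your own project and the attestor created in step 1.

```yaml
# policy.yaml - added example; PROJECT_ID and ATTESTOR_ID are placeholders.
# Export the current policy with `gcloud container binauthz policy export`,
# edit it, then apply it with `gcloud container binauthz policy import policy.yaml`.
name: projects/PROJECT_ID/policy

# Keep Google-maintained system images deployable regardless of the rules below.
globalPolicyEvaluationMode: ENABLE

defaultAdmissionRule:
  # A new project's default rule is ALWAYS_ALLOW, which admits every image.
  # REQUIRE_ATTESTATION is the setting that makes an image without a valid
  # attestation fail admission (step 4 of the demo).
  evaluationMode: REQUIRE_ATTESTATION

  # ENFORCED_BLOCK_AND_AUDIT_LOG blocks the deployment and logs the violation.
  # DRYRUN_AUDIT_LOG_ONLY logs the violation without blocking, which lets you
  # observe the effect of a policy change before enforcing it.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

  # Every attestor listed here must have signed the image digest being deployed.
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/ATTESTOR_ID
```

Attestations are bound to an image digest, so an image referenced only by tag cannot satisfy this rule.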

Conclusion

By leveraging these practices and Google Cloud tools, you can establish and maintain trust, improving security throughout your software pipeline while maintaining speed and quality.

Keywords

  • Cyber security
  • Zero trust
  • Shift left
  • CI/CD
  • Google Cloud
  • Cloud Build
  • Artifact Registry
  • Binary Authorization
  • Continuous Verification
  • Break Glass

FAQs

What are some key security vulnerabilities in modern software delivery systems?

Modern software delivery systems can be exploited through attack vectors such as exploitable code, weaknesses in the CI/CD toolchain, and unpatched vulnerabilities in production systems.

How does Google Cloud’s Artifact Registry enhance supply chain security?

Google Cloud's Artifact Registry securely stores build artifacts and dependencies, automatically scans for vulnerabilities, provides fine-grained access controls, and retains immutability to ensure downstream stability.

What is Binary Authorization in Google Cloud and why is it important?

Binary Authorization allows you to create and enforce deployment policies based on container image metadata, ensuring only trusted and verified images are deployed to your environment.

How does the "Break Glass" feature work in emergency situations?

"Break Glass" allows for bypassing binary authorization policies during emergencies, logging these events for review to ensure traceability and accountability.

How can continuous verification aid in maintaining secure software delivery?

Continuous verification allows for repeated policy validation throughout the lifecycle, ensuring that new or updated policies do not inadvertently break existing deployments while logging policy conformance for audit.


By implementing these principles and tools, you can create a robust and secure software supply chain that safeguards against modern threats while maintaining efficient and reliable deployment workflows.