This document in the Google Cloud Architecture Framework provides best practices for deploying applications securely.
To deploy secure applications, you must have a well-defined software development lifecycle, with appropriate security checks during the design, development, testing, and deployment stages. When you design an application, we recommend a layered system architecture that uses standardized frameworks for identity, authorization, and access control.
Automate secure releases
Without automated tools, it can be hard to deploy, update, and patch complex application environments to meet consistent security requirements. Therefore, we recommend that you build a CI/CD pipeline for these tasks, which can solve many of these issues. Automated pipelines remove manual errors, provide standardized development feedback loops, and enable fast product iterations. For example, Cloud Build private pools let you deploy a highly secure, managed CI/CD pipeline for highly regulated industries, including finance and healthcare.
You can use automation to scan for security vulnerabilities when artifacts are created. You can also define policies for different environments (development, test, production, and so on) so that only verified artifacts are deployed.
Ensure that application deployments follow approved processes
If an attacker compromises your CI/CD pipeline, your entire stack can be affected. To help secure the pipeline, you should enforce an established approval process before you deploy the code into production.
If you plan to use Google Kubernetes Engine (GKE) or Anthos, you can establish these checks and balances by using Binary Authorization. Binary Authorization attaches configurable signatures to container images. These signatures (also called attestations) help to validate the image. At deployment, Binary Authorization uses these attestations to determine that a process was completed earlier. For example, you can use Binary Authorization to do the following:
- Verify that a specific build system or continuous integration (CI) pipeline created a container image.
- Validate that a container image is compliant with a vulnerability signing policy.
- Verify that a container image passes criteria for promotion to the next deployment environment, such as from development to QA.
Scan for known vulnerabilities before deployment
We recommend that you use automated tools that can continuously perform vulnerability scans on container images before the containers are deployed to production.
Use Container Analysis to automatically scan for vulnerabilities for containers that are stored in Artifact Registry and Container Registry. This process includes two tasks: scanning and continuous analysis.
To start, Container Analysis scans new images when they're uploaded to Artifact Registry or Container Registry. The scan extracts information about the system packages in the container.
Container Analysis then looks for vulnerabilities when you upload the image. After the initial scan, Container Analysis continuously monitors the metadata of scanned images in Artifact Registry and Container Registry for new vulnerabilities. When Container Analysis receives new and updated vulnerability information from vulnerability sources, it does the following:
- Updates the metadata of the scanned images to keep them up to date.
- Creates new vulnerability occurrences for new notes.
- Deletes vulnerability occurrences that are no longer valid.
Monitor your application code for known vulnerabilities
It's a best practice to use automated tools that can constantly monitor your application code for known vulnerabilities such as the OWASP Top 10. For a description of Google Cloud products and features that support OWASP Top 10 mitigation techniques, see OWASP Top 10 mitigation options on Google Cloud.
Use Web Security Scanner to help identify security vulnerabilities in your App Engine, Compute Engine, and Google Kubernetes Engine web applications. The scanner crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible. It can automatically scan for and detect common vulnerabilities, including cross-site scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and outdated or insecure libraries. Web Security Scanner gives you early identification of these types of vulnerabilities with low false positive rates.
Control movement of data across perimeters
To control the movement of data across a perimeter, you can configure security perimeters around the resources of your Google-managed services. Use VPC Service Controls to place all components and services in your CI/CD pipeline (for example, Container Registry, Artifact Registry, Container Analysis, and Binary Authorization) inside a security perimeter.
VPC Service Controls improves your ability to mitigate the risk of unauthorized copying or transfer of data (data exfiltration) from Google-managed services. With VPC Service Controls, you configure security perimeters around the resources of your Google-managed services to control the movement of data across the perimeter boundary. When a service perimeter is enforced, requests that violate the perimeter policy are denied, such as requests that are made to protected services from outside a perimeter. When a service is protected by an enforced perimeter, VPC Service Controls ensures the following:
- A service can't transmit data out of the perimeter. Protected services function as normal inside the perimeter, but can't send resources and data out of the perimeter. This restriction helps prevent malicious insiders who might have access to projects in the perimeter from exfiltrating data.
- Requests that come from outside the perimeter to the protected service are honored only if the requests meet the criteria of access levels that are assigned to the perimeter.
- A service can be made accessible to projects in other perimeters using perimeter bridges.
Encrypt your container images
In Google Cloud, you can encrypt your container images using customer-managed encryption keys (CMEK). CMEK keys are managed in Cloud Key Management Service (Cloud KMS). When you use CMEK, you can temporarily or permanently disable access to an encrypted container image by disabling or destroying the key.
Learn more about securing your supply chain and application security with the following resources:
- Manage compliance obligations (next document in this series)
- Operational excellence
- Binary Authorization
- Container Analysis
- Artifact Registry