This principle in the security pillar of the Google Cloud Architecture Framework helps you identify practical controls that you can implement early in the software development lifecycle to improve your security posture. It provides recommendations that help you implement preventive security guardrails and post-deployment security controls.
Principle overview
Shift-left security means adopting security practices early in the software development lifecycle. This principle has the following goals:
- Avoid security defects before system changes are made. Implement preventive security guardrails and adopt practices such as infrastructure as code (IaC), policy as code, and security checks in the CI/CD pipeline. You can also use other platform-specific capabilities like Organization Policy Service and hardened GKE clusters in Google Cloud.
- Detect and fix security bugs early, fast, and reliably after any system changes are committed. Adopt practices like code reviews, post-deployment vulnerability scanning, and security testing.
The Implement security by design and shift-left security principles are related but they differ in scope. The security-by-design principle helps you to avoid fundamental design flaws that would require re-architecting the entire system. For example, a threat-modeling exercise reveals that the current design doesn't include an authorization policy, and all users would have the same level of access without it. Shift-left security helps you to avoid implementation defects (bugs and misconfigurations) before changes are applied, and it enables fast, reliable fixes after deployment.
Recommendations
To implement the shift-left security principle for your cloud workloads, consider the recommendations in the following sections:
- Adopt preventive security controls
- Automate provisioning and management of cloud resources
- Automate secure application releases
- Ensure that application deployments follow approved processes
- Scan for known vulnerabilities before application deployment
- Monitor your application code for known vulnerabilities
Adopt preventive security controls
This recommendation is relevant to the following focus areas:
- Identity and access management
- Cloud governance, risk, and compliance
Preventive security controls are crucial for maintaining a strong security posture in the cloud. These controls help you proactively mitigate risks. You can prevent misconfigurations and unauthorized access to resources, enable developers to work efficiently, and help ensure compliance with industry standards and internal policies.
Preventive security controls are more effective when they're implemented by using infrastructure as code (IaC). With IaC, preventive security controls can include more customized checks on the infrastructure code before changes are deployed. When combined with automation, preventive security controls can run as part of your CI/CD pipeline's automatic checks.
The following products and Google Cloud capabilities can help you implement preventive controls in your environment:
- Organization Policy Service constraints: configure predefined and custom constraints with centralized control.
- VPC Service Controls: create perimeters around your Google Cloud services.
- Identity and Access Management (IAM), Privileged Access Manager, and principal access boundary policies: restrict access to resources.
- Policy Controller and Open Policy Agent (OPA): enforce IaC constraints in your CI/CD pipeline and avoid cloud misconfigurations.
IAM lets you authorize who can act on specific resources based on permissions. For more information, see Access control for organization resources with IAM.
Organization Policy Service lets you set restrictions on resources to specify how they can be configured. For example, you can use an organization policy to do the following:
- Limit resource sharing based on domain.
- Limit the use of service accounts.
- Restrict the physical location of newly created resources.
In addition to using organizational policies, you can restrict access to resources by using the following methods:
- Tags with IAM: assign a tag to a set of resources and then set the access definition for the tag itself, rather than defining the access permissions on each resource.
- IAM Conditions: define conditional, attribute-based access control for resources.
- Defense in depth: use VPC Service Controls to further restrict access to resources.
For more information about resource management, see Decide a resource hierarchy for your Google Cloud landing zone.
Automate provisioning and management of cloud resources
This recommendation is relevant to the following focus areas:
- Application security
- Cloud governance, risk, and compliance
Automating the provisioning and management of cloud resources and workloads is more effective when you also adopt declarative IaC, as opposed to imperative scripting. IaC isn't a security tool or practice on its own, but it helps you to improve the security of your platform. Adopting IaC lets you create repeatable infrastructure and provides your operations team with a known good state. IaC also improves the efficiency of rollbacks, audit changes, and troubleshooting.
When combined with CI/CD pipelines and automation, IaC also gives you the ability to adopt practices such as policy as code with tools like OPA. You can audit infrastructure changes over time and run automatic checks on the infrastructure code before changes are deployed.
To automate the infrastructure deployment, you can use tools like Config Controller, Terraform, Jenkins, and Cloud Build. To help you build a secure application environment using IaC and automation, Google Cloud provides the enterprise foundations blueprint. This blueprint is Google's opinionated design that follows all of our recommended practices and configurations. The blueprint provides step-by-step instructions to configure and deploy your Google Cloud topology by using Terraform and Cloud Build.
You can modify the scripts of the enterprise foundations blueprint to configure an environment that follows Google recommendations and meets your own security requirements. You can further build on the blueprint with additional blueprints or design your own automation. The Google Cloud Architecture Center provides other blueprints that can be implemented on top of the enterprise foundations blueprint. The following are a few examples of these blueprints:
- Deploy an enterprise developer platform on Google Cloud
- Deploy a secured serverless architecture using Cloud Run
- Build and deploy generative AI and machine learning models in an enterprise
- Import data from Google Cloud into a secured BigQuery data warehouse
- Deploy network monitoring and telemetry capabilities in Google Cloud
Automate secure application releases
This recommendation is relevant to the following focus area: Application security.
Without automated tools, it can be difficult to deploy, update, and patch complex application environments to meet consistent security requirements. We recommend that you build automated CI/CD pipelines for your software development lifecycle (SDLC). Automated CI/CD pipelines help you to remove manual errors, provide standardized development feedback loops, and enable efficient product iterations. Continuous delivery is one of the best practices that the DORA framework recommends.
Automating application releases by using CI/CD pipelines helps to improve your ability to detect and fix security bugs early, fast, and reliably. For example, you can scan for security vulnerabilities automatically when artifacts are created, narrow the scope of security reviews, and roll back to a known and safe version. You can also define policies for different environments (such as development, test, or production environments) so that only verified artifacts are deployed.
To help you automate application releases and embed security checks in your CI/CD pipeline, Google Cloud provides multiple tools including Cloud Build, Cloud Deploy, Web Security Scanner, and Binary Authorization.
To establish a process that verifies multiple security requirements in your SDLC, use the Supply-chain Levels for Software Artifacts (SLSA) framework, which has been defined by Google. SLSA requires security checks for source code, build process, and code provenance. Many of these requirements can be included in an automated CI/CD pipeline. To understand how Google applies these practices internally, see Google Cloud's approach to change.
Ensure that application deployments follow approved processes
This recommendation is relevant to the following focus area: Application security.
If an attacker compromises your CI/CD pipeline, your entire application stack can be affected. To help secure the pipeline, you should enforce an established approval process before you deploy the code into production.
If you use Google Kubernetes Engine (GKE), GKE Enterprise, or Cloud Run, you can establish an approval process by using Binary Authorization. Binary Authorization attaches configurable signatures to container images. These signatures (also called attestations) help to validate the image. At deployment time, Binary Authorization uses these attestations to determine whether a process was completed. For example, you can use Binary Authorization to do the following:
- Verify that a specific build system or CI pipeline created a container image.
- Validate that a container image is compliant with a vulnerability signing policy.
- Verify that a container image passes the criteria for promotion to the next deployment environment, such as from development to QA.
By using Binary Authorization, you can enforce that only trusted code runs on your target platforms.
Scan for known vulnerabilities before application deployment
This recommendation is relevant to the following focus area: Application security.
We recommend that you use automated tools that can continuously perform vulnerability scans on application artifacts before they're deployed to production.
For containerized applications, use Artifact Analysis to automatically run vulnerability scans for container images. Artifact Analysis scans new images when they're uploaded to Artifact Registry. The scan extracts information about the system packages in the container. After the initial scan, Artifact Analysis continuously monitors the metadata of scanned images in Artifact Registry for new vulnerabilities. When Artifact Analysis receives new and updated vulnerability information from vulnerability sources, it does the following:
- Updates the metadata of the scanned images to keep them up to date.
- Creates new vulnerability occurrences for new notes.
- Deletes vulnerability occurrences that are no longer valid.
Monitor your application code for known vulnerabilities
This recommendation is relevant to the following focus area: Application security.
Use automated tools to constantly monitor your application code for known vulnerabilities such as the OWASP Top 10. For more information about Google Cloud products and features that support OWASP Top 10 mitigation techniques, see OWASP Top 10 mitigation options on Google Cloud.
Use Web Security Scanner to help identify security vulnerabilities in your App Engine, Compute Engine, and GKE web applications. The scanner crawls your application, follows all of the links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible. It can automatically scan for and detect common vulnerabilities, including cross-site scripting, code injection, mixed content, and outdated or insecure libraries. Web Security Scanner provides early identification of these types of vulnerabilities without distracting you with false positives.
In addition, if you use GKE Enterprise to manage fleets of Kubernetes clusters, the security posture dashboard shows opinionated, actionable recommendations to help improve your fleet's security posture.