Software supply chain security

Google Cloud provides a comprehensive and modular set of capabilities and tools across Google Cloud products that your developers, DevOps, and security teams can use to improve the security posture of your software supply chain.

Software supply chains

A software supply chain consists of all the code, people, systems, and processes that contribute to development and delivery of your software, both inside and outside of your organization. It includes:

• Code you create, its dependencies, and the internal and external software you use to develop, build, package, install, and run your software.
• Processes and policies for system access, testing, review, monitoring and feedback, communication, and approval.
• Systems you trust to develop, build, store, and run your software and its dependencies.

Given the broad reach and complexity of software supply chains, there are numerous ways to introduce unauthorized changes to the software that you deliver to your users. These attack vectors span the software lifecycle. While some attacks are targeted, such as the attack on the SolarWinds build system, other threats are indirect or enter the supply chain through weaknesses in process or neglect.

For example, an assessment of the Apache Log4j vulnerability in December 2021 by the Google Open Source Insights team found that there were over 17,000 affected packages in Maven Central. Most of these packages did not depend directly on the vulnerable log4j-core package, but had dependencies that required the package.

Development practices and processes also impact software supply chains. Process gaps such as lack of code review or security criteria for deployment to production can allow bad code to unintentionally enter the supply chain. Similarly, lack of dependency management increases the risk of vulnerabilities from external source or software packages that you use for development, builds, or deployment.

Safeguard software supply chains on Google Cloud

Google Cloud provides:

• Products and features that incorporate security best practices for development, building, testing, deployment, and policy enforcement.
• Dashboards in the Google Cloud console that provide security information about source, builds, artifacts, deployments, and runtimes. This information includes vulnerabilities in build artifacts, build provenance, and Software Bill of Materials (SBOM) dependency lists.
• Information identifying the maturity level of your software supply chain security using the Supply chain Levels for Software Artifacts (SLSA) framework.

The following diagram shows Google Cloud services that work together to protect the software supply chain. You can integrate some or all of these components into your software supply chain to improve your security posture.

Protect the development environment

Cloud Workstations provides fully-managed development environments on Google Cloud. IT and security administrators can provision, scale, manage, and protect their development environments. Developers can access development environments with consistent configurations and customizable tooling.

Cloud Workstations shifts security left by enhancing the security posture of your application development environments. Security features include VPC Service Controls, private ingress or egress, forced image update, and Identity and Access Management access policies. Cloud Workstations provides additional data loss prevention capabilities when combined with Chrome Enterprise Premium.

Protect the software supply

Securing the software supply — build artifacts and application dependencies — is a critical step in improving your software supply chain security. The widespread use of open source software makes this problem particularly challenging.

• Assured Open Source Software provides open source packages that Google has verified and tested. These packages are built using Google's secure pipelines and are regularly scanned, analyzed, and tested for vulnerabilities.

• Artifact Registry is a universal package manager for all your build artifacts and dependencies. By centralizing all your artifacts and dependencies, you have more visibility into and control over the code in your software supply chain.

  • Remote repositories store artifacts from preset external sources such as Docker Hub, Maven Central, the Python Package Index (PyPI), Debian or CentOS as well as user-defined sources for supported formats. Caching artifacts in remote repositories reduces download time, improves package availability, and includes vulnerability scanning if scanning is enabled.
  • Virtual repositories consolidate repositories of the same format behind a single endpoint and let you control the search order across upstream repositories. You can prioritize your private packages, which reduces the risk of dependency confusion attacks
  • You can also protect artifacts by configuring security features such as access control, VPC Service Controls service perimeters, organizational policies, and other security features. For details, see the Artifact Registry documentation.

• Artifact Analysis proactively detects vulnerabilities for artifacts in Artifact Registry.

  • Integrated on-demand or automated scanning for base container images and language packages in containers.
  • The ability to generate a software bill of materials (SBOM) and upload Vulnerability Exploitability eXchange (VEX) statements for the images in Artifact Registry.

Protect the CI/CD pipeline

Bad actors can attack software supply chains by compromising the CI/CD pipelines. The following products help you to secure your CI/CD pipeline:

• Cloud Build runs your builds on Google Cloud infrastructure. Security features include granular IAM permissions, VPC Service Controls, and isolated and ephemeral build environments. Features specific to software supply chain security include:

  • Support for SLSA Level 3 builds for container images.
  • Ability to generate authenticated and non-falsifiable build provenance for containerized applications.

  • Security insights for built applications. This includes:

    • The SLSA build level, which identifies the maturity level of your software build process in accordance with the SLSA specification.
    • Vulnerabilities in build artifacts.
    • Build provenance, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.

  For instructions on viewing security insights for built applications, see Build an application and view security insights.

• Cloud Deploy automates delivery of your applications to a series of target environments in a defined sequence. It supports continuous delivery directly to Google Kubernetes Engine, GKE Enterprise, and Cloud Run, with one-click approvals and rollbacks, enterprise security and audit, as well as built-in delivery metrics. Additionally, it displays security insights for deployed applications.

Protect applications in production

Google Kubernetes Engine (GKE) and Cloud Run help secure the security posture of your runtime environments. They both come with security features to protect your applications at runtime.

• GKE can assess your container security posture and give active guidance around cluster settings, workload configuration, and vulnerabilities. GKE includes a security posture dashboard that provides opinionated, actionable recommendations to improve your security posture. For instructions on viewing security insights in the GKE security posture dashboard, see Deploy on GKE and view security insights.

• Cloud Run includes a security panel that displays software supply chain security insights such as the SLSA build level compliance info, build provenance, and vulnerabilities found in running services. For instructions on viewing security insights in the Cloud Run security insights panel, see Deploy on Cloud Run and view security insights.

Build a chain of trust through policy

Binary Authorization helps establish, maintain, and verify a chain of trust along your software supply chain by collecting attestations, which are digital documents that certify images.

An attestation signifies that the associated image was built by successfully executing a specific, required process. Based on these attestations collected, Binary Authorization helps define, verify, and enforce trust-based policies. It makes sure the image is deployed only when the attestations meet your organization's policy. You can configure Binary Authorization to notify you if it finds any policy violations.

For example, attestations can indicate that an image is:

• Built by Cloud Build.
• Does not contain vulnerabilities higher than a specified severity. If there are specific vulnerabilities that don't apply to your applications, you can add them to an allowlist.

You can use Binary Authorization with GKE and Cloud Run.

Pricing

Each Google Cloud service has its own pricing. For details, refer to the pricing documentation for the services you are interested in.

• Cloud Workstations
• Cloud Code: Available to all Google Cloud customers at no charge.
• Assured OSS: Contact the sales team for pricing information.
• Artifact Registry
• Artifact Analysis
• Cloud Build
• Cloud Deploy
• Cloud Run
• GKE
• Binary Authorization

What's next

• Learn about threats to software supply chains.
• Assess your existing security posture so that you can identify ways to strengthen it.
• Learn about practices to protect your software supply chain and how Google Cloud products supports these practices.