How Google Cloud is protecting the software supply chain in its increasing complexity

The software supply chain is not linear or simplistic: It is made up of many different components introduced at different times and in different phases. 

And, today’s software supply chains only continue to grow in complexity — a mix of proprietary, open-source and third-party code, configurations, binaries, libraries, plugins and other dependencies.

“Organizations and their software delivery pipelines are continually exposed to growing cyberattack vectors,” said Michael McGrath, VP of engineering, application ecosystem at Google Cloud.

Coupled with the “massive adoption” of open-source software, which now powers nearly all public infrastructure and is highly prevalent throughout proprietary software, “businesses around the world are more vulnerable than ever,” said McGrath. 

Thus, it is imperative for development and IT teams to secure supply chains across code, people, systems and processes — all of which contribute to software development and delivery, he said. To help organizations in the ongoing fight against cybercriminals, Google Cloud is today unveiling Software Delivery Shield (SDS). The tech giant will introduce the new end-to-end software supply chain security platform at Google Cloud Next ‘22. 

[Follow VentureBeat’s ongoing Google Cloud Next 2022 coverage »]

Ultimately, “today’s organizations need to be more vigilant in protecting their software development infrastructure and processes,” said McGrath. 

An increasingly complicated challenge to protect the software supply chain

A software supply chain attack occurs when a cyberthreat actor infiltrates a vendor’s network and employs malicious code to compromise software before the vendor sends it to customers, according to the National Institute of Standards and Technology (NIST). This compromised software, in turn, makes the customer’s data vulnerable.

In a recent study by Anchore, 62% of organizations surveyed were impacted by software supply chain attacks. Similarly, a study by Argon Security found that software supply chain attacks grew by more than 300% in 2021 compared to 2020. 

Attacks on open-source supply chains are of particular concern, with one report finding that open-source breaches increased by 650% in 2021. Furthermore, an annual survey by the Synopsys Cybersecurity Research Center revealed that 97% of codebases contained open-source components. It also found that 81% of those codebases had at least one known open-source vulnerability and 53% contained license conflicts. 

Undoubtedly one of the most notorious open-source attacks was SolarWinds, which began in 2020 and compromised enterprises and government entities alike — prompting a software bill of materials (SBOM) directive by President Biden. There was also the widespread, crippling Log4Shell vulnerability in the Log4j open-source library, which continues to be pervasive. 

“Software supply chain security is a complicated challenge,” said McGrath. 

He pointed out that attacks can take “many shapes and forms” all along the software supply chain, with common attack vectors being source threats, build threats and dependency threats. 

Five critical areas

To help combat this, the new SDS tool offers a modular set of capabilities to help developers, devops and security teams build secure cloud applications. The tool spans across Google Cloud services, from developer tooling to runtimes like Google Kubernetes Engine (GKE), Cloud Code, Cloud Build, Cloud Deploy, Artifact Registry and Binary Authorization (among others). 

As McGrath explained, SDS allows for an incremental adoption path so that organizations can tailor it and select the tools best suited to their existing environment and security priorities.

Shifting security left

Critical to SDS is Cloud Workstations, a new service that provides fully managed development environments on Google Cloud. It features built-in security measures such as VPC Service Controls (which define security perimeters around Google Cloud resources), no local storage of source code, private ingress/egress, forced image updates and identity access management (IAM) access policies. 

This all helps address common local development security pain points like code exfiltration, privacy risks and inconsistent configurations, McGrath explained. 

With Cloud Workstations, developers can ultimately access “secure, fast, and customizable development environments via a browser anytime and anywhere, with consistent configurations and customizable tooling,” said McGrath. 

At the same time, IT and security administrators can provision, scale, manage and secure development environments on Google Cloud’s infrastructure. 

This “plays a key role in shifting security to the left by enhancing the security posture of the application development environment,” said McGrath. 

SDS further allows devops teams to store, manage and secure build artifacts in Artifact Registry and detect vulnerabilities with integrated scanning provided by Container Analysis. This scans base images and now performs on-push vulnerability scanning of Maven and Go containers and for non-containerized Maven packages.

Open-source accountability

Another critical step in improving software supply chain security: Securing build artifacts and application dependencies. 

“The pervasive use of open-source software makes this problem particularly challenging,” said McGrath. 

To help address this, earlier this year Google introduced its Assured Open Source Software (AOSS) service, its first “curated” open-source service that aims to add a layer of accountability to today’s free or “as-is” open source. This is a key part of SDS, providing access to more than 250 curated and vetted open-source software packages across Java and Python, McGrath explained. 

These packages are built into Google Cloud’s secured pipelines and are “regularly scanned, analyzed and fuzz-tested for vulnerabilities,” he said. 

AOSS also automatically generates SBOMs, which inventory all components and dependencies involved in app development and delivery and identify potential risks.

Enforcing software supply chain validation

Another way that bad actors can attack software supply chains is by compromising CI/CD pipelines. 

To address this, SDS is integrated with Cloud Build, Google Cloud’s fully managed CI platform, and Cloud Deploy, its fully managed CD platform. These platforms come with built-in security features including granular IAM controls, isolated and ephemeral environments, approval gates and VPC service controls. These tools allow devops teams to better govern the build and deployment process, explained McGrath. 

Strengthening the security posture of the runtime environment is another crucial element in protecting the software supply chain. GKE protects applications while they are running; the tool features new built-in security management capabilities to help identify security concerns in GKE clusters and workloads, said McGrath.

These include detailed assessments, assignment of severity ratings and advice on the security posture of clusters and workloads, he explained. The GKE dashboard now points out which workloads are affected by a security concern and provides actionable guidance to address them. These concerns are logged and security event information can be routed to ticketing systems or a security information and event management (SIEM) system.

Meanwhile, Binary Authorization requires images to be signed by trusted authorities during the development process, and signature validation can be enforced during deployment. 

By enforcing validation, teams can gain tighter control over the container environment by ensuring that only verified images are integrated into the build-and-release process, explained McGrath. 

Google Cloud’s new offering is in response to widespread cries across industry, he said. “Development and IT teams are all asking for a better way to secure the software supply chain across the code, people, systems, and processes that contribute to development and delivery of the software,” he said.