Software supply chain security
Google Cloud provides a modular set of capabilities and tools across Google Cloud products that your developers, DevOps, and security teams can use to improve the security posture of your software supply chain.
Software supply chains
A software supply chain consists of all the code, people, systems, and processes that contribute to the development and delivery of your software, both inside and outside of your organization. It includes:
- Code you create, its dependencies, and the internal and external software you use to develop, build, package, install, and run your software.
- Processes and policies for system access, testing, review, monitoring and feedback, communication, and approval.
- Systems you trust to develop, build, store, and run your software and its dependencies.
Given the broad reach and complexity of software supply chains, there are numerous ways to introduce unauthorized changes to the software that you deliver to your users. These attack vectors span the software lifecycle. While some attacks are targeted, such as the attack on the SolarWinds build system, other threats are indirect or enter the supply chain through weaknesses in process or neglect.
For example, an assessment of the Apache Log4j vulnerability (CVE-2021-44228) in December 2021 by the Google Open Source Insights team found that there were over 17,000 affected packages in Maven Central. Most of these packages did not depend directly on the vulnerable log4j-core package, but had dependencies that required the package.
Development practices and processes also affect software supply chains. Process gaps such as a lack of code review or of security criteria for deployment to production can allow bad code to enter the supply chain unintentionally. Similarly, a lack of dependency management increases the risk of vulnerabilities from external sources or software packages that you use for development, builds, or deployment.
Safeguard software supply chains on Google Cloud
Google Cloud provides:
- Products and features that incorporate security best practices for development, building, testing, deployment, and policy enforcement.
- Dashboards in the Google Cloud console that provide security information about source, builds, artifacts, deployments, and runtimes. This information includes vulnerabilities in build artifacts, build provenance, and Software Bill of Materials (SBOM) dependency lists.
- Information identifying the maturity level of your software supply chain security using the Supply chain Levels for Software Artifacts (SLSA) framework.
The following diagram shows Google Cloud services that work together to protect the software supply chain. You can integrate some or all of these components into your software supply chain to improve your security posture.

Protect the development environment
Cloud Workstations provides fully managed development environments on Google Cloud. IT and security administrators can provision, scale, manage, and protect their development environments. Developers can access development environments with consistent configurations and customizable tooling.
Cloud Workstations shifts security left by enhancing the security posture of your application development environments. Security features include VPC Service Controls, private ingress or egress, forced image update, and Identity and Access Management access policies. Cloud Workstations provides additional data loss prevention capabilities when combined with Chrome Enterprise Premium.
Protect the software supply
Securing the software supply (build artifacts and application dependencies) is a critical step in improving your software supply chain security. The widespread use of open source software makes this problem particularly challenging.
Assured Open Source Software provides open source packages that Google has verified and tested. These packages are built using Google's secure pipelines and are regularly scanned, analyzed, and tested for vulnerabilities.
Artifact Registry is a universal package manager for all your build artifacts and dependencies. By centralizing all your artifacts and dependencies, you have more visibility into and control over the code in your software supply chain.
- Remote repositories store artifacts from preset external sources such as Docker Hub, Maven Central, the Python Package Index (PyPI), Debian, or CentOS, as well as user-defined sources for supported formats. Caching artifacts in remote repositories reduces download time, improves package availability, and includes vulnerability scanning if scanning is enabled.
- Virtual repositories consolidate repositories of the same format behind a single endpoint and let you control the search order across upstream repositories. You can prioritize your private packages, which reduces the risk of dependency confusion attacks, in which a public package published under the same name as an internal one is pulled in its place.
- You can also protect artifacts by configuring security features such as access control, VPC Service Controls service perimeters, organization policies, and other security features. For details, see the Artifact Registry documentation.
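The following Python is an added example, not Artifact Registry code or part of the original page. It models the two resolution behaviours the virtual repository bullet contrasts: a priority-ordered search across upstreams, where the highest-priority upstream that serves a package name wins, against a flat "highest version anywhere wins" search of the kind a client configured with several indexes performs. The package catalogue, the squatted `acme-auth` 99.0.0, and the `example-proj` project and `us` location are constructed; the policy entries are emitted in the shape of an Artifact Registry upstream policy file, where a higher priority value is consulted first.

```python
"""Upstream search order of a virtual repository versus 'highest version wins'.

Added example with a constructed package catalogue. It models the behaviour the
page attributes to virtual repositories (upstream priority decides where a
package name is fetched from); it is not Artifact Registry code.
"""
import json

# Constructed catalogue: upstream repository -> {package name: versions served}.
# "pypi-remote" stands for a remote repository caching a public index on which
# an attacker has published the internal name with an implausibly high version.
UPSTREAMS = {
    "private-py": {"acme-auth": ["1.4.0", "1.3.2"], "acme-billing": ["0.9.0"]},
    "pypi-remote": {"acme-auth": ["99.0.0"], "requests": ["2.32.3"]},
}


def version_key(version: str) -> tuple:
    """Numeric sort key for dotted versions (enough for this constructed data)."""
    return tuple(int(part) for part in version.split("."))


def upstream_policy(priorities: dict, project: str = "example-proj",
                    location: str = "us") -> list:
    """Policy entries in the shape of an Artifact Registry upstream policy file:
    one entry per upstream, higher priority value consulted first.
    Project and location are placeholders."""
    return [
        {"id": repo,
         "repository": f"projects/{project}/locations/{location}/repositories/{repo}",
         "priority": priority}
        for repo, priority in priorities.items()
    ]


def resolve_by_priority(package: str, policy: list, upstreams: dict = UPSTREAMS):
    """Virtual-repository model: the highest-priority upstream that serves the
    name wins, regardless of what versions lower-priority upstreams offer."""
    for entry in sorted(policy, key=lambda e: e["priority"], reverse=True):
        versions = upstreams.get(entry["id"], {}).get(package)
        if versions:
            return entry["id"], max(versions, key=version_key)
    return None


def resolve_highest_version(package: str, upstreams: dict = UPSTREAMS):
    """Flat multi-index model (several indexes, no precedence): the highest
    version found anywhere wins. This is the dependency-confusion hole."""
    candidates = [(version_key(v), v, repo)
                  for repo, pkgs in upstreams.items() for v in pkgs.get(package, [])]
    if not candidates:
        return None
    _, version, repo = max(candidates)
    return repo, version


if __name__ == "__main__":
    policy = upstream_policy({"private-py": 100, "pypi-remote": 1})
    print(json.dumps(policy, indent=2))  # what you would save as upstream-policy.json
    for name in ("acme-auth", "requests"):
        print(name, "priority:", resolve_by_priority(name, policy),
              "highest-version:", resolve_highest_version(name))
```

The check worth keeping from this: with the private repository at the higher priority, `acme-auth` resolves to the internal 1.4.0 and only names the private repository does not serve (`requests`) fall through to the public upstream; invert the priorities and the squatted 99.0.0 wins exactly as it does in the flat search. Review the priority values whenever a new upstream is added to a virtual repository.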
Artifact Analysis proactively detects vulnerabilities for artifacts in Artifact Registry.
- Integrated on-demand or automated scanning for base container images and language packages in containers.
- The ability to generate a software bill of materials (SBOM) and upload Vulnerability Exploitability eXchange (VEX) statements for the images in Artifact Registry.
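The following Python is an added example, not Artifact Analysis output or part of the original page. It shows what an SBOM and VEX statements are for in practice: the SBOM's dependency relationships make a transitive log4j-core visible under a starter that the application depends on directly (the Log4j situation described earlier on this page), and VEX statements record which reported CVEs do not apply to the shipped product so that only the remaining findings need action. The SPDX 2.3 document, the advisory table, the product purl `pkg:generic/my-service@1.0.0`, and the VEX decision are all constructed; the CVE identifiers are real advisories for the listed package versions, but the "not affected" judgement about commons-text is an illustrative claim, not a statement about any real product.

```python
"""Turn an SBOM into a dependency-aware vulnerability list, then apply VEX.

Added example with constructed SBOM, advisory and VEX data in SPDX 2.3 and
OpenVEX-style JSON; not output of Artifact Analysis. The CVE ids are real
advisories for the listed versions; the VEX decision itself is constructed.
"""
import json
from collections import deque

SBOM_JSON = r'''
{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "my-service",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "my-service", "versionInfo": "1.0.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/my-service@1.0.0"}]},
    {"SPDXID": "SPDXRef-starter", "name": "spring-boot-starter-log4j2", "versionInfo": "2.5.6",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.springframework.boot/spring-boot-starter-log4j2@2.5.6"}]},
    {"SPDXID": "SPDXRef-log4j", "name": "log4j-core", "versionInfo": "2.14.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"SPDXID": "SPDXRef-text", "name": "commons-text", "versionInfo": "1.9",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.commons/commons-text@1.9"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-starter"},
    {"spdxElementId": "SPDXRef-starter", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log4j"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-text"}
  ]
}
'''

# Constructed advisory table (purl -> CVEs); the ids are the real Log4Shell and
# Text4Shell advisories, which do affect these versions.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": [
        ("CVE-2021-44228", "CRITICAL"), ("CVE-2021-45046", "CRITICAL")],
    "pkg:maven/org.apache.commons/commons-text@1.9": [("CVE-2022-42889", "CRITICAL")],
}

# Constructed OpenVEX-style document: the team asserts the Text4Shell code path
# (string interpolation) is never executed by this product.
VEX_JSON = r'''
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/my-service-1",
  "author": "my-service security team", "timestamp": "2022-10-20T00:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2022-42889"},
     "products": [{"@id": "pkg:generic/my-service@1.0.0"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}
  ]
}
'''


def packages(sbom: dict) -> dict:
    """SPDXID -> (name, purl) for every package in the document."""
    out = {}
    for p in sbom["packages"]:
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out[p["SPDXID"]] = (p["name"], purl)
    return out


def dependency_paths(sbom: dict) -> dict:
    """Shortest DEPENDS_ON path (list of names) from the described root to each package."""
    pkgs, edges, root = packages(sbom), {}, None
    for r in sbom["relationships"]:
        if r["relationshipType"] == "DESCRIBES":
            root = r["relatedSpdxElement"]
        elif r["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    paths, queue = {root: [pkgs[root][0]]}, deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [pkgs[child][0]]
                queue.append(child)
    return paths


def findings(sbom: dict, advisories: dict) -> list:
    """Every advisory that matches a package purl, annotated with how it is reached."""
    pkgs, paths = packages(sbom), dependency_paths(sbom)
    return [{"cve": cve, "severity": sev, "purl": purl, "path": paths.get(spdxid)}
            for spdxid, (_, purl) in pkgs.items() for cve, sev in advisories.get(purl, [])]


def apply_vex(found: list, vex: dict, product_purl: str):
    """Split findings into (actionable, suppressed) using statements about this product."""
    statements = {s["vulnerability"]["name"]: s for s in vex["statements"]
                  if s["status"] in ("not_affected", "fixed")
                  and any(p["@id"] == product_purl for p in s["products"])}
    actionable, suppressed = [], []
    for f in found:
        st = statements.get(f["cve"])
        if st is None:
            actionable.append(f)
        else:
            suppressed.append(dict(f, vex_status=st["status"],
                                   vex_justification=st.get("justification")))
    return actionable, suppressed


def triage():
    sbom, vex = json.loads(SBOM_JSON), json.loads(VEX_JSON)
    return apply_vex(findings(sbom, ADVISORIES), vex, "pkg:generic/my-service@1.0.0")
```

Two details matter here. The dependency path is what tells you the Log4j fix is not "upgrade log4j-core" but "upgrade or override the starter that pins it", which is why an SBOM with relationships is more useful than a flat package list. And VEX only suppresses statements made about the product purl you are actually shipping; a statement written for some other product must not silence a finding in yours, so the join is on both the CVE and the product identifier.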
Protect the CI/CD pipeline
Bad actors can attack software supply chains by compromising the CI/CD pipelines. The following products help you to secure your CI/CD pipeline:
Cloud Build runs your builds on Google Cloud infrastructure. Security features include granular IAM permissions, VPC Service Controls, and isolated and ephemeral build environments. Features specific to software supply chain security include:
- Support for SLSA Level 3 builds for container images.
- Ability to generate authenticated and non-falsifiable build provenance for containerized applications.
- Security insights for built applications. These include:
  - The SLSA build level, which identifies the maturity level of your software build process in accordance with the SLSA specification.
  - Vulnerabilities in build artifacts.
  - Build provenance, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.
For instructions on viewing security insights for built applications, see Build an application and view security insights.
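The following Python is an added example, not Cloud Build code or part of the original page. It shows what consuming build provenance involves before an image is trusted: provenance is delivered as a DSSE envelope around an in-toto Statement, so the verifier first reconstructs the DSSE pre-authentication encoding that the signature actually covers, and only then applies policy to the decoded statement: the subject digest must equal the digest of the image being deployed, the builder id and buildType must be the expected Cloud Build values, and the resolved source must come from a trusted repository. The statement, digests, the `example-proj` project and repository names, and the trusted-source prefix are constructed. The HMAC with a shared key is a stand-in so the block runs offline; real provenance is signed with asymmetric keys and must be verified against the builder's public key (slsa-verifier does this for Cloud Build provenance), and that is the one step this model replaces.

```python
"""Check a DSSE-wrapped SLSA provenance statement before trusting an image.

Added example with constructed data. Envelope and statement follow the DSSE,
in-toto Statement v1 and SLSA provenance v1 layouts; builder id and buildType
are the values this example expects for Cloud Build. The HMAC is a stand-in for
the builder's asymmetric signature so the block runs offline.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
EXPECTED_BUILDER = "https://cloudbuild.googleapis.com/GoogleHostedWorker"
EXPECTED_BUILD_TYPE = "https://cloudbuild.googleapis.com/CloudBuildYaml@v1"
TRUSTED_SOURCE = "git+https://source.developers.google.com/p/example-proj/"  # placeholder
DEMO_KEY = b"constructed-demo-key"  # stand-in; never a shared secret in reality


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes a signature actually covers.
    Verifying over the raw payload instead is a classic signer/verifier mismatch."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def demo_verify(keyid: str, signed: bytes, sig: bytes) -> bool:
    """Stand-in verifier; a real one checks an asymmetric signature for keyid."""
    return hmac.compare_digest(hmac.new(DEMO_KEY, signed, hashlib.sha256).digest(), sig)


def verify_envelope(envelope: dict, verify_sig) -> dict:
    """Decode the Statement only if some signature verifies over the PAE."""
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        if verify_sig(s.get("keyid", ""), signed, base64.b64decode(s["sig"])):
            return json.loads(payload)
    raise ValueError("no signature verifies over the PAE")


def check_provenance(statement: dict, image_digest: str) -> list:
    """Policy checks over a verified statement; returns a list of violations."""
    problems = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("unexpected predicate type")
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest not in digests:
        problems.append("subject digest does not match deployed image")
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder != EXPECTED_BUILDER:
        problems.append(f"untrusted builder: {builder}")
    build_def = predicate.get("buildDefinition", {})
    if build_def.get("buildType") != EXPECTED_BUILD_TYPE:
        problems.append("unexpected buildType")
    sources = [d.get("uri", "") for d in build_def.get("resolvedDependencies", [])]
    if not any(u.startswith(TRUSTED_SOURCE) for u in sources):
        problems.append("source not from a trusted repository")
    return problems


def admit(envelope: dict, image_digest: str):
    """Admission decision: (allowed, reasons)."""
    try:
        statement = verify_envelope(envelope, demo_verify)
    except ValueError as err:
        return False, [str(err)]
    problems = check_provenance(statement, image_digest)
    return not problems, problems


# Constructed image digest and statement (not a real build).
IMAGE_DIGEST = hashlib.sha256(b"constructed image").hexdigest()
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "us-docker.pkg.dev/example-proj/apps/api",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": EXPECTED_BUILD_TYPE,
            "resolvedDependencies": [{"uri": TRUSTED_SOURCE + "r/api",
                                      "digest": {"gitCommit": "0" * 40}}]},
        "runDetails": {"builder": {"id": EXPECTED_BUILDER}}},
}


def make_envelope(statement: dict) -> dict:
    """Wrap a statement the way a builder would (here with the stand-in key)."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(DEMO_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}


def tampered(envelope: dict, new_digest: str) -> dict:
    """Attacker rewrites the subject digest in the payload without re-signing."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["subject"][0]["digest"]["sha256"] = new_digest
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return dict(envelope, payload=base64.b64encode(payload).decode())
```

The order of operations is the point: a statement that does not verify is never parsed for policy, and a statement that verifies but names a different digest than the image in front of you is rejected even though every other field is in order. Retagging an image changes nothing here because the check is on the digest.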
Cloud Deploy automates delivery of your applications to a series of target environments in a defined sequence. It supports continuous delivery directly to Google Kubernetes Engine, GKE Enterprise, and Cloud Run, with one-click approvals and rollbacks, enterprise security and audit, as well as built-in delivery metrics. Additionally, it displays security insights for deployed applications.
Protect applications in production
Google Kubernetes Engine (GKE) and Cloud Run help harden the security posture of your runtime environments. Both come with security features to protect your applications at runtime.
GKE can assess your container security posture and give active guidance around cluster settings, workload configuration, and vulnerabilities. GKE includes a security posture dashboard that provides opinionated, actionable recommendations to improve your security posture. For instructions on viewing security insights in the GKE security posture dashboard, see Deploy on GKE and view security insights.
Cloud Run includes a security panel that displays software supply chain security insights such as the SLSA build level, build provenance, and vulnerabilities found in running services. For instructions on viewing security insights in the Cloud Run security insights panel, see Deploy on Cloud Run and view security insights.
Build a chain of trust through policy
Binary Authorization helps establish, maintain, and verify a chain of trust along your software supply chain by collecting attestations, which are digital documents that certify images.
An attestation signifies that the associated image was built by successfully executing a specific, required process. Attestations are signed by an attestor and bound to the image digest, so retagging an image does not carry an attestation with it. Based on the attestations collected, Binary Authorization helps define, verify, and enforce trust-based policies. It makes sure the image is deployed only when the attestations meet your organization's policy. You can configure Binary Authorization to notify you if it finds any policy violations.
For example, attestations can indicate that an image is:
- Built by Cloud Build.
- Free of vulnerabilities above a specified severity. If specific vulnerabilities don't apply to your applications, you can add them to an allowlist.
You can use Binary Authorization with GKE and Cloud Run.
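The following Python is an added example, not Binary Authorization code or part of the original page. It models the flow the preceding paragraphs describe: a vulnerability-policy signer issues an attestation for an image digest only when the scan has no findings above a severity threshold that are not on an allowlist, and the admission check then requires that attestation, exempts images matching an allowlist pattern, and in dry-run mode logs instead of blocking. Policy field names follow Binary Authorization's (`requireAttestationsBy`, `admissionWhitelistPatterns`, `enforcementMode`), but the attestor name, project, image digests, scan findings and the triage decision to allowlist the commons-text CVE are constructed, and the model records attestations without the signature a real attestor produces.

```python
"""Attestation-gated deployment, modelled on the Binary Authorization flow.

Added example with constructed data. A vulnerability-policy signer attests an
image digest only when its scan passes; admission then requires that
attestation. Field names mirror Binary Authorization's policy, but this is a
model of the flow, not Binary Authorization's code.
"""
from fnmatch import fnmatch

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(findings: list, max_allowed: str, allowlist=()) -> list:
    """Findings above the severity threshold that are not explicitly allowlisted."""
    limit = SEVERITY_RANK[max_allowed]
    return [f for f in findings
            if SEVERITY_RANK[f["severity"]] > limit and f["cve"] not in allowlist]


def vulnerability_signer(image_digest: str, findings: list, attestor: str,
                         max_allowed: str = "HIGH", allowlist=()):
    """Issue an attestation only if the scan passes the policy. A real attestation
    is a payload naming the digest, signed with the attestor's key; this model
    records the decision without a signature."""
    if blocking_findings(findings, max_allowed, allowlist):
        return None
    return {"attestor": attestor, "image_digest": image_digest}


def evaluate(image_ref: str, attestations: list, policy: dict):
    """Admission decision for one image reference: (allowed, reason).
    fnmatch is a simplification: in the real policy language '*' matches one
    path component and '**' matches across components."""
    if any(fnmatch(image_ref, p) for p in policy["admissionWhitelistPatterns"]):
        return True, "exempt by admissionWhitelistPatterns"
    _, _, digest = image_ref.partition("@")
    if not digest.startswith("sha256:"):
        verdict = (False, "image referenced by tag; attestations bind to digests")
    else:
        missing = [a for a in policy["requireAttestationsBy"]
                   if not any(x["attestor"] == a and x["image_digest"] == digest
                              for x in attestations)]
        verdict = (not missing, "all required attestations present" if not missing
                   else f"missing attestation from {missing}")
    if policy["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY" and not verdict[0]:
        return True, "dry run: would deny, " + verdict[1]  # logged, not blocked
    return verdict


def scenario() -> dict:
    """Constructed end-to-end run: two images, one policy, several deploy attempts."""
    attestor = "projects/example-proj/attestors/vuln-policy"  # placeholder name
    policy = {
        "admissionWhitelistPatterns": ["us-docker.pkg.dev/example-proj/infra/*"],
        "requireAttestationsBy": [attestor],
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    }
    repo = "us-docker.pkg.dev/example-proj/apps/api"
    log4j_digest, text_digest = "sha256:" + "a1" * 32, "sha256:" + "b2" * 32
    # Unfixed Log4Shell finding: the signer refuses, so no attestation exists.
    a = vulnerability_signer(log4j_digest,
                             [{"cve": "CVE-2021-44228", "severity": "CRITICAL"}], attestor)
    # Text4Shell finding triaged as unreachable (constructed decision) and allowlisted.
    b = vulnerability_signer(text_digest,
                             [{"cve": "CVE-2022-42889", "severity": "CRITICAL"}], attestor,
                             allowlist={"CVE-2022-42889"})
    attestations = [x for x in (a, b) if x]
    dry_run = dict(policy, enforcementMode="DRYRUN_AUDIT_LOG_ONLY")
    return {
        "log4j_by_digest": evaluate(f"{repo}@{log4j_digest}", attestations, policy),
        "text_by_digest": evaluate(f"{repo}@{text_digest}", attestations, policy),
        "text_by_tag": evaluate(f"{repo}:v1.2", attestations, policy),
        "exempt_infra": evaluate("us-docker.pkg.dev/example-proj/infra/pause:3.9",
                                 attestations, policy),
        "log4j_dry_run": evaluate(f"{repo}@{log4j_digest}", attestations, dry_run),
    }
```

Two behaviours in the scenario are the ones to carry over to a real policy. An attested image referenced by tag is still denied, because the attestation names a digest and a tag can be moved to point at anything; deployments should pin digests. And dry-run mode admits the unattested image while recording why it would have been denied, which is how to roll a new attestor requirement out without breaking deployments, as long as the audit log is actually reviewed before switching to enforcement.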
Pricing
Each Google Cloud service has its own pricing. For details, refer to the pricing documentation for the services you are interested in.
- Cloud Workstations
- Cloud Code: Available to all Google Cloud customers at no charge.
- Assured OSS: Contact the sales team for pricing information.
- Artifact Registry
- Artifact Analysis
- Cloud Build
- Cloud Deploy
- Cloud Run
- GKE
- Binary Authorization
What's next
- Learn about threats to software supply chains.
- Assess your existing security posture so that you can identify ways to strengthen it.
- Learn about practices to protect your software supply chain and how Google Cloud products support these practices.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.