Supply chain security
Contemporary software development frameworks and methodologies prioritise shared ownership among software stakeholders in addition to product delivery speed and dependability.
Secure Software Supply Chain
Many other DevOps approaches help produce software that is more safe, in addition to the concept of shifting left on security. Practices that can enhance software security include increased stakeholder participation, work visibility, reproducible builds, automated testing, and gradual modifications. Actually, the Accelerate State of DevOps Report 2022 discovered that the usage of CI/CD aids in the implementation of security procedures, and that cultures with higher levels of trust are more likely to embrace techniques to fortify the software supply chain.
Modern development frameworks, however, do not provide organisations with the direction they need to comprehend software hazards, evaluate their capacity to identify and address threats, and put mitigations in place. Additionally, they frequently overlook outside variables that may have an impact on the integrity of applications in favour of concentrating only on the code and internal organisational procedures. An attack that compromises an open-source software package, for instance, affects any code that depends on it, either directly or indirectly. Attacks like these on the software supply chain have significantly grown around 2020.
Software Supply Chain Security
A software supply chain is made up of all the code, personnel, procedures, and organisational structures that go into creating and delivering software, both internally and externally to your company. It consists of:
- The software you use to develop, produce, package, install, and run your software, as well as the dependencies it has, are all included in this.
- procedures and guidelines for testing, reviewing, monitoring, providing comments, communicating, and approving access to the system.
- Systems you can rely on to design, construct, store, and execute your dependencies and software.
There are many ways to make unauthorised changes to the software that you provide to your consumers, given the scope and intricacy of the software supply chain. Throughout the programme life cycle, several attack vectors are present. While some attacks, like the one on the Solar Winds build system, are directed, other risks are indirect and slip into the supply chain as a result of carelessness or process flaws.
In December 2021, for instance, the Google Open Source Insights team mentioned in a blog post on the remote execution vulnerability in Apache log4j that more than 17,000 packages in Maven Central were impacted. The majority of the impacted packages had dependencies that needed the vulnerable log4j-core package, but they did not directly depend on it.
Security Supply Chain
Process flaws that allow harmful code to inadvertently get into the supply chain include the absence of security requirements for production deployment or code review. Similar to this, if you package and deploy apps from systems outside your trusted build system and artefact repositories or create with source code outside your trusted version control system, harmful malware may enter your programme.
The 2021 State of the Software Supply Chain saw more open source and supply chain attacks:
- The number of software supply chain attacks increased 650% in 2021.
- Open source apps were downloaded 73% more in 2021 than 2020.
- Popular open source projects tend to have the highest frequency of vulnerabilities.
Comprehending your organization’s security posture is crucial for safeguarding the integrity of your software, as it determines your ability to identify, address, and resolve security risks.
Frameworks for assessments and compliance requirements
Government regulations that are particular to supply chain security have been created as a result of growing concerns about supply chain security. These policies include:
- The Executive Orders of the United States
- Supply Chains in America Boosting Cybersecurity in the Country
- The Network and Information Security 2 Directive of the European Union
Organisations can evaluate their security posture and learn about threat mitigation with the aid of new frameworks that are being developed.
- Google’s software security procedures served as the model for the open-source framework Supply Chain Levels for Software Artefacts (SLSA).
- Frameworks created by governmental bodies, like:
- NIST produces the Secure Software Development Framework (SSDF) and Cybersecurity Assessment Framework (UK).
- These frameworks structure well-established software security techniques to make it easier to identify security problems and determine how to reduce them.
On Google Cloud, safeguard your software supply chain
On Google Cloud, Software Delivery Shield offers a completely managed software supply chain security solution. It integrates best practices, including those found in NIST SSDF and SLSA frameworks. You progressively accept the solution’s components in accordance with your demands and objectives.
For contemporary businesses, maintaining the security of the software supply chain is a challenging task. Improving overall security requires first securing the software supply chain, including build artefacts like container images.They are introducing software supply chain security analytics for your Google Kubernetes Engine workloads in the GKE Security Posture dashboard to give you integrated, centralised visibility into your applications.
Your GKE clusters’ and your containerised workloads’ security posture can be enhanced with the help of Google cloud integrated GKE Security Posture dashboard, which offers expert advice. Workload configuration checks and insights into vulnerabilities are included. Additionally, the dashboard makes it evident which workloads are impacted by security issues and offers practical advice on how to fix them.
GKE Security Posture
GKE security posture dashboard transparency
Within the GKE Security posture dashboard, Google cloud are introducing a new “Supply Chain” card to increase transparency and control over your software supply chain. This functionality is now in public preview and gives you the ability to visualise supply chain risks related to your GKE workloads.
In this first release, offer two important insights
- Images that are out of date: Find any picture that hasn’t been updated in the last 30 days. This could expose you to new vulnerabilities.
- Get information about photos that are still using the generic “latest” tag, which impedes accurate version management and traceability.
Your images operating in GKE clusters are scanned by Google cloud Binary Authorization service. On the “Supply Chain” card, you can see an overview of the issues, and on the “Concerns” tab of the GKE Security Posture dashboard, you can drill down for more information.
To view the supply chain concerns, take the following actions
- Open the Google Cloud console and navigate to the GKE Security Posture page. Note: If you haven’t already, you must enable Security Posture.
- Select “Enable Binary Authorization API” from the “Supply Chain” card, and then click “Enable.”
- Select “Enable” on the “Supply Chain” pop-up that appears next.
- Within fifteen minutes, issues with “image freshness” or “latest tag” will show up on the “Supply Chain” card.
- Select a concern to view its details. A list of the workloads that are impacted by the selected issue will appear on the “Affected Workloads” page.
Start now
As part of Google cloud continuous effort to improve workload security, Google cloud are releasing this initial release of GKE Security Posture to address supply chain concerns. Google cloud want to provide more advanced supply chain issues in the upcoming months, which will strengthen security and increase workload transparency for you.
