Search icon Close icon
Search icon
Subscription
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Secure Continuous Delivery on Google Cloud

You're reading from  Secure Continuous Delivery on Google Cloud

Product type Book
Published in Apr 2024
Publisher Packt
ISBN-13 9781805129288
Pages 304 pages
Edition 1st Edition
Languages
Concepts
Authors (3):
Giovanni Galloro Giovanni Galloro
Profile icon Giovanni Galloro
LinkedIn
Giovanni Galloro has been working at Google since 2017 as a customer engineer specializing in container-based runtimes, DevOps tools, and application networking. He works with multiple organizations across EMEA, helping them to leverage these capabilities and improve their software delivery practices. Giovanni is a community ambassador for the Continuous Delivery Foundation and is a frequent speaker at developer conferences. Before Google, he worked at Microsoft, Red Hat, VMware, and HP, following the evolution of application platforms over the past 20 years.
See other products by Giovanni Galloro
Nathaniel Avery Nathaniel Avery
Profile icon Nathaniel Avery
LinkedIn
Nathaniel Avery works at Google as an outbound product manager for the Google Cloud Application Ecosystem group, specializing in DevOps tools, and has spoken to many Fortune 500 companies about DevOps tooling solutions. Before joining Google, Nate spent more than 20 years in IT designing, planning, and implementing complex systems, integrating custom-built and COTS applications for federal government customers. Currently, he's working on better ways to build and use cloud resources to help customers deliver better products, safely and securely, without sacrificing velocity.
See other products by Nathaniel Avery
David Dorbin David Dorbin
Profile icon David Dorbin
LinkedIn
David Dorbin has been a technical writer for more than three decades. He's been with Google for more than a dozen years, documenting payment applications, internal tools, and Google Cloud DevOps products. Before Google, he worked with numerous start-ups and established companies, documenting technologies in payment processing, digital publishing and rights management, consumer electronics, and cryptography for financial institutions. In his free time, Dave enjoys playing bass and banjolele (but never at the same time), or doing more damage to his Achilles' heel on the streets and trails of northern New Jersey.
See other products by David Dorbin
View More author details

Table of Contents (19) Chapters

Preface 1. Part 1:Introduction and Code Your Application
2. Chapter 1: Introducing Continuous Delivery and Software Supply Chain Security 3. Chapter 2: Using Skaffold for Development, Build, and Deploy 4. Chapter 3: Developing and Testing with Cloud Code 5. Chapter 4: Securing Your Code with Cloud Workstations 6. Part 2: Build and Package Your Application
7. Chapter 5: Automating Continuous Integration with Cloud Build 8. Chapter 6: Securely Store Your Software on Artifact Registry 9. Part 3: Deploy and Run Your Application
10. Chapter 7: Exploring Runtimes – GKE, GKE Enterprise, and Cloud Run 11. Chapter 8: Automating Software Delivery Using Cloud Deploy 12. Chapter 9: Securing Your Runtimes with Binary Authorization 13. Part 4: Hands-On Secure Pipeline Delivery and Looking Forward
14. Chapter 10: Demonstrating an End-to-End Software Delivery Pipeline 15. Chapter 11: Integrating with Your Organization’s Workflows 16. Chapter 12: Diving into Best Practices and Trends in Continuous Delivery 17. Index 18. Other Books You May Enjoy

Securing your software delivery pipeline

Software production and delivery can be viewed as a supply chain in which the same developer can be both a software producer (by developing software) and a consumer (by using existing software as a dependency for the app being developed).

This section is a high-level overview of some of the security threats against a software delivery pipeline, as well as some best practices that help protect against those threats. In later chapters, we describe how to implement some of the best practices, using Google Cloud-managed services.

First, let’s look at the security of your source code.

Source code management threats and remediations

Threats to source code management systems affect the security of the source code. These threats can come from the code itself (for example, submitting source code that is unintentionally or intentionally vulnerable) or can be threats to the source control platform, which can be compromised in different ways. The next section lists some practices to help ensure your source code is safe.

Source code management security best practices

The following is a list of security best practices to protect the integrity of your source code:

  • Repository configuration: Configure repositories using a secure, automated method that offers preconfigured templates based on the application’s security level.

    Enforce centralized identity management with multi-factor authentication (MFA) for users, ensuring updated access privileges. Limit repository ownership to a few trusted employees, integrate identity management systems, and require dual approval for merges to enhance security.

  • Code reviews: Code reviews are one of the most important practices to ensure software quality and security and should always be part of a secure software supply chain.

    Reviewers should be assigned to a repository application or a specific commit based on expertise in the programming language and relevant security risks. Perform code reviews on feature-branch pull requests as soon as developers are ready.

    In addition to human code reviews, implement static code analysis tools.

  • Merge approvals: Establish a select group of trusted individuals to authorize merges into production branches. For applications with stricter security requirements, implement a process that requires more than one approver.

Now, let’s look at security for your build process.

Build threats and remediations

The following are some examples of security threats to the artifact build process and tools:

  • Builds that use modified source code (not from a trusted source control system)
  • Compromise of the build system
  • Artifacts built outside of the official build system and process
  • Compromise of the artifact storage system

The following section lists some practices to help ensure the security of your build process.

Build security best practices

The Supply-chain Levels for Software Artifacts (SLSA) specification defines a set of build-security best practices. These are established by multiple software-industry organizations under the Open Source Security Foundation (OpenSSF) (https://openssf.org/).

SLSA (http://slsa.dev) is a specification meant to help you describe and improve your software supply chain security. It’s structured as a series of tracks, each one covering an aspect of supply chain security, and levels, with each level offering progressively stronger security guidelines and requirements for each track.

At the time of this writing, the SLSA specification is at version 1.0, the first stable release of SLSA. SLSA v1.0 consists of only one track: Build. Future versions of SLSA will add tracks that cover other parts of the software supply chain.

Each level includes a set of requirements for the build process: lower-level requirements are easier to implement but provide lower security guarantees. Higher-level requirements are harder and usually more expensive to adopt but demonstrate that tougher security guidelines have been adopted for software build practices.

The level-based structure also allows you to incrementally adopt the guidelines, progressively improving the security posture of your software supply chain.

The primary goal of the SLSA Build track is to attest and verify that an artifact was built as expected. This is done mainly by generating build provenance, which software consumers can verify. The SLSA v1.0 Build track includes three levels: L1 to L3. There is also an L0 level, which refers to software that doesn’t meet any SLSA requirements. The following table summarizes the build levels:

Track/Level

Requirements

Focus

Build L0

None

N/A

Build L1

Provenance showing how the package was built

Mistakes, documentation

Build L2

Signed provenance, generated by a hosted build platform

Tampering after the build

Build L3

Hardened build platform

Tampering during the build

Table 1.1 – SLSA v1 Build tracks

These security levels, and descriptions thereof, are from the SLSA specification, version 1.0, courtesy of the SLSA Working Group. You can find more details on the requirements for each level at http://slsa.dev.

In the next section, we’ll talk about threats in your code’s dependencies and some practices for remediating those threats.

Dependency threats and remediations

Dependency threats are vulnerabilities or intentionally malicious code in any software that your application depends on.

Dependency management best practices

The following is a list of security best practices for managing dependencies:

  • Scan dependencies for vulnerabilities: Integrate a scanning tool into the development and build workflow that identifies vulnerabilities, using databases such as the National Institute of Standards of Technology National Vulnerability Database (NIST NVD).
  • Store dependencies in a private registry: A private registry offers the convenience of a public repository, with enhanced control over dependencies. It can provide capabilities such as access control, vulnerability scanning, and repository management.
  • Remove unused dependencies: Regularly cleaning up unneeded dependencies keeps your application lean and nimble, improving its performance and reducing its attack surface. This proactive approach helps minimize potential security risks associated with outdated or irrelevant dependencies.
  • Use open source tools to track dependency insights: Various tools can help you to get information on dependencies. Here are two examples:
    • Open Source Insights (https://deps.dev/): A website that provides information about software packages vulnerabilities and licenses.
    • Open Source Vulnerability (OSV) Database (https://osv.dev/): A searchable vulnerability database.

This section described how to secure your software delivery pipeline, including a look at how your code and its dependencies can face vulnerabilities.

arrow left Previous Chapter
Chapter 1 of 19
Next Chapter arrow right
You have been reading a chapter from
Secure Continuous Delivery on Google Cloud
Published in: Apr 2024 Publisher: Packt ISBN-13: 9781805129288
© 2024 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime}

Authors (3)

Left arrow icon
Profile icon Giovanni Galloro
LinkedIn
Giovanni Galloro has been working at Google since 2017 as a customer engineer specializing in container-based runtimes, DevOps tools, and application networking. He works with multiple organizations across EMEA, helping them to leverage these capabilities and improve their software delivery practices. Giovanni is a community ambassador for the Continuous Delivery Foundation and is a frequent speaker at developer conferences. Before Google, he worked at Microsoft, Red Hat, VMware, and HP, following the evolution of application platforms over the past 20 years.
Read more
See other products by Giovanni Galloro
Profile icon Nathaniel Avery
LinkedIn
Nathaniel Avery works at Google as an outbound product manager for the Google Cloud Application Ecosystem group, specializing in DevOps tools, and has spoken to many Fortune 500 companies about DevOps tooling solutions. Before joining Google, Nate spent more than 20 years in IT designing, planning, and implementing complex systems, integrating custom-built and COTS applications for federal government customers. Currently, he's working on better ways to build and use cloud resources to help customers deliver better products, safely and securely, without sacrificing velocity.
Read more
See other products by Nathaniel Avery
Profile icon David Dorbin
LinkedIn
David Dorbin has been a technical writer for more than three decades. He's been with Google for more than a dozen years, documenting payment applications, internal tools, and Google Cloud DevOps products. Before Google, he worked with numerous start-ups and established companies, documenting technologies in payment processing, digital publishing and rights management, consumer electronics, and cryptography for financial institutions. In his free time, Dave enjoys playing bass and banjolele (but never at the same time), or doing more damage to his Achilles' heel on the streets and trails of northern New Jersey.
Read more
See other products by David Dorbin
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions Exam Ref AZ-700 is an all-encompassing guide to the AZ-700 exam and contains all the information you need to succeed in the world of virtual networking with Azure. With this book, you will be fully prepared for the exam and the world of cloud networking.
Aug 2023 17 hours 28 minutes
Microsoft 365 Security, Compliance, and Identity Administration
Microsoft 365 Security, Compliance, and Identity Administration
The Microsoft 365 Security, Compliance, and Identity Administration is a comprehensive guide that helps you employ Microsoft 365's robust suite of features and empowers you to optimize your administrative tasks.
Aug 2023 21 hours 0 minutes
Zero Trust Overview and Playbook Introduction
Zero Trust Overview and Playbook Introduction
Get started on Zero Trust with this step-by-step playbook and learn everything you need to know for a successful Zero Trust journey with tailored guidance for every role, covering strategy, operations, architecture, implementation, and measuring success. This book will become an indispensable reference for everyone in your organization.
Oct 2023 8 hours 0 minutes
The Self-Taught Cloud Computing Engineer
The Self-Taught Cloud Computing Engineer
This self-study book helps you master multiple clouds, including AWS, Azure, and GCP, and serves as a roadmap to becoming a certified cloud computing expert. The book will guide you to develop a professional cloud career by helping you build a broad cloud knowledge base, developing hands-on cloud computing skills, and getting cloud certified.
Sep 2023 15 hours 44 minutes
Technology Operating Models for Cloud and Edge
Technology Operating Models for Cloud and Edge
This book will help you build and create ownership of a technology operating model, as well as connect your leadership with engineering and operations, keeping your internal and external customers in mind. It provides practical tips on why, where, and how to make the cloud and edge platform paradigm sing for you, your team, and your organization.
Aug 2023 7 hours 36 minutes
Azure Architecture Explained
Azure Architecture Explained
Azure is the preferred platform to build mission-critical and secure apps. This book provides comprehensive coverage of essential Azure products, services, and solutions vital for every solution architect's success. Elevate your knowledge and master the critical components of Azure to excel in your role with Azure Architecture Explained.
Sep 2023 14 hours 52 minutes
Pentesting Active Directory and Windows-based Infrastructure
Pentesting Active Directory and Windows-based Infrastructure
This practical guide helps you explore the pentesting of Microsoft infrastructure in detail, and enhances your offensive skillset by showing you the different ways to perform security assessment. This book will help blue teamers and IT engineers get up to speed with possible security issues they may encounter in their Windows environments.
Nov 2023 12 hours 0 minutes
Practical Ansible
Practical Ansible
In Practical Ansible, you'll work with the latest release of Ansible and learn to solve complex issues quickly with the help of task-oriented scenarios. You'll start by installing and configuring Ansible to automate monotonous and repetitive IT tasks and get to grips with concepts such as playbooks, inventories, plugins, collections, and network modules.
Sep 2023 14 hours 0 minutes
Windows 11 for Enterprise Administrators
Windows 11 for Enterprise Administrators
Microsoft’s launch of Windows 11 is a step toward satisfying the enterprise administrator’s needs for better management and enhanced user experience customization. This book provides the enterprise administrator with the knowledge needed to fully utilize the advanced feature set of Windows 11 Enterprise.
Oct 2023 9 hours 32 minutes
The Linux DevOps Handbook
The Linux DevOps Handbook
This book is for software and IT professionals seeking knowledge on Linux systems and DevOps practices. This book will provide you with guidance and tools to learn and gain proficiency in managing Linux-based infrastructures and knowledge of DevOps.
Nov 2023 14 hours 16 minutes
Right arrow icon