Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Secure Continuous Delivery on Google Cloud
  • Table Of Contents Toc
  • Feedback & Rating feedback
Secure Continuous Delivery on Google Cloud

Secure Continuous Delivery on Google Cloud

By : Galloro, Avery, Dorbin
5 (3)
Buy this Book
close
close
Secure Continuous Delivery on Google Cloud

Secure Continuous Delivery on Google Cloud

5 (3)
By: Galloro, Avery, Dorbin
Buy this Book

Overview of this book

Continuous delivery, a cornerstone of modern software engineering, facilitates quick and secure software delivery using a robust toolkit encompassing automated builds, testing, source code management, artifact storage, and deployment. Whether you integrate tools from different providers or use a set of managed services from a single cloud provider, the goal is to streamline setup, integration, and management. This book focuses on continuous delivery on Google Cloud. Starting with an introduction to continuous delivery and secure software supply chain concepts, this book uses hands-on exercises to demonstrate how to continuously test your application with Skaffold and Cloud Code, leverage AI-assisted code generation with Cloud Code and Cloud Workstations, and automate your continuous integration with Cloud Build. You’ll see how to store and scan your software artifacts on Artifact Registry, orchestrate deployments with Cloud Deploy, and release your software on GKE and Cloud Run, configured to admit only trusted code. Using an example application, you’ll implement tools for creating an end-to-end delivery pipeline using Google Cloud services. By the end of this book, you’ll be able to build a secure software delivery pipeline from development to production using Google Cloud managed services and best practices.
Table of Contents (19 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1:Introduction and Code Your Application
Part 1:Introduction and Code Your Application
Free Chapter
2
Chapter 1: Introducing Continuous Delivery and Software Supply Chain Security
chevron up
Chapter 1: Introducing Continuous Delivery and Software Supply Chain Security
Introduction to CD
Understanding continuous integration
Understanding continuous testing
Understanding deployment automation
Securing your software delivery pipeline
Summary
3
Chapter 2: Using Skaffold for Development, Build, and Deploy
Chapter 2: Using Skaffold for Development, Build, and Deploy
Technical requirements
Understanding Skaffold’s capabilities and architecture
Installing Skaffold
Using Skaffold with your application
Summary
4
Chapter 3: Developing and Testing with Cloud Code
Chapter 3: Developing and Testing with Cloud Code
Technical requirements
About Cloud Code
Continuously deploying and testing locally while you code
Creating a GKE cluster from your editor
Continuously deploying and testing a Kubernetes app remotely while you code
Debugging
Code with AI assistance
Cleaning up
Summary
5
Chapter 4: Securing Your Code with Cloud Workstations
Chapter 4: Securing Your Code with Cloud Workstations
Technical requirements
Introduction to Cloud Workstations
Configuring workstations for developers
Customizing Cloud Workstations
Coding on Cloud Workstations
Cleaning up
Summary
6
Part 2: Build and Package Your Application
Part 2: Build and Package Your Application
7
Chapter 5: Automating Continuous Integration with Cloud Build
Chapter 5: Automating Continuous Integration with Cloud Build
Technical requirements
Cloud Build architecture and capabilities
Building your application manually
Customizing your build workers
Generating security information for your build
Automating builds
Summary
8
Chapter 6: Securely Store Your Software on Artifact Registry
Chapter 6: Securely Store Your Software on Artifact Registry
Technical requirements
Managing container images with Artifact Registry
Managing language package distribution with Artifact Registry
Using virtual and remote repositories
Using vulnerability scanning to detect threats
Summary
References
9
Part 3: Deploy and Run Your Application
Part 3: Deploy and Run Your Application
10
Chapter 7: Exploring Runtimes – GKE, GKE Enterprise, and Cloud Run
Chapter 7: Exploring Runtimes – GKE, GKE Enterprise, and Cloud Run
Understanding containers
Understanding Google Kubernetes Engine
Understanding GKE Enterprise
Understanding Cloud Run
Summary
References
11
Chapter 8: Automating Software Delivery Using Cloud Deploy
Chapter 8: Automating Software Delivery Using Cloud Deploy
Technical requirements
Exploring the Cloud Deploy architecture
Understanding Cloud Deploy target types
Using the Kubernetes manifest and Kustomization
Using a Skaffold configuration
Preparing your project
Creating a delivery pipeline
Creating a release
Examining a release
Verifying your deployment
Using a deployment strategy
Summary
12
Chapter 9: Securing Your Runtimes with Binary Authorization
Chapter 9: Securing Your Runtimes with Binary Authorization
Technical requirements
Understanding Binary Authorization concepts
Setting up Binary Authorization
Setting up attestations
Configuring Binary Authorization policies
Summary
13
Part 4: Hands-On Secure Pipeline Delivery and Looking Forward
Part 4: Hands-On Secure Pipeline Delivery and Looking Forward
14
Chapter 10: Demonstrating an End-to-End Software Delivery Pipeline
Chapter 10: Demonstrating an End-to-End Software Delivery Pipeline
Technical requirements
Software delivery pipeline overview
Building your software delivery pipeline
Running your pipeline
Summary
15
Chapter 11: Integrating with Your Organization’s Workflows
Chapter 11: Integrating with Your Organization’s Workflows
Technical requirements
Connecting a Cloud Build trigger to a third-party repository
Integrating Cloud Deploy with automated testing
Integrating Cloud Deploy approval with third-party workflow management tools
Summary
16
Chapter 12: Diving into Best Practices and Trends in Continuous Delivery
Chapter 12: Diving into Best Practices and Trends in Continuous Delivery
Best practices for deploying secure delivery pipelines
Anticipating the future
Summary
References
17
Index
Index
Why subscribe?
18
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Securing your software delivery pipeline

Software production and delivery can be viewed as a supply chain in which the same developer can be both a software producer (by developing software) and a consumer (by using existing software as a dependency for the app being developed).

This section is a high-level overview of some of the security threats against a software delivery pipeline, as well as some best practices that help protect against those threats. In later chapters, we describe how to implement some of the best practices, using Google Cloud-managed services.

First, let’s look at the security of your source code.

Source code management threats and remediations

Threats to source code management systems affect the security of the source code. These threats can come from the code itself (for example, submitting source code that is unintentionally or intentionally vulnerable) or can be threats to the source control platform, which can be compromised in different ways. The next section lists some practices to help ensure your source code is safe.

Source code management security best practices

The following is a list of security best practices to protect the integrity of your source code:

  • Repository configuration: Configure repositories using a secure, automated method that offers preconfigured templates based on the application’s security level.

    Enforce centralized identity management with multi-factor authentication (MFA) for users, ensuring updated access privileges. Limit repository ownership to a few trusted employees, integrate identity management systems, and require dual approval for merges to enhance security.

  • Code reviews: Code reviews are one of the most important practices to ensure software quality and security and should always be part of a secure software supply chain.

    Reviewers should be assigned to a repository application or a specific commit based on expertise in the programming language and relevant security risks. Perform code reviews on feature-branch pull requests as soon as developers are ready.

    In addition to human code reviews, implement static code analysis tools.

  • Merge approvals: Establish a select group of trusted individuals to authorize merges into production branches. For applications with stricter security requirements, implement a process that requires more than one approver.

Now, let’s look at security for your build process.

Build threats and remediations

The following are some examples of security threats to the artifact build process and tools:

  • Builds that use modified source code (not from a trusted source control system)
  • Compromise of the build system
  • Artifacts built outside of the official build system and process
  • Compromise of the artifact storage system

The following section lists some practices to help ensure the security of your build process.

Build security best practices

The Supply-chain Levels for Software Artifacts (SLSA) specification defines a set of build-security best practices. These are established by multiple software-industry organizations under the Open Source Security Foundation (OpenSSF) (https://openssf.org/).

SLSA (http://slsa.dev) is a specification meant to help you describe and improve your software supply chain security. It’s structured as a series of tracks, each one covering an aspect of supply chain security, and levels, with each level offering progressively stronger security guidelines and requirements for each track.

At the time of this writing, the SLSA specification is at version 1.0, the first stable release of SLSA. SLSA v1.0 consists of only one track: Build. Future versions of SLSA will add tracks that cover other parts of the software supply chain.

Each level includes a set of requirements for the build process: lower-level requirements are easier to implement but provide lower security guarantees. Higher-level requirements are harder and usually more expensive to adopt but demonstrate that tougher security guidelines have been adopted for software build practices.

The level-based structure also allows you to incrementally adopt the guidelines, progressively improving the security posture of your software supply chain.

The primary goal of the SLSA Build track is to attest and verify that an artifact was built as expected. This is done mainly by generating build provenance, which software consumers can verify. The SLSA v1.0 Build track includes three levels: L1 to L3. There is also an L0 level, which refers to software that doesn’t meet any SLSA requirements. The following table summarizes the build levels:

Track/Level

Requirements

Focus

Build L0

None

N/A

Build L1

Provenance showing how the package was built

Mistakes, documentation

Build L2

Signed provenance, generated by a hosted build platform

Tampering after the build

Build L3

Hardened build platform

Tampering during the build

Table 1.1 – SLSA v1 Build tracks

These security levels, and descriptions thereof, are from the SLSA specification, version 1.0, courtesy of the SLSA Working Group. You can find more details on the requirements for each level at http://slsa.dev.

In the next section, we’ll talk about threats in your code’s dependencies and some practices for remediating those threats.

Dependency threats and remediations

Dependency threats are vulnerabilities or intentionally malicious code in any software that your application depends on.

Dependency management best practices

The following is a list of security best practices for managing dependencies:

  • Scan dependencies for vulnerabilities: Integrate a scanning tool into the development and build workflow that identifies vulnerabilities, using databases such as the National Institute of Standards of Technology National Vulnerability Database (NIST NVD).
  • Store dependencies in a private registry: A private registry offers the convenience of a public repository, with enhanced control over dependencies. It can provide capabilities such as access control, vulnerability scanning, and repository management.
  • Remove unused dependencies: Regularly cleaning up unneeded dependencies keeps your application lean and nimble, improving its performance and reducing its attack surface. This proactive approach helps minimize potential security risks associated with outdated or irrelevant dependencies.
  • Use open source tools to track dependency insights: Various tools can help you to get information on dependencies. Here are two examples:
    • Open Source Insights (https://deps.dev/): A website that provides information about software packages vulnerabilities and licenses.
    • Open Source Vulnerability (OSV) Database (https://osv.dev/): A searchable vulnerability database.

This section described how to secure your software delivery pipeline, including a look at how your code and its dependencies can face vulnerabilities.

End of Section 6
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY