Skip to content

Securing the CI/CD pipelines on Google Cloud

Securing the software supply chain by implementing security best practices in CI/CD pipelines on Google Cloud.

Type
Talk
Category
DevOps
Level
Advanced
Duration
40 mins
Language
English

Events

Name Organizer Date Location Attendees Links
Hiver's Connect Manila 2023 Design Hive 2023-09-23 Asia Pacific College, Makati, Philippines 50 📊 Slide Deck
devops cicd security slsa software-supply-chain binary-authorization cloud-build artifact-registry gke cloud-run
QR Code for this session
QR Code

Abstract

As organizations accelerate their digital transformation, the software development life cycle (SDLC) has become a primary target for sophisticated cyberattacks. From the SolarWinds breach to the Log4Shell vulnerability, the security of the software supply chain is now a critical priority for DevOps and Security teams alike. This session explores the fundamental concepts of Continuous Integration and Continuous Delivery (CI/CD) through the lens of security, introducing the "Shift Left" philosophy to identify and mitigate risks as early as the development phase.

This talk dives deep into Google Cloud's holistic approach to securing the software supply chain (S3C). Participants will learn how to leverage tools like Cloud Workstations for managed development environments, Assured Open Source Software for curated and scanned dependencies, and Cloud Build for achieving SLSA Level 3 compliance with automated build provenance. The session also discusses how Binary Authorization acts as a gatekeeper, ensuring only trusted and verified artifacts are deployed to GKE or Cloud Run. By the end of this talk, attendees will have a clear roadmap and architectural blueprint for building resilient, tamper-evident, and secure CI/CD pipelines that protect an organization's most valuable software assets.

Outline

  • The growing threat to software supply chains (SolarWinds, Log4Shell)
  • Shift Left: catching vulnerabilities at the source
  • Google Cloud's S3C approach: an end-to-end framework
  • Cloud Workstations: secure managed development environments
  • Assured OSS + Cloud Build: verified dependencies and SLSA Level 3 provenance
  • Binary Authorization: the final deployment gatekeeper
  • Architecture blueprint for a resilient, tamper-evident CI/CD pipeline

Key Takeaways

  • CI/CD pipelines are now a primary attack surface in the modern SDLC
  • "Shift Left" means baking security into development, not bolting it on at deployment
  • SLSA Level 3 with Cloud Build provides cryptographic, tamper-evident build provenance
  • Binary Authorization ensures only verified, signed artifacts are ever deployed to GKE or Cloud Run
  • Google Cloud's S3C tools compose into a complete, layered supply chain security posture