15 Things I Learnt from Google on Shifting Left in Security

Google’s white paper on shifting left in security offers high-signal insights that you can adopt today.

With software supply chain attacks on the rise, there has never been a better time to “shift left” on SDLC security. Google’s white paper offers high-signal insights that you can adopt today.

Want to know what I picked up from the white paper? Read on.

  1. To secure a pipeline, accumulate trust for artifacts progressing through the pipeline.
  2. Trust can be recorded as implicit or explicit. Aspire to replace implicit trust with explicit, digitally verifiable trust.
  3. Trust accrues as an artifact advances through the pipeline, from dev-test through production.
  4. Validate this trust using digital attestations as evidence. Create attestations for each stage and/or signer responsible for the validation.
  5. Digitally represent all parties that are directly or indirectly associated with building software.
  6. Use declarative infrastructure (infra-as-code) to improve consistency, immutability and frequency of deployment.
  7. Use digital signatures to verify machine and OS integrity before infrastructure deployment.
  8. Digitally sign code commits. Automate tests. Identify malicious code early.
  9. Ensure that secrets, PII and other sensitive information are not leaked through logging output.
  10. Use a license scanner to gather the OSS licenses of dependencies.
  11. Build artifacts with immutability in mind. Use distroless base images as lightweight alternatives with significantly lower threat surface.
  12. Scan images published to an artifact repository for CVEs and store the resulting metadata using an image digest.
  13. Restrict deployments to only those coming from a known list of repositories.
  14. Codify company governance and compliance policies (policy-as-code). Store these policies independently of application source code.
  15. Institute a break-glass process that supports speed without giving up security.
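
As an added example (not code from the white paper or from this post), here is a minimal admission check in Go that ties together points 1 to 4, 12 and 13: each pipeline stage signs an attestation over the artifact digest, and a deployment is admitted only if every required stage's attestation verifies under that stage's trusted key and the image comes from an allow-listed repository. The stage names, key pairs, digest and registry path are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Attestation is one stage's signed evidence that it validated one artifact digest from one repo.
type Attestation struct {
	Stage, Digest, Repo string
	Sig                 []byte
}
// Policy names the stages that must attest, the trusted signer per stage and the allowed source repos.
type Policy struct {
	RequiredStages []string
	StageKeys      map[string]ed25519.PublicKey
	AllowedRepos   map[string]bool
}
// payload binds stage, digest and repo so a signature cannot be replayed for another artifact.
func payload(stage, digest, repo string) []byte { return []byte(stage + "\x00" + digest + "\x00" + repo) }
// Attest is run by a stage's signer once its check has passed.
func Attest(priv ed25519.PrivateKey, stage, digest, repo string) Attestation {
	return Attestation{stage, digest, repo, ed25519.Sign(priv, payload(stage, digest, repo))}
}

// Admit lists policy violations for deploying digest from repo; an empty list means admitted.
func Admit(p Policy, digest, repo string, atts []Attestation) (v []string) {
	if !p.AllowedRepos[repo] { v = append(v, "repository not in allow list: "+repo) }
	seen := map[string]bool{} // stages with a valid attestation for exactly this digest and repo
	for _, a := range atts {
		if pub, ok := p.StageKeys[a.Stage]; ok && a.Digest == digest && a.Repo == repo && ed25519.Verify(pub, payload(a.Stage, a.Digest, a.Repo), a.Sig) {
			seen[a.Stage] = true
		}
	}
	for _, s := range p.RequiredStages {
		if !seen[s] { v = append(v, "missing or invalid attestation for stage: "+s) }
	}
	return v
}

func main() { // constructed demo: placeholder digest and registry path, a fresh key pair per stage
	p := Policy{[]string{"build", "test", "cve-scan"}, map[string]ed25519.PublicKey{}, map[string]bool{"registry.example/app": true}}
	digest, repo, atts := "sha256:0123abcd", "registry.example/app", []Attestation{}
	for _, s := range p.RequiredStages {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		p.StageKeys[s] = pub
		atts = append(atts, Attest(priv, s, digest, repo))
	}
	fmt.Println(Admit(p, digest, repo, atts), Admit(p, digest, repo, atts[:2])) // [] then missing cve-scan
}
```

In a real pipeline the per-stage keys would live in a signing service and the attestations in a metadata store keyed by image digest, so the same check can be re-run at every environment boundary.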
