15 Things I Learnt from Google on Shifting Left in Security
With software supply chain attacks on the rise, there has never been a better time to “shift left” on SDLC security. Google’s white paper offers high-signal insights that you can adopt today.
Want to know what I picked up from the white paper? Read on.
- To secure a pipeline, accumulate trust for artifacts progressing through the pipeline.
- Trust can be recorded as implicit or explicit. Aspire to replace implicit trust with explicit, digitally verifiable trust.
- Trust accrues as an artifact advances through the pipeline, from dev-test through production.
- Validate this trust using digital attestations as evidence. Create attestations for each stage and/or signer responsible for the validation.
- Digitally represent all parties that are directly or indirectly associated with building software.
- Use declarative infrastructure (infra-as-code) to improve consistency, immutability and frequency of deployment.
- Use digital signatures to verify machine and OS integrity before infrastructure deployment.
- Digitally sign code commits. Automate tests. Identify malicious code early.
- Ensure that secrets, PII and sensitive info are not leaked through logging output.
- Use a license scanner to gather the OSS licenses of dependencies.
- Build artifacts with immutability in mind. Use distroless base images as lightweight alternatives with a significantly lower threat surface.
- Scan images published to an artifact repository for CVEs and store the resulting metadata using an image digest.
- Restrict deployments to only those coming from a known list of repositories.
- Codify company governance and compliance policies (policy-as-code). Store these policies independently of application source code.
- Institute a break-glass process that supports speed without giving up security.
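
Several of these points (per-stage attestations, metadata tied to an image digest, a repository allow list, policy-as-code and break-glass) meet at the deploy gate. The sketch below is an added example, not code from the white paper or from Google: the registry name, stage names and keys are constructed, HMAC stands in for the public-key signatures a real attestor would use, and the break-glass behaviour (skip missing attestations only, always return an auditable reason) is an assumption.

```python
import hashlib
import hmac

# Policy-as-code, kept apart from application source. All values are constructed.
POLICY = {
    "allowed_repos": ["registry.example.com/prod/"],
    "required_stages": ["build", "test", "vuln-scan"],
}
# Per-stage attestor keys (assumption: HMAC stands in for real asymmetric signatures).
ATTESTOR_KEYS = {"build": b"build-key", "test": b"test-key", "vuln-scan": b"scan-key"}


def attest(stage, digest, key):
    """Create an attestation: one stage's signed statement about one image digest."""
    sig = hmac.new(key, f"{stage}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"stage": stage, "digest": digest, "sig": sig}


def verified_stages(digest, attestations):
    """Return the stages whose attestation verifies for exactly this digest."""
    ok = set()
    for a in attestations:
        key = ATTESTOR_KEYS.get(a["stage"])
        if key is None or a["digest"] != digest:
            continue  # unknown signer, or evidence about a different artifact
        expected = hmac.new(key, f"{a['stage']}:{digest}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, a["sig"]):
            ok.add(a["stage"])
    return ok


def admit(image_ref, attestations, break_glass=None):
    """Decide a deployment; returns (allowed, reason) so every decision can be logged."""
    repo, sep, digest = image_ref.partition("@")
    if not sep or not digest.startswith("sha256:"):
        return False, "image must be pinned by digest, not by tag"
    if not any(repo.startswith(p) for p in POLICY["allowed_repos"]):
        return False, "repository not on the allow list"
    have = verified_stages(digest, attestations)
    missing = [s for s in POLICY["required_stages"] if s not in have]
    if not missing:
        return True, "all required attestations verified"
    if break_glass:  # emergency path: still digest-pinned and allow-listed, always audited
        return True, f"BREAK-GLASS by {break_glass}; missing: {missing}"
    return False, f"missing attestations: {missing}"
```

Trust here is explicit: an image is admitted only when every required stage has left verifiable evidence about that exact digest, and the break-glass path never bypasses the digest or repository checks.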