Google released Software Delivery Shield this week, adding a new set of capabilities to Google Cloud that ensures developers can focus on writing code while adhering to security policies across the delivery pipeline.
Recent attacks such as Log4j, SolarWinds and Mimecast have cemented the importance of software supply chain security beyond the coding environment. Complicating the matter, however, is the ubiquity of open source and its dependencies, said Thomas DeMeo, director of product management for platform development tools at Google Cloud at this week's Google Cloud Next 2022.
To tackle this issue, a new modular set of capabilities called Software Delivery Shield (SDS) addresses security concerns across five major areas: application development, software supply, CI/CD, production environments and policies.
SDS tools include Cloud Workstations, a fully managed development environment with built-in security measures such as forced image updates; Artifact Registry to manage and secure artifacts; and Cloud Build and Cloud Deploy to help to secure the CI/CD pipeline.
SDS takes risk out of development, said Holger Mueller, an analyst at Constellation Research.
"Nobody likes and wants nighttime or weekend fire drills because some library someone put in years ago broke something," Mueller said. "SolarWinds is a prominent example of that."
Scott Beeker, a self-employed full stack software engineer and conference attendee, said SDS features such as binary authorization, which ensures deployment of only trusted container images, should become the new standard across teams.
Scott BeekerFounder, Self-employed
"The additional added security across the software supply chain, especially when dealing with open source software dependencies across organizations, is a necessity in today's world," he said.
Managing the environment with Cloud Workstations
Cloud Workstations, which is in public preview, adds a managed development environment to the Google Cloud Platform. This gives developers a preconfigured yet customizable cloud environment, DeMeo said.
Cloud Workstations, which manages the developer environment with enforced security measures, is a standout feature of SDS, said Larry Carvalho, a consultant at Robust Cloud LLC.
"Configuring a workstation increases the possibility of any developer bringing their favorite tools but needing to be thoroughly vetted," he said.
While more vetting may not be popular with developers, locking this environment with SDS reduces the likelihood of vulnerabilities at the beginning of a software development lifecycle, Carvalho said
Cloud Workstations comes with support for multiple integrated development environments (IDEs), including JetBrains' IntelliJ Idea, PyCharm and Rider.
SDS will work alongside other Google Cloud services such as Cloud Deploy, a fully managed CD platform, and Cloud Code, a family of IDE plugins. It will also be integrated with Cloud Run, a runtime platform for containerized applications. This means developers can connect to Google Cloud services faster. For example, developers can configure domains with a load balancer or connect to a Redis cache in a single click, DeMeo said.
The result is increased developer productivity. "Serverless platforms like Cloud Run allow developers to focus more on code and less on 'plumbing,'" Constellation Research's Mueller said.
Overall, SDS will be worth using with one caution, said Leonid Ivankin, an Android developer at MTS Group, a mobile telesystems company. Enterprises that adopt the tool lock into Google as a vendor, he said.
"Do not forget that now Google itself controls your development process," he said.
SDS is included in a Google Cloud subscription, the cost of which varies depending on usage. A free tier is available but comes with restrictions such as 120 cloud-build minutes per day.
However, Google's SDS isn't the only option for securing the supply chain. Startups that target multi-cloud environments include Endor Labs, Chainguard and Valence.