Protect your software supply chain

This documentation focuses primarily on best practices that support protecting your software across processes and systems in your software supply chain. It also includes information about how to implement some of the practices on Google Cloud.

There are additional considerations for protecting your software that span the software lifecycle or are foundational development practices that support software supply chain security. For example:

  • Controlling physical and remote access to systems.
  • Implementing audit, monitoring, and feedback mechanisms so that you are able to quickly identify and respond to threats and non-compliance with policy.
  • Foundational coding practices including design, input validation, output to untrusted systems, data processing, code analysis, and cryptography.
  • Foundational DevOps practices beyond ones mentioned in this documentation, including technical approaches, team process, and organizational culture.

  • Adherence to software licenses terms, including open source licenses for direct and transitive dependencies.

    Some open source licenses have restrictive license terms that are problematic for commercial software. In particular, some licenses require you to release your source code under the same license as the open source software that you are reusing. If you want to keep your source code private, it's important to know the licenses terms of open source software you use.

  • Increasing awareness about cybersecurity by providing training to employees. According the State of Cybersecurity 2021, Part 2, a survey of information security professionals, social engineering was the most frequent type of attack. Survey respondants also reported that cybersecurity training and awareness programs had some positive impact (46%) or strong positive impact (32%) on employee awareness.

Use the resources in the following sections to learn more about these topics.

Security on Google Cloud

Learn about setting up organization structure, authentication and authorization, resource hierarchy, networking, logging, detective controls, and more in the Google Cloud enterprise foundations blueprint, one of the guides in the Google Cloud security best practices center.

You can view centralized information about vulnerabilities and possible risks using these Google Cloud services:

  • View information about vulnerabilities and threats across your Google Cloud organization with Security Command Center.
  • Get information about your service usage with Recommender, including recommendations that can help you to reduce risk. For example, you can identify IAM principals with excess permissions or unattended Google Cloud projects.

To learn more about security on Google Cloud, see the Security section of the Google Cloud web site.

DevOps and software development practices

See the DevOps capabilities documentation to learn more about DevOps practices that contribute to faster software delivery and more reliable and secure software.

There are also foundational practices for designing, developing, and testing code that apply to all programming languages. You also need to evaluate how you distribute software and the terms of software licenses in all of your dependencies. The Linux Foundation offers free online training on these topics:

Developing your policies

As you incrementally implement best practices, document the policies for your organization and incorporate validation of policies into your development, build, and deployment processes. For example, your company policies might include criteria for deployment that you implement with Binary Authorization.