To support the launch of Binary Authorization, we’re releasing Black Duck for Google Cloud Build to help ensure your images are free of policy violations.
The software of today is not the software of 20 or 30 years ago. New programming languages and frameworks, open source and proprietary code, and new methods of software delivery have changed the way software is developed, deployed, and made accessible to end users. To keep up with the pace of innovation, development teams must ensure engineers have the tools they need to succeed and the knowledge to use them. At the same time, any tools brought into the workflow must provide value without slowing down innovation. With over 30 years in the application security testing space, Synopsys is equipped to help you embrace new tools, integrate them into existing workflows, and take advantage of the most recent innovations.
By now you’ve probably heard of continuous integration and continuous delivery, or CI/CD. The adoption of CI/CD, as well as agile methodologies surrounding it, has been a huge driver of change in the way software is built and released. As the era of waterfall ends, companies are realizing that building fast and releasing often is crucial to identifying which innovations will stick and which are better forgotten. Other new technologies, such as the service mesh and serverless programming, further allow teams to implement, test, and roll back features, usually without the end user being aware that a change has taken place. The result: faster and more impactful release cycles.
These release cycles, while they have greatly accelerated innovation, are not without risk. Consider the case of a company practicing continuous deployment, a step beyond continuous delivery where code is deployed straight to production. How can teams ensure the code they produce is of good quality, secure, and thoroughly tested before being served to users?
Many organizations turn to vendors like Synopsys to help reduce this risk. Synopsys provides a portfolio of tools, including SAST, SCA, and IAST, that can be integrated into CI/CD release pipelines to harden applications as much as possible before they get deployed. Integrated testing is part of yet another new trend in security, called shifting left.
Simply implementing security scanning, though, is not always the answer. Without proper enforcement and gating mechanisms, faulty code can still be pushed to production.
You always want to ensure that the software you deliver complies with your standards and policies. Enter Binary Authorization. Binary Authorization, an implementation of the Grafeas metadata store, allows third-party tooling, like that provided by Synopsys, to “attest” to the state of a container image published to Google Container Registry before it can be deployed to Google Kubernetes Engine. The concept is simple: If an image doesn’t have all the necessary attestations at deploy time, the deployment of that image is blocked. Want to learn more about Binary Authorization? Check out the docs!
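To make the deploy-time check concrete, here is a small Python model of the admission decision described above. It is an added example, not code from Synopsys, Black Duck, or Google: the project id, attestor name, image digests, and keys are constructed sample values, HMAC-SHA256 stands in for the PGP/PKIX signature the real service verifies, and the exact payload type string is an assumption. The model shows the three things a practitioner relies on: the attestation is bound to one digest (a re-pointed tag does not inherit it), a tampered or missing signature blocks the deploy, and a policy in dry-run mode only logs.

```python
import hashlib
import hmac
import json

# Constructed example, not Synopsys or Google code. It models the decision
# Binary Authorization makes at deploy time: every attestor named in the policy
# must have signed the exact image digest being deployed. HMAC-SHA256 stands in
# for the PGP/PKIX signatures the real service verifies (simplifying assumption).

SIGNATURE_TYPE = "Google cloud binauthz container signature"  # payload type string (assumption)


def attestation_payload(image_name: str, digest: str) -> bytes:
    """Canonical JSON an attestor signs; it binds the attestation to one digest."""
    payload = {
        "critical": {
            "identity": {"docker-reference": image_name},
            "image": {"docker-manifest-digest": digest},
            "type": SIGNATURE_TYPE,
        }
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def create_attestation(attestor: str, key: bytes, artifact_url: str) -> dict:
    """What a scanner step (e.g. Black Duck) publishes after a policy-clean scan."""
    name, digest = artifact_url.split("@", 1)
    payload = attestation_payload(name, digest)
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"attestor": attestor, "artifact_url": artifact_url, "payload": payload, "signature": sig}


def attestation_is_valid(att: dict, key: bytes, artifact_url: str) -> bool:
    """The signature must verify AND the signed payload must name this exact digest."""
    name, digest = artifact_url.split("@", 1)
    expected_payload = attestation_payload(name, digest)
    if att["artifact_url"] != artifact_url or att["payload"] != expected_payload:
        return False
    expected_sig = hmac.new(key, expected_payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, att["signature"])


def _enforce(policy: dict, reason: str) -> tuple:
    """A dry-run policy only audit-logs a violation; it does not block the deploy."""
    if policy["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY":
        return True, f"DRY RUN (would block): {reason}"
    return False, reason


def admission_decision(policy: dict, attestor_keys: dict, image_ref: str, attestations: list) -> tuple:
    """Return (allowed, reason) for deploying image_ref under the given policy."""
    if "@sha256:" not in image_ref:
        # A tag can be re-pointed at another image after attestation; the service
        # evaluates digests, so a tag reference cannot satisfy the policy.
        return _enforce(policy, "image not referenced by digest")
    for attestor in policy["requireAttestationsBy"]:
        key = attestor_keys[attestor]
        if not any(a["attestor"] == attestor and attestation_is_valid(a, key, image_ref)
                   for a in attestations):
            return _enforce(policy, f"missing or invalid attestation from {attestor}")
    return True, "all required attestations present"


# Constructed sample data: one policy requiring one attestor, one attested image.
ATTESTOR = "projects/example-project/attestors/blackduck-attestor"
POLICY = {
    "evaluationMode": "REQUIRE_ATTESTATION",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    "requireAttestationsBy": [ATTESTOR],
}
ATTESTOR_KEYS = {ATTESTOR: b"constructed-attestor-key"}
SCANNED_IMAGE = "gcr.io/example-project/app@sha256:" + "a" * 64
ATTESTATIONS = [create_attestation(ATTESTOR, ATTESTOR_KEYS[ATTESTOR], SCANNED_IMAGE)]

if __name__ == "__main__":
    print(admission_decision(POLICY, ATTESTOR_KEYS, SCANNED_IMAGE, ATTESTATIONS))
    print(admission_decision(POLICY, ATTESTOR_KEYS, "gcr.io/example-project/app:latest", ATTESTATIONS))
    print(admission_decision(POLICY, ATTESTOR_KEYS, "gcr.io/example-project/app@sha256:" + "b" * 64, ATTESTATIONS))
```

The digest binding is the part worth internalising: a successful scan of one build says nothing about the next build pushed under the same tag, which is why the policy evaluates `name@sha256:...` references and why a dry-run enforcement mode should be treated as a rollout aid rather than a gate.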
With the GA launch of Binary Authorization, we’re announcing our support with Black Duck for Google Cloud Build. As part of your Cloud Build pipelines, this custom build step makes it easy to invoke the Black Duck scan. After Black Duck processing, images can be attested as being free of policy violations.
Users of Black Duck have many options when it comes to configuring policies. Whether you want to block unauthorized licenses, ban certain open source components, or flag components with more than one high-severity vulnerability, you can create policies that are digital representations of the business rules that surround your software release practices.
If you’re interested in using Black Duck’s policy engine together with Google’s Binary Authorization workflow, check out the steps to attest an image based on a Black Duck scan.
Not using Google Cloud Build? Perhaps you’re using Jenkins or TeamCity? No problem! As long as you’re using Google Container Registry and GKE, you can use Binary Authorization. The steps to get Black Duck attestations are different and use the Kritis Signer.
Interested in seeing a prototype version of signing images with Kritis? Let us know!
Tomas Gonzalez is an alliance solutions engineer at Synopsys Software Integrity Group.