Google expands security portfolio with risk and compliance as code and extra fuzzing


Google seems to have noted a growing willingness to think about security early on in the software development process and decided to give its customers some support in the matter. 

The result comes in the form of continuous fuzzing project ClusterFuzzLite and a newly compiled stack of products, templates, and integrations to make sure misconfigurations don’t damage the security posture of Google Cloud users.

Unlike its namesake, the fuzzing infrastructure project ClusterFuzz, the open source tool ClusterFuzzLite was developed specifically to run fuzz tests as part of continuous integration workflows. By feeding new code additions or whole programs with unexpected or random inputs and checking the results, the approach is meant to help teams “find vulnerabilities faster than ever before”.

In its current form, ClusterFuzzLite features capabilities to check pull requests as they come in to prevent bugs from making their way into the codebase, batch fuzzing to find deeper hidden issues, and coverage reports to see which parts of the code have been tested. There’s also a download function for crashing test cases, so that those can be investigated further.

ClusterFuzzLite should be able to find bugs in code written in C, C++, Java and JVM languages, Go, Python, Rust and Swift. It promises to be ready for service after adding “just a few lines of code”, and works with GitHub Actions, Google Cloud Build, and Kubernetes-based Prow, though support for other CI systems is said to be in development. 
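To show what a fuzz target of the kind ClusterFuzzLite builds and runs looks like, here is an added example in C that is not code from the article or from the ClusterFuzzLite project. It assumes a constructed, hypothetical record format (one length byte followed by that many payload bytes) and uses `LLVMFuzzerTestOneInput`, the libFuzzer entry point that OSS-Fuzz-style targets expose; the `main` only replays a saved crashing test case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical input format (constructed for this example): a sequence of
 * records, each a 1-byte length followed by that many payload bytes. */
enum { MAX_RECORDS = 64 };

/* Parses records and stores each record's payload length in lens[].
 * Returns the record count, or -1 when the input is malformed: a record
 * that claims more bytes than remain (exactly the truncated input a fuzzer
 * produces) or more records than lens[] can hold. Without the first check
 * the parser would read past the buffer and AddressSanitizer would flag it
 * as a crash in the pull request run. */
int parse_records(const uint8_t *data, size_t size, size_t lens[MAX_RECORDS]) {
    size_t off = 0;
    int count = 0;
    while (off < size) {
        size_t len = data[off++];
        if (len > size - off)       /* truncated record */
            return -1;
        if (count == MAX_RECORDS)   /* too many records for the caller's array */
            return -1;
        lens[count++] = len;
        off += len;                 /* skip the payload */
    }
    return count;
}

/* libFuzzer entry point: the engine calls this repeatedly with mutated data
 * and reports any sanitizer-detected fault as a crashing test case. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    size_t lens[MAX_RECORDS];
    (void)parse_records(data, size, lens);
    return 0;  /* non-zero return values are reserved by libFuzzer */
}

/* Stand-alone reproducer: replay a crashing test case downloaded from the
 * fuzzing run through the same entry point the fuzzer used. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <testcase>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    static uint8_t buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
```

In a CI run the target is compiled with a sanitizer and linked against libFuzzer, so only the parser and the entry point are project code; the reproducer is for investigating a saved test case locally.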

While undefined behaviour and memory safety issues have been at the core of many vulnerabilities for at least the last two decades, moving functionality or whole applications to the cloud has made teams aware of misconfiguration as another source of security risk. Sensible defaults and a shift towards codified policies and infrastructure can help here, which is why Google Cloud now offers a Risk and Compliance as Code (RCaC) solution.

The package bundles a policy library mapped to compliance frameworks, blueprints for architectural changes and codification, and products such as Risk Manager (currently in preview), Assured Workloads for running secure and compliant workloads, and the security management platform Security Command Center (SCC).

While the blueprints serve as templates that reduce misconfigurations and automate processes, SCC helps set up a compliance and monitoring environment and integrates with other security products to detect drift between the desired and the actual state more quickly.

Pricing details are available on request only.