Thomas Vitale
Devoxx Ukraine
Sep 2nd, 2022
Supply Chain Security
For Cloud Native Java
@vitalethomas
Slide 2
Thomas Vitale
• Software Architect at Systematic, Denmark.
• Author of “Cloud Native Spring in Action” (Manning).
• OSS Contributor.
thomasvitale.com @vitalethomas
Slide 3
Software Supply Chain
#devoxxUA @vitalethomas
Slide 4
Software Supply Chain
The set of everything needed to deliver software to production, including code, dependencies, tools, practices, and people.
Slide 5
Software Supply Chain
Every step has multiple security risks and impacts.
Stages: Source Code, Materials, Build, Artefacts, Deployment
CNCF Software Supply Chain Security Paper
https://github.com/cncf/tag-security/tree/main/supply-chain-security
Slide 6
Supply Chain Security
Tools are not enough: organization, practices, tools.
Slide 7
Where to begin?
Slide 8
Containerization
Slide 9
Dockerfiles
“Dockerfiles are easy to write, but the current development guidelines do not produce containers that are repeatable and hardened.”
CNCF Software Supply Chain Security Paper
https://github.com/cncf/tag-security/tree/main/supply-chain-security
Slide 10
Cloud Native Buildpacks
Slide 11
buildpacks.io
Slide 12
Cloud Native Buildpacks
From source code to container image
Diagram: source code → pack build → Image
Cloud Native Buildpacks
https://buildpacks.io
Slide 13
Cloud Native Buildpacks
From source code to container image
• Separation of concerns
• Security and compliance
• Maintainability
• Advanced caching
• Multi-language and multi-platform
• Reusability
Cloud Native Buildpacks
https://buildpacks.io
Slide 14
paketo.io
Slide 15
Software Supply Chain
Every step has multiple security risks and impacts.
Stages: Source Code, Materials, Build, Artefacts, Deployment
CNCF Software Supply Chain Security Paper
https://github.com/cncf/tag-security/tree/main/supply-chain-security
Slide 16
Securing a software supply chain
1. Securing the Source Code
2. Securing the Materials
3. Securing the Build Pipelines
4. Securing the Artefacts
5. Securing Deployments
CNCF Software Supply Chain Security Paper
https://github.com/cncf/tag-security/tree/main/supply-chain-security
Slide 17
1. Securing the Source Code
Slide 18
Require signed commits
Keyless Git signing with Sigstore
# Sign all commits
git config --local commit.gpgsign true
# Sign all tags
git config --local tag.gpgsign true
# Use gitsign for signing
git config --local gpg.x509.program gitsign
# gitsign expects x509 args
git config --local gpg.format x509
Sigstore gitsign
https://github.com/sigstore/gitsign
Generate an immutable SBOM
Software Bills of Materials with Syft
syft band-service
• Generate an SBOM from a pre-built image
pack sbom download band-service
• Extract the SBOMs generated at build time by Buildpacks
Syft
https://github.com/anchore/syft
3. Securing the Build Pipelines
Slide 29
Eliminate sources of non-determinism
Reproducible builds with Cloud Native Buildpacks
Diagram: pack build run on the same source at different points in time yields the same Image (Image = Image).
Cloud Native Buildpacks
https://buildpacks.io
Slide 31
SLSA Framework
Slide 32
SLSA
https://slsa.dev
Slide 33
SLSA
https://slsa.dev
Slide 34
SLSA Level 1
Documentation of the build process
Build ❖ All build steps defined in a script
Provenance ❖ Provenance data available to the consumer
SLSA
https://slsa.dev
Sign every step in the build process
Signing artefacts with Sigstore cosign
cosign sign band-service
• Sign container image
cosign attest \
  --predicate predicate.att \
  --type slsaprovenance \
  band-service
• Sign provenance and add attestation to image
Sigstore cosign
https://github.com/sigstore/cosign
Slide 38
SLSA Level 2
Tamper resistance of the build service
Source ❖ Every change to the source is tracked in a version control system
Build ❖ All build steps ran using some build service, not on a developer’s workstation
Provenance ❖ Data in the provenance obtained from build service
❖ The provenance’s authenticity and integrity can be verified by the consumer.
SLSA
https://slsa.dev
Slide 39
5. Securing Deployment
Slide 40
Perform verification of artefacts
Verifying signatures and provenance with Kyverno
• Keyless verification of the image signature
  • If the image is not compliant, the deployment is blocked
• Keyless verification of the SLSA provenance metadata
  • If the provenance is not compliant, the deployment is blocked
Kyverno
https://kyverno.io
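As an added example (not from the talk and not Kyverno's own sample), a Kyverno ClusterPolicy that enforces the two checks on this slide in a single rule. All concrete values are placeholders: the image is assumed to be published under ghcr.io/example-org/band-service and to have been signed and attested keyless from a GitHub Actions workflow (hence the Fulcio subject and OIDC issuer), and the expected builder.id and configSource.uri must match whatever your pipeline writes into the SLSA provenance predicate.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-band-service-supply-chain
spec:
  # Enforce (not Audit): a Pod that fails any check below is rejected.
  validationFailureAction: Enforce
  failurePolicy: Fail
  rules:
    - name: keyless-signature-and-slsa-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder registry path; the talk only names the image band-service.
        - imageReferences:
            - "ghcr.io/example-org/band-service*"
          # Check 1: keyless cosign signature. The Fulcio certificate must
          # name the project's GitHub Actions workflow (placeholder identity).
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/example-org/band-service/.github/workflows/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          # Check 2: a keyless-signed SLSA provenance attestation, i.e. what
          # `cosign attest --type slsaprovenance` attaches to the image.
          attestations:
            - type: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keyless:
                        subject: "https://github.com/example-org/band-service/.github/workflows/*"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
              # Conditions are evaluated against the provenance predicate itself,
              # so a valid signature from the wrong builder or repository still fails.
              conditions:
                - all:
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "https://github.com/example-org/band-service/.github/workflows/build.yml@refs/heads/main"
                    - key: "{{ invocation.configSource.uri }}"
                      operator: Equals
                      value: "git+https://github.com/example-org/band-service@refs/heads/main"
```

Kyverno records the verified digest on the admitted Pod, so a tag that is later moved to an unsigned image is still rejected at the next admission.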