Slide 1

Supply Chain Security For Cloud Native Java
Thomas Vitale (@vitalethomas), Devoxx Ukraine, Sep 2nd, 2022

Slide 2

Thomas Vitale
• Software Architect at Systematic, Denmark.
• Author of “Cloud Native Spring in Action” (Manning).
• OSS Contributor.
thomasvitale.com, @vitalethomas

Slide 3

Software Supply Chain #devoxxUA @vitalethomas

Slide 4

Software Supply Chain: the set of everything needed to deliver software to production, including code, dependencies, tools, practices, and people.

Slide 5

Software Supply Chain: every step has multiple security risks and impacts.
Stages: Source Code -> Materials -> Build -> Artefacts -> Deployment
CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security

Slide 6

Supply Chain Security: tools are not enough. It takes organization, practices, and tools.

Slide 7

Where to begin?

Slide 8

Containerization

Slide 9

Dockerfiles
“Dockerfiles are easy to write, but the current development guidelines do not produce containers that are repeatable and hardened.”
CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security

Slide 10

Cloud Native Buildpacks

Slide 11

buildpacks.io

Slide 12

Cloud Native Buildpacks: from source code to container image.
Source code -> pack build -> Image
Cloud Native Buildpacks: https://buildpacks.io

Slide 13

Cloud Native Buildpacks: from source code to container image
• Separation of concerns
• Security and compliance
• Maintainability
• Advanced caching
• Multi-language and multi-platform
• Reusability
Cloud Native Buildpacks: https://buildpacks.io

Slide 14

paketo.io

Slide 15

Software Supply Chain (recap of Slide 5): every step has multiple security risks and impacts.
Stages: Source Code -> Materials -> Build -> Artefacts -> Deployment
CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security

Slide 16

Securing a software supply chain
1. Securing the Source Code
2. Securing the Materials
3. Securing the Build Pipelines
4. Securing the Artefacts
5. Securing Deployments
CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security

Slide 17

1. Securing the Source Code

Slide 18

Require signed commits: keyless Git signing with Sigstore gitsign (https://github.com/sigstore/gitsign)

# Sign all commits
git config --local commit.gpgsign true
# Sign all tags
git config --local tag.gpgsign true
# Use gitsign for signing
git config --local gpg.x509.program gitsign
# gitsign expects x509 args
git config --local gpg.format x509

Signing on the developer's side is only half of the control: the consumer (code review, CI, or the hosting platform) still has to verify the signature and check that the certificate identity, i.e. the OIDC account that signed, is one it expects. A signature nobody verifies adds nothing.

Slide 19

Sigstore gitsign: https://github.com/sigstore/gitsign

Slide 20

2. Securing the Materials

Slide 21

Generate an immutable SBOM: Software Bills of Materials with Syft (https://github.com/anchore/syft)
• syft band-service: generate an SBOM from a pre-built image
• pack sbom download band-service: extract the SBOMs generated at build time by Buildpacks

What makes the SBOM immutable is not the file but where it lives: attach it to the image as a signed attestation (see the cosign attest step later in the deck) so that the inventory cannot be edited after the fact without breaking the signature.

Slide 22

Scan software for vulnerabilities: vulnerability scanning with Grype (https://github.com/anchore/grype)
• grype ./repos/band-service: scan source code
• grype band-service: scan container image

Grype can also take a Syft SBOM as its input instead of rediscovering packages from the image, so the scan covers exactly the inventory you attested.
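To turn the two commands above into a build gate, here is an added Python example (my code, not the talk's and not the Syft or Grype projects' code). It assumes the Grype `-o json` layout (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.purl`) and a CycloneDX SBOM with `components[].purl`; both documents are constructed inline, with the real Log4Shell and Spring4Shell advisories as sample findings, so it runs offline. It also performs a check the slide only implies: a finding on a package that the SBOM does not declare means the scanned image and the SBOM disagree, which is itself a reason to stop the pipeline.

```python
"""Gate a build on Grype findings, cross-checked against the SBOM.

Added example; not code from the talk, Syft or Grype. The JSON layouts are
assumptions about the tools' output (only the fields read below), and the
two documents are constructed sample data.
"""
import json

# Grype severity labels, lowest to highest.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed CycloneDX-style SBOM for the image (only the fields we read).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "spring-boot", "version": "2.7.3",
         "purl": "pkg:maven/org.springframework.boot/spring-boot@2.7.3"},
    ],
})

# Constructed Grype-style report. The CVE ids and fixed versions are the
# public Log4Shell and Spring4Shell advisories; the spring-beans match is
# deliberately missing from the SBOM above to exercise the drift check.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical",
                       "fix": {"versions": ["2.15.0"], "state": "fixed"}},
     "artifact": {"name": "log4j-core", "version": "2.14.1",
                  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
    {"vulnerability": {"id": "CVE-2021-45046", "severity": "Critical",
                       "fix": {"versions": ["2.16.0"], "state": "fixed"}},
     "artifact": {"name": "log4j-core", "version": "2.14.1",
                  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
    {"vulnerability": {"id": "CVE-2022-22965", "severity": "Critical",
                       "fix": {"versions": ["5.3.18"], "state": "fixed"}},
     "artifact": {"name": "spring-beans", "version": "5.3.17",
                  "purl": "pkg:maven/org.springframework/spring-beans@5.3.17"}},
]})


def sbom_purls(sbom_json):
    """Package URLs the SBOM declares: the inventory the scan should match."""
    return {c["purl"] for c in json.loads(sbom_json).get("components", []) if c.get("purl")}


def triage(grype_json, sbom_json, fail_on="High", ignore=()):
    """Decide whether the build may proceed.

    Blocks on any non-ignored finding at or above `fail_on`, and on any
    finding whose package is absent from the SBOM (the SBOM is then not
    describing the artefact that was scanned). Returns the decision, the
    blocking ids, the upgrade targets per package and the undeclared packages.
    """
    declared = sbom_purls(sbom_json)
    threshold = SEVERITY_RANK[fail_on]
    blocking, fixes, unmapped = [], {}, []
    for match in json.loads(grype_json)["matches"]:
        vuln, art = match["vulnerability"], match["artifact"]
        purl = art.get("purl")
        if purl not in declared:
            unmapped.append((vuln["id"], purl))
        if vuln["id"] in ignore:
            continue  # accepted risk, recorded elsewhere
        if SEVERITY_RANK.get(vuln["severity"], 0) >= threshold:
            blocking.append(vuln["id"])
            fix = vuln.get("fix") or {}
            if fix.get("state") == "fixed":
                fixes.setdefault(purl, set()).update(fix.get("versions", []))
    return {
        "blocked": bool(blocking) or bool(unmapped),
        "blocking": sorted(blocking),
        "fixes": {p: sorted(v) for p, v in fixes.items()},
        "unmapped": sorted(unmapped),
    }


if __name__ == "__main__":
    result = triage(GRYPE_JSON, SBOM_JSON)
    print("blocked:", result["blocked"])
    for vuln_id in result["blocking"]:
        print("  blocking:", vuln_id)
    for purl, versions in result["fixes"].items():
        print("  upgrade", purl, "->", ", ".join(versions))
    for vuln_id, purl in result["unmapped"]:
        print("  not in SBOM:", purl, "(" + vuln_id + ")")
```

The `ignore` set is where accepted risks go; note that it never silences the SBOM-drift check, because an undeclared package is a process failure rather than a risk decision.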

Slide 26

A closer look at CVSS scores: https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/

Slide 27

A closer look at CVSS scores (continued): https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/

Slide 28

3. Securing the Build Pipelines

Slide 29

Eliminate sources of non-determinism: reproducible builds with Cloud Native Buildpacks (https://buildpacks.io)
pack build at time T1 -> Image; pack build at time T2 -> the same Image (identical digest)

The check is cheap: build twice and compare the image digests. They are only equal if everything that feeds the build is pinned (builder and buildpack versions, resolved dependencies, timestamps), so a differing digest points at an unpinned input.
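The diagram above states the goal; the following added Python example (my code, not buildpacks or pack code) shows the mechanism in miniature. An image layer is a tar stream whose digest is the SHA-256 of its bytes, so anything that leaks into the tar headers changes the digest even when the file contents are identical. The function builds the same two constructed files into a layer with and without normalisation: without it, the wall-clock build time and the filesystem walk order end up in the digest; with it, mtimes are pinned to a constant and entries are sorted, which is the kind of normalisation Buildpacks apply so that two builds of the same source hash identically.

```python
"""Two builds of the same files: why the layer digests differ, and the fix.

Added example; not buildpacks or pack code. The two sample files are
constructed. `normalise=False` stamps the build time and keeps insertion
order; `normalise=True` pins the mtime and sorts the entries.
"""
import hashlib
import io
import tarfile

# Constructed sample files of a Java app layer, keyed by path in the layer.
FILES = {
    "app/BOOT-INF/classes/application.yml": b"server.port: 8080\n",
    "app/META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}
# Same content, different order: what a different filesystem walk would give.
FILES_REVERSED = dict(reversed(list(FILES.items())))

FIXED_MTIME = 0  # 1970-01-01T00:00:00Z; any constant works, as long as it is constant


def layer_tar(files, build_time, normalise):
    """Serialise `files` into a tar stream, with or without normalisation."""
    buf = io.BytesIO()
    names = sorted(files) if normalise else list(files)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = FIXED_MTIME if normalise else build_time
            info.uid = info.gid = 0        # constant in both variants: owner ids
            info.uname = info.gname = ""   # and names must never be the builder's
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def layer_digest(files, build_time, normalise):
    """Content-addressable layer id, computed the way a registry would."""
    return "sha256:" + hashlib.sha256(layer_tar(files, build_time, normalise)).hexdigest()


def is_reproducible(files, normalise, t1=1_600_000_000, t2=1_600_000_001):
    """Run the 'build' twice, one second apart, and compare the digests."""
    return layer_digest(files, t1, normalise) == layer_digest(files, t2, normalise)


if __name__ == "__main__":
    for normalise in (False, True):
        print("normalised" if normalise else "raw", "->",
              "reproducible" if is_reproducible(FILES, normalise) else "differs between builds")
```

Pinning timestamps is also why images built with pack report a creation date of 1980-01-01: the time is normalised, not lost, and the trade-off is that `docker images` no longer tells you when the build ran, so that information has to come from the provenance instead.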

Slide 31

SLSA Framework

Slide 32

SLSA: https://slsa.dev

Slide 33

SLSA: https://slsa.dev

Slide 34

SLSA Level 1: documentation of the build process
Build
❖ All build steps defined in a script
Provenance
❖ Provenance data available to the consumer
SLSA: https://slsa.dev

Slide 35

in-toto: https://in-toto.io

Slide 36

4. Securing the Artefacts

Slide 37

Sign every step in the build process: signing artefacts with Sigstore cosign (https://github.com/sigstore/cosign)

# Sign container image
cosign sign band-service

# Sign provenance and add attestation to image
cosign attest \
  --predicate predicate.att \
  --type slsaprovenance \
  band-service

Two practical notes. With cosign 1.x, keyless signing through Fulcio and Rekor is enabled by the COSIGN_EXPERIMENTAL=1 environment variable; without it cosign expects a key pair. And a tag such as band-service is resolved to a digest at signing time, so reference the image by digest when signing and verifying; if the tag is later moved to another image, a signature made for the old digest no longer applies to it.

Slide 38

SLSA Level 2: tamper resistance of the build service
Source
❖ Every change to the source is tracked in a version control system
Build
❖ All build steps ran using some build service, not on a developer’s workstation
Provenance
❖ Data in the provenance obtained from the build service
❖ The provenance’s authenticity and integrity can be verified by the consumer
SLSA: https://slsa.dev

Slide 39

5. Securing Deployment

Slide 40

Perform verification of artefacts: verifying signatures and provenance with Kyverno (https://kyverno.io)
• Keyless verification of the image signature; if the image does not comply, the deployment is blocked
• Keyless verification of the SLSA provenance metadata; if the attestation does not comply, the deployment is blocked

Keyless verification must pin the expected signer, not just check that some valid Sigstore certificate signed the image: the policy has to state the certificate subject (the CI identity or account) and the OIDC issuer it trusts, otherwise anyone able to obtain a Fulcio certificate can produce a signature the cluster accepts. The provenance check likewise needs to name the builder it trusts and to match the attestation's subject digest against the image actually being admitted.
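Slides 37, 38 and 40 describe the two ends of the same object: the build service emits a provenance attestation, and the admission controller verifies it. The following added Python example (my code, not from the talk, cosign, in-toto, SLSA or Kyverno) walks both ends. The real parts are the in-toto Statement layout, the SLSA v0.2 predicate type that `cosign attest --type slsaprovenance` uses, and the DSSE envelope with its pre-authentication encoding (PAE). The stand-in is the signature primitive: HMAC-SHA256 under a shared key (the hypothetical `BUILD_KEY`) so the script runs offline, where cosign would use a short-lived certificate and the Rekor log. The image digest, builder id, commit and build-type URI are constructed sample values. `admit` does the checks the Kyverno slide lists in the order that matters: signature first, then structure, then subject digest, then builder identity.

```python
"""Build-side provenance attestation and deploy-side verification.

Added example; not code from the talk, cosign, in-toto, SLSA or Kyverno.
Real: in-toto Statement layout, SLSA v0.2 predicate type, DSSE envelope
and PAE. Stand-in: HMAC-SHA256 under a shared key instead of cosign's
keyless certificate. All sample values below are constructed.
"""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE = "https://slsa.dev/provenance/v0.2"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample values (hypothetical key, builder and build type).
BUILD_KEY = b"hypothetical-shared-build-key"
IMAGE_REF = "band-service"
IMAGE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()
BUILDER_ID = "https://example.com/hypothetical/build-service"
BUILD_TYPE = "https://example.com/hypothetical/pack-build"
SOURCE_URI = "git+https://github.com/ThomasVitale/band-service"
COMMIT = hashlib.sha1(b"constructed commit").hexdigest()


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b"DSSEv1 %d %s %d " % (len(payload_type), payload_type.encode(), len(payload)) + payload


def attest(image_ref, image_digest, builder_id, commit, key):
    """Build side: wrap SLSA provenance in a signed DSSE envelope."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": image_ref, "digest": {"sha256": image_digest}}],
        "predicateType": SLSA_PROVENANCE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": BUILD_TYPE,
            "invocation": {"configSource": {"uri": SOURCE_URI, "digest": {"sha1": commit}}},
            "materials": [{"uri": SOURCE_URI, "digest": {"sha1": commit}}],
            "metadata": {"completeness": {"materials": True}, "reproducible": False},
        },
    }
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "build-key", "sig": base64.b64encode(sig).decode()}],
    }


def admit(envelope, deployed_digest, trusted_builders, key):
    """Deploy side: the checks an admission policy makes. Returns (allowed, reason).

    The signature is checked over the PAE before the payload is parsed, so
    only authenticated bytes are ever interpreted.
    """
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        return False, "signature does not verify"
    if envelope["payloadType"] != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != SLSA_PROVENANCE:
        return False, "not a SLSA provenance attestation"
    if not any(s.get("digest", {}).get("sha256") == deployed_digest for s in statement.get("subject", [])):
        return False, "attestation does not cover the deployed image digest"
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, "untrusted builder: %s" % builder
    return True, "ok"


def tamper(envelope, new_builder_id):
    """What an attacker with registry write access can do: edit the payload, keep the old signature."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["predicate"]["builder"]["id"] = new_builder_id
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    return {**envelope, "payload": base64.b64encode(payload).decode()}


if __name__ == "__main__":
    env = attest(IMAGE_REF, IMAGE_DIGEST, BUILDER_ID, COMMIT, BUILD_KEY)
    print(admit(env, IMAGE_DIGEST, {BUILDER_ID}, BUILD_KEY))
    print(admit(tamper(env, "https://example.com/attacker"), IMAGE_DIGEST, {BUILDER_ID}, BUILD_KEY))
```

In a real deployment the `key` argument becomes the signer identity check from the note above (certificate subject and OIDC issuer) and the envelope is fetched from the registry next to the image; the four checks in `admit` stay the same.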

Slide 41

Cartographer

Slide 42

Cartographer: https://cartographer.sh

Slide 43

Minimal Supply Chain: Source -> Image -> URL
1. Checkout source code
2. Package as container image
3. Deploy to Kubernetes

Slide 44

Resources

Slide 45

https://github.com/ThomasVitale/awesome-spring

Slide 46

Supply Chain Security For Cloud Native Java
Thomas Vitale (@vitalethomas), Devoxx Ukraine, Sep 2nd, 2022
Source code: https://github.com/ThomasVitale/band-service