Slide 1

Thomas Vitale, Devoxx Belgium, Oct 6th, 2023
Securing the Supply Chain For Your Java Applications
@vitalethomas

Slide 2

Thomas Vitale (Systematic), thomasvitale.com
• Software Engineer and Cloud Architect.
• Author of "Cloud Native Spring in Action" (Manning).
• OSS contributor (Java, Spring, Cloud Native Technologies).

Slide 3

Software Supply Chain

Slide 4

Software Supply Chain
The set of everything needed to deliver software to production, including code, dependencies, tools, practices, and people.

Slide 5

Three recent supply-chain incidents (press coverage):
• Log4Shell (Log4j): https://www.wired.com/story/log4j-log4shell/
• Travis CI flaw exposed secrets for thousands of open-source projects: https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/
• UAParser.js infected versions: https://usa.kaspersky.com/blog/uaparser-js-infected-versions/25614/

Slide 6

Software Supply Chain
Every step has multiple security risks and impacts. Stages: Source Code, Build, Dependencies, Artifacts, Deployment.
CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security

Slide 7

Supply Chain Security
Tools are not enough: it takes People, Practices and Tools.

Slide 8

Where to begin?

Slide 9

1. Securing the Source Code

Slide 10

Git
Source control gives an audit trail of every change. Can we trust it? Who did this change?

Slide 11

Require signed commits
Make the audit trail trustworthy:
• Traditional Git signing with keys (GPG, SSH, ...)
• Keyless Git signing with Gitsign
• Reject unverified commits

$ git commit -S -m "My changes"

Slide 12

Require signed commits
Git signing with GPG keys

# Sign all commits
git config --local commit.gpgsign true
# Sign all tags
git config --local tag.gpgsign true
# Set the GPG signing key ID
git config --local user.signingkey <key-id>

Slide 13

Require signed commits
Keyless Git signing with Sigstore Gitsign: https://github.com/sigstore/gitsign

# Sign all commits
git config --local commit.gpgsign true
# Sign all tags
git config --local tag.gpgsign true
# Use Gitsign for signing
git config --local gpg.x509.program gitsign
# Gitsign expects x509 args
git config --local gpg.format x509

Slide 14

Sigstore Gitsign: https://github.com/sigstore/gitsign

Slide 15

Provenance
Proved and validated history of a software component across its supply chain.

Slide 16

2. Securing the Dependencies

Slide 17

Dependency Management (Java)

Slide 18

Dependency Management (Java)
• Which dependencies are we fetching?
• Where are we fetching the dependencies from?
• How are dependency conflicts resolved?

Slide 19

Locking Dependency Versions
Generating a lock file with Gradle

build.gradle:
dependencyLocking {
    lockAllConfigurations()
}

$ gradle dependencies --write-locks

Slide 20

Locking Dependency Versions
Generating a lock file with a Maven plugin (se.vandmo:dependency-lock-maven-plugin)

pom.xml:
<plugin>
    <groupId>se.vandmo</groupId>
    <artifactId>dependency-lock-maven-plugin</artifactId>
    <version>1.0</version>
    <executions>
        <execution>
            <id>check</id>
            <phase>validate</phase>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

$ mvn se.vandmo:dependency-lock-maven-plugin:lock

Slide 21

SBOM
"A Software Bill of Materials (SBOM) is a nested inventory for software, a list of ingredients that make up software components."
NTIA, https://ntia.gov/SBOM

Slide 22

SBOMs
Data Exchange Formats

Slide 23

SBOMs: what can we use them for?
• Inventory of all software components
• Validate the licenses for each component
• Check for security vulnerabilities
• Find outdated components
• Verify integrity for each component

Slide 24

When?

Slide 25

SBOM from an artifact, using Syft: https://github.com/anchore/syft

# Generate an SBOM from a JAR
syft band-service.jar
# Generate an SBOM from an OCI image
syft ghcr.io/thomasvitale/band-service

Slide 26

SBOM from the source code, using the CycloneDX Generator (cdxgen): https://cyclonedx.github.io/cdxgen

# Generate an SBOM from the source code
cdxgen -o bom.json

Slide 27

SBOM as part of the build lifecycle
Using the CycloneDX Gradle plugin: https://github.com/CycloneDX/cyclonedx-gradle-plugin

build.gradle:
plugins {
    id 'org.cyclonedx.bom' version '1.7.4'
}
tasks.build.finalizedBy 'cyclonedxBom'

$ gradle build

Slide 28

SBOM as part of the build lifecycle
Using the CycloneDX Maven plugin: https://github.com/CycloneDX/cyclonedx-maven-plugin

pom.xml:
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>

$ mvn package

Slide 29

Now what?

Slide 30

Vulnerability scanning
Scan an SBOM for security vulnerabilities with Trivy: https://trivy.dev

$ trivy sbom bom.json

Slide 31

Managing Supply Chain Risks
OWASP Dependency-Track: https://dependencytrack.org

Slide 32

VEX
"Vulnerability Exploitability eXchange (VEX) is a vulnerability document designed to complement a Software Bill of Materials (SBOM) that informs users of a software product about the applicability of one or more vulnerability findings."
OpenVEX, http://openvex.dev

Slide 33

3. Securing the Build

Slide 34

Packaging Spring Boot: JAR, Container Image, Native

Artifact     Gradle           Maven
JAR          bootJar          package
OCI Image    bootBuildImage   spring-boot:build-image
Native       nativeCompile    -Pnative native:compile

Slide 35

"Friends don't let friends write Dockerfiles!" - Josh Long

Slide 36

Dockerfiles
"Dockerfiles are easy to write, but the current development guidelines do not produce containers that are repeatable and hardened."
CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security

Slide 37

Cloud Native Buildpacks: https://buildpacks.io
From source code to container image: pack build produces the Image.

Slide 38

Cloud Native Buildpacks: https://buildpacks.io
From source code to container image: pack build, or gradle bootBuildImage, produces the Image.

Slide 39

Reproducible builds with Cloud Native Buildpacks: https://buildpacks.io
Eliminate sources of non-determinism: running pack build twice on the same source, at different times, yields the same image (the build time is not an input).

Slide 40

4. Securing the Artifacts

Slide 41

Sign every step in the build process
Signing artifacts with Sigstore Cosign: https://github.com/sigstore/cosign
• Sign binaries (JAR, native executable)
• Sign SBOM
• Sign OCI image

Slide 42

Sign every step in the build process
Signing artifacts with Sigstore Cosign: https://github.com/sigstore/cosign

# Sign container image
cosign sign band-service
# Attach SBOM to container image
cosign attach sbom --sbom bom.json band-service
# Sign SBOM
cosign sign band-service:.sbom

Cosign warns when an image is referenced by tag, since a tag can be moved after signing; in a pipeline, sign the immutable reference (image@sha256:...) the build just pushed.

Slide 43

SLSA

Slide 44

SLSA: https://slsa.dev

Slide 45

SLSA: https://slsa.dev

Slide 46

Provenance
Proved and validated history of a software component across its supply chain.

Slide 47

SLSA Build: supply chain security levels for the build provenance (https://slsa.dev)
• Level 1: the artifact has provenance showing how it was built.
• Level 2: the build runs on a hosted build platform that generates and signs the provenance itself.
• Level 3: the build runs on a hardened build platform that offers strong tamper protection (non-falsifiable provenance).

Slide 48

SLSA GitHub Provenance Generator (SLSA Build Level 3): https://github.com/slsa-framework/slsa-github-generator

name: Build
on: [push]
jobs:
  build:
    ...
  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      packages: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: ${{ image-name }}
      digest: ${{ image-digest }}
      registry-username: ${{ registry-username }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

Slide 49

in-toto: https://in-toto.io

Slide 50

5. Securing the Deployment

Slide 51

Validating artifact metadata for secure deployments
• Verify signatures
• Verify vulnerability report
• Verify SLSA provenance

Slide 52

Validating artifact metadata
Verify signatures with Sigstore Cosign: https://github.com/sigstore/cosign

$ cosign verify \
    --certificate-identity-regexp https://github.com/ThomasVitale \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    ghcr.io/thomasvitale/band-service | jq

Both the identity and the issuer must be pinned: the identity alone would accept a certificate from any OIDC provider that can mint that subject. Anchor the regular expression as well (for example ^https://github.com/ThomasVitale/), otherwise it also matches identities that merely start with the same prefix.

Slide 53

Validating artifact metadata
Verify provenance with SLSA Verifier: https://github.com/slsa-framework/slsa-verifier

$ slsa-verifier verify-image \
    ghcr.io/thomasvitale/band-service: \
    --source-uri github.com/ThomasVitale/band-service

verify-image takes an immutable image reference (image@sha256:...), so the provenance subject can be matched against the exact digest being deployed; the digest is elided on the slide.

Slide 54

Perform verification of artifacts
Verifying signatures and provenance with Kyverno: https://kyverno.io
• Keyless verification of the image signature; if the image does not comply, the deployment is blocked.
• Keyless verification of the SLSA provenance metadata; if the provenance does not comply, the deployment is blocked.

Slide 55

Resources

Slide 56

Resources: software supply chain security
• Presentation source code
• How to create SBOMs in Java with Maven and Gradle
• SnakeYaml 2.0: Solving the unsafe deserialization vulnerability
• What Are Cloud Native Buildpacks and How Do They Work?
• OWASP Dependency Track and CycloneDX SBOM Standard
• Chainguard Academy

Slide 57

Thomas Vitale, Devoxx Belgium, Oct 6th, 2023
Securing the Supply Chain For Your Java Applications