Securing the Supply Chain for Your Java Applications

Transcript

1. Thomas Vitale Devoxx Belgium Oct 6th, 2023 Securing the Supply

   Chain For Your Java Applications @vitalethomas

2. Systematic • Software Engineer and Cloud Architect. • Author of

   “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas

3. Software Supply Chain @vitalethomas

4. Software Supply Chain The set of everything needed to deliver

   software to production, including code, dependencies, tools, practices, and people. @vitalethomas

5. @vitalethomas https://www.wired.com/story/log4j-log4shell/ https://arstechnica.com/information-technology/2021/09/travis-ci- fl aw-exposed-secrets-for-thousands-of-open-source-projects/ https://usa.kaspersky.com/blog/uaparser-js-infected-versions/25614/

6. Software Supply Chain Every step has multiple security risks and

   impacts CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security Source Code Build Dependencies Artifacts Deployment @vitalethomas

7. Supply Chain Security Tools are not enough PEOPLE PRACTICES TOOLS

   @vitalethomas

8. Where to begin? @vitalethomas

9. 1. Securing the Source Code @vitalethomas

10. Git Source control Audit trail of every change Can we

    trust it? Who did this change? @vitalethomas

11. Require signed commits Make the audit trail trustworthy Traditional Git

    signing with keys (GPG, SSH…) Reject unveri fi ed commits Keyless Git signing with Gitsign @vitalethomas $ git commit -S -m “My changes”

12. Require signed commits Git signing with GPG keys # Sign

    all commits git config --local commit.gpgsign true # Sign all tags git config --local tag.gpgsign true # Set the GPG signing key ID git config --local user.signingkey <key-id> @vitalethomas

13. Require signed commits Keyless Git signing with Sigstore Sigstore Gitsign

    https://github.com/sigstore/gitsign # Sign all commits git config --local commit.gpgsign true # Sign all tags git config --local tag.gpgsign true # Use Gitsign for signing git config --local gpg.x509.program gitsign # Gitsign expects x509 args git config --local gpg.format x509 @vitalethomas

14. Sigstore Gitsign https://github.com/sigstore/gitsign @vitalethomas

15. Provenance Proved and validated history of a software component across

    its supply chain. @vitalethomas

16. 2. Securing the Dependencies @vitalethomas

17. Dependency Management Java @vitalethomas

18. Dependency Management Java Where are we fetching the dependencies from?

    How are dependency con fl icts solved? Which dependencies are we fetching? @vitalethomas

19. Locking Dependency Versions Generating a lock fi le with Gradle

    @vitalethomas $ gradle dependencies —write-locks dependencyLocking { lockAllConfigurations() } build.gradle

20. Locking Dependency Versions Generating a lock fi le with a

    Maven plugin @vitalethomas $ mvn se.vandmo:dependency-lock-maven-plugin:lock <build> <plugins> <plugin> <groupId>se.vandmo</groupId> <artifactId>dependency-lock-maven-plugin</artifactId> <version>1.0</version> <executions> <execution> <id>check</id> <phase>validate</phase> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin> </plugins> </build> pom.xml

21. SBOM “A Software Bill of Materials (SBOM) is a nested

    inventory for software, a list of ingredients that make up software components.” NTIA https://ntia.gov/SBOM @vitalethomas

22. SBOMs Data Exchange Formats @vitalethomas

23. SBOMs What can we use them for? Inventory of all

    software components Validate the licenses for each component Check for security vulnerabilities @vitalethomas Find outdated components Verify integrity for each component

24. When? @vitalethomas

25. SBOM from an artifact Using Syft Syft https://github.com/anchore/syft syft band-service.jar

    • Generate a SBOM from a JAR syft ghcr.io/thomasvitale/band-service • Generate a SBOM from an OCI image @vitalethomas

26. SBOM from the source code Using the CycloneDX Generator cdxgen

    https://cyclonedx.github.io/cdxgen cdxgen -o bom.json • Generate a SBOM from the source code @vitalethomas

27. SBOM as part of the build lifecycle Using the CycloneDX

    Gradle plugin CycloneDX Gradle Plugin https://github.com/CycloneDX/cyclonedx-gradle-plugin @vitalethomas $ gradle build plugins { id 'org.cyclonedx.bom' version '1.7.4' } tasks.build.finalizedBy 'cyclonedxBom' build.gradle

28. SBOM as part of the build lifecycle Using the CycloneDX

    Maven plugin @vitalethomas $ mvn package <plugins> <plugin> <groupId>org.cyclonedx</groupId> <artifactId>cyclonedx-maven-plugin</artifactId> <executions> <execution> <phase>package</phase> <goals> <goal>makeAggregateBom</goal> </goals> </execution> </executions> </plugin> </plugins> pom.xml CycloneDX Maven Plugin https://github.com/CycloneDX/cyclonedx-maven-plugin

29. Now what? @vitalethomas

30. Vulnerability scanning Scan for security vulnerabilities with Trivy Trivy https://trivy.dev

    @vitalethomas $ trivy sbom bom.json

31. Managing Supply Chain Risks OWASP Dependency Track Dependency Track https://dependencytrack.org

    @vitalethomas

32. VEX “Vulnerability Exploitability eXchange (VEX) is a vulnerability document designed

    to complement a Software Bill of Materials (SBOM) that informs users of a software product about the applicability of one or more vulnerability findings.” OpenVEX http://openvex.dev @vitalethomas

33. 3. Securing the Build @vitalethomas

34. Packaging Spring Boot JAR & Container Image JAR OCI Image

    Gradle bootJar Maven package Gradle bootBuildImage Maven spring-boot:build-image @vitalethomas Native Gradle nativeCompile Maven -Pnative native:compile

35. “Friends don’t let friends write Dockerfiles!” - Josh Long @vitalethomas

36. Dockerfiles “Dockerfiles are easy to write, but the current development

    guidelines do not produce containers that are repeatable and hardened.” CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security @vitalethomas

37. Image pack build Cloud Native Buildpacks From source code to

    container image @vitalethomas Cloud Native Buildpacks https://buildpacks.io

38. Image pack build gradle bootBuildImage Cloud Native Buildpacks From source

    code to container image @vitalethomas Cloud Native Buildpacks https://buildpacks.io

39. Eliminate sources of non-determinism Reproducible builds with Cloud Native Buildpacks

    Cloud Native Buildpacks https://buildpacks.io Image pack build Image pack build Time = = @vitalethomas

40. 4. Securing the Artifacts @vitalethomas

41. Sign every step in the build process Signing artifacts with

    Sigstore Cosign Sigstore Cosign https://github.com/sigstore/cosign @vitalethomas Sign binaries (JAR, native executable) Sign SBOM Sign OCI image

42. Sign every step in the build process Signing artifacts with

    Sigstore Cosign cosign sign band-service • Sign container image cosign attach sbom --sbom bom.json band-service • Attach SBOM to container image Sigstore Cosign https://github.com/sigstore/cosign @vitalethomas cosign sign band-service:<digest>.sbom • Sign SBOM

43. SLSA @vitalethomas

44. SLSA https://slsa.dev @vitalethomas

45. SLSA https://slsa.dev @vitalethomas

46. Provenance Proved and validated history of a software component across

    its supply chain. @vitalethomas

47. SLSA Build Supply chain security levels for the build provenance

    Level 1 The artifact has provenance showing how it was built. Level 2 The build runs on a hosted build platform that generates and signs the provenance itself. SLSA https://slsa.dev Level 3 The build runs on a hardened build platform that offers strong tamper protection (non-falsi fi able provenance). @vitalethomas

48. SLSA GitHub Provenance Generator SLSA Build Level 3 @vitalethomas name:

    Build on: [push] jobs: build: ... provenance: needs: [build] permissions: actions: read id-token: write packages: write uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] with: image: ${{ image-name }} digest: ${{ image-digest }} registry-username: ${{ registry-username }} secrets: registry-password: ${{ secrets.GITHUB_TOKEN }} SLSA GitHub Generator https://github.com/slsa-framework/slsa-github-generator

49. in-toto https://in-toto.io @vitalethomas

50. 5. Securing the Deployment @vitalethomas

51. Validating artifacts metadata Secure deployments @vitalethomas Verify signatures Verify vulnerability

    report Verify SLSA provenance

52. Validating artifacts metadata Verify signatures with Sigstore Cosign Sigstore Cosign

    https://github.com/sigstore/cosign @vitalethomas $ cosign verify \ --certificate-identity-regexp \ https://github.com/ThomasVitale \ --certificate-oidc-issuer \ https://token.actions.githubusercontent.com \ ghcr.io/thomasvitale/band-service | jq

53. Validating artifacts metadata Verify provenance with SLSA Veri fi er

    SLSA Veri fi er https://github.com/slsa-framework/slsa-veri fi er $ slsa-verifier verify-image \ ghcr.io/thomasvitale/band-service:<digest> \ —source-uri github.com/ThomasVitale/band-service

54. Perform verification of artifacts Verifying signatures and provenance with Kyverno

    • Keyless veri fi cation of image signature • If missing compliance, the deployment is blocked • Keyless veri fi cation of the SLSA provenance metadata • If missing compliance, the deployment is blocked. Kyverno https://kyverno.io @vitalethomas

55. Resources @vitalethomas

56. Resources Software supply chain security • Presentation source code •

    How to create SBOMs in Java with Maven and Gradle • SnakeYaml 2.0: Solving the unsafe deserialization vulnerability • What Are Cloud Native Buildpacks and How Do They Work? • OWASP Dependency Track and CycloneDX SBOM Standard • Chainguard Academy @vitalethomas

57. Thomas Vitale Devoxx Belgium Oct 6th, 2023 Securing the Supply

    Chain For Your Java Applications @vitalethomas