Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Supply Chain Security for Cloud Native Java

Thomas Vitale
September 02, 2022
Technology
0
350

Supply Chain Security for Cloud Native Java

Securing our software supply chain has never been so critical. Security is a dynamic and evolving property of a system, and bad actors can exploit vulnerabilities in multiple ways while we’re busy migrating our applications to the cloud and Kubernetes. In the Java ecosystem, the severe vulnerabilities affecting the widely used Log4J2 library made it even more evident that we must have a strategy to protect our systems.

This presentation focuses on how to secure the supply chain for cloud native Java applications. It covers techniques, patterns, and technologies for secure dependency management, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. It also addresses a few options for handling supply chain security in a Kubernetes-native way.

You’ll see a live demonstration of the practices and technologies explained during the presentation, relying exclusively on open-source tools.

Thomas Vitale

September 02, 2022
Tweet

More Decks by Thomas Vitale

See All by Thomas Vitale
Concerto for Java and AI - Building Production-Ready LLM Applications
thomasvitale
0
54
Developer Experience on Kubernetes
thomasvitale
1
96
Unlocking New Platform Experiences With Open Interfaces
thomasvitale
0
79
Concerto for Java and AI - Building Production-Ready LLM Applications
thomasvitale
1
260
Dapr and Spring Boot - Solving the Challenges of Distributed Systems
thomasvitale
1
140
Securing the Supply Chain for Your Java Applications
thomasvitale
0
170
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
380
Supercharge your Kubernetes Platform with Carvel
thomasvitale
0
49
Multitenant Mystery: Every Bean Has a Secret
thomasvitale
1
260

Other Decks in Technology

See All in Technology
一休.comレストランにおけるRustの活用
kymmt90
3
640
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
250
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
18
4.2k
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
150
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
2
750
20241108_CS_LLMMT
shigashiyama
0
120
End of Barrel Files: New Modularization Techniques with Sheriff
rainerhahnekamp
0
210
株式会社ログラス − エンジニア向け会社説明資料 / Loglass Comapany Deck for Engineer
loglass2019
3
28k
신뢰할 수 있는 AI 검색 엔진을 만들기 위한 Liner의 여정
huffon
0
450
家具家電付アパートの冷蔵庫をIoT化してみた!
scbc1167
0
140
マルチモーダルRAGやってみた
tanimon
0
110

Featured

See All Featured
Why Our Code Smells
bkeepers
PRO
334
57k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
Writing Fast Ruby
sferik
626
61k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
How to Ace a Technical Interview
jacobian
275
23k
It's Worth the Effort
3n
183
27k
Optimizing for Happiness
mojombo
376
69k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
108
49k
Producing Creativity
orderedlist
PRO
341
39k
Rails Girls Zürich Keynote
gr2m
93
13k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k

Transcript

  1. Thomas Vitale Devoxx Ukraine Sep 2nd, 2022 Supply Chain Security

    For Cloud Native Java @vitalethomas

  2. Systematic • Software Architect at Systematic, Denmark. • Author of

    “Cloud Native Spring in Action” (Manning). • OSS Contributor. Thomas Vitale thomasvitale.com @vitalethomas

  3. Software Supply Chain #devoxxUA @vitalethomas

  4. Software Supply Chain The set of everything needed to deliver

    software to production, including code, dependencies, tools, practices, and people. #devoxxUA @vitalethomas

  5. #devoxxUA @vitalethomas Software Supply Chain Every step has multiple security

    risks and impacts CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security Source Code Build Materials Artefacts Deployment

  6. Supply Chain Security Tools are not enough ORGANIZATION PRACTICES TOOLS

    #devoxxUA @vitalethomas

  7. Where to begin? #devoxxUA @vitalethomas

  8. Containerization #devoxxUA @vitalethomas

  9. Dockerfiles “Dockerfiles are easy to write, but the current development

    guidelines do not produce containers that are repeatable and hardened.” #devoxxUA @vitalethomas CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security

  10. Cloud Native Buildpacks #devoxxUA @vitalethomas

  11. buildpacks.io #devoxxUA @vitalethomas

  12. Image pack build Cloud Native Buildpacks From source code to

    container image #devoxxUA @vitalethomas Cloud Native Buildpacks https://buildpacks.io

  13. Cloud Native Buildpacks From source code to container image Separation

    of concerns Security and compliance Maintainability Advanced caching Multi-language and multi-platform Reusability #devoxxUA @vitalethomas Cloud Native Buildpacks https://buildpacks.io

  14. paketo.io #devoxxUA @vitalethomas

  15. #devoxxUA @vitalethomas Software Supply Chain Every step has multiple security

    risks and impacts CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security Source Code Build Materials Artefacts Deployment

  16. Securing a software supply chain 1 Securing the Source Code

    CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security 2 Securing the Materials 3 Securing the Build Pipelines 4 Securing the Artefacts 5 Securing Deployments #devoxxUA @vitalethomas

  17. 1. Securing the Source Code #devoxxUA @vitalethomas

  18. #devoxxUA @vitalethomas Require signed commits Keyless Git signing with Sigstore

    Sigstore gitsign https://github.com/sigstore/gitsign # Sign all commits git config --local commit.gpgsign true # Sign all tags git config --local tag.gpgsign true # Use gitsign for signing git config --local gpg.x509.program gitsign # gitsign expects x509 args git config --local gpg.format x509

  19. #devoxxUA @vitalethomas Sigstore gitsign https://github.com/sigstore/gitsign

  20. 2. Securing the Materials #devoxxUA @vitalethomas

  21. #devoxxUA @vitalethomas Generate an immutable SBOM Software Bills of Materials

    with Syft Syft https://github.com/anchore/syft syft band-service • Generate a SBOM from a pre-built image pack sbom download band-service • Extract SBOMs generated at build-time with Buildpacks

  22. #devoxxUA @vitalethomas Scan software for vulnerabilities Vulnerability scanning with Grype

    Grype https://github.com/anchore/grype grype ./repos/band-service • Scan source code grype band-service • Scan container image

  23. #devoxxUA @vitalethomas

  24. #devoxxUA @vitalethomas

  25. #devoxxUA @vitalethomas

  26. #devoxxUA @vitalethomas https://theoryof.predictable.software/articles/ a-closer-look-at-cvss-scores/

  27. #devoxxUA @vitalethomas https://theoryof.predictable.software/articles/ a-closer-look-at-cvss-scores/

  28. 3. Securing the Build Pipelines #devoxxUA @vitalethomas

  29. #devoxxUA @vitalethomas Eliminate sources of non-determinism Reproducible builds with Cloud

    Native Buildpacks Cloud Native Buildpacks https://buildpacks.io Image pack build Image pack build Time = =
  30. None

  31. SLSA Framework #devoxxUA @vitalethomas

  32. #devoxxUA @vitalethomas SLSA https://slsa.dev

  33. SLSA https://slsa.dev #devoxxUA @vitalethomas

  34. SLSA Level 1 Documentation of the build process #devoxxUA @vitalethomas

    Build ❖ All build steps de fi ned in a script Provenance ❖ Provenance data available to the consumer SLSA https://slsa.dev

  35. #devoxxUA @vitalethomas in-toto https://in-toto.io

  36. 4. Securing the Artefacts #devoxxUA @vitalethomas

  37. #devoxxUA @vitalethomas Sign every step in the build process Signing

    artefacts with Sigstore cosign cosign sign band-service • Sign container image cosign attest \ -—predicate predicate.att \ --type slsaprovenance \ band-service • Sign provenance and add attestation to image Sigstore cosign https://github.com/sigstore/cosign

  38. SLSA Level 2 Tamper resistance of the build service #devoxxUA

    @vitalethomas Source ❖ Every change to the source is tracked in a version control system Build ❖ All build steps ran using some build service, not on a developer’s workstation SLSA https://slsa.dev Provenance ❖ Data in the provenance obtained from build service ❖ The provenance’s authenticity and integrity can be veri fi ed by the consumer.

  39. 5. Securing Deployment #devoxxUA @vitalethomas

  40. #devoxxUA @vitalethomas Perform verification of artefacts Verifying signatures and provenance

    with Kyverno • Keyless veri fi cation of image signature • If missing compliance, the deployment is blocked • Keyless veri fi cation of the SLSA provenance metadata • If missing compliance, the deployment is blocked. Kyverno https://kyverno.io

  41. Cartographer #devoxxUA @vitalethomas

  42. #devoxxUA @vitalethomas Cartographer https://cartographer.sh

  43. Minimal Supply Chain Source -> Image -> URL Deploy to

    Kubernetes Package as container image Checkout source code

  44. Resources #devoxxUA @vitalethomas

  45. https://github.com/ThomasVitale/awesome-spring

  46. Thomas Vitale Devoxx Ukraine Sep 2nd, 2022 Supply Chain Security

    For Cloud Native Java @vitalethomas Source code: https://github.com/ThomasVitale/band-service