
Supply Chain Security for Cloud Native Java

Thomas Vitale
September 02, 2022

Securing our software supply chain has never been so critical. Security is a dynamic and evolving property of a system, and bad actors can exploit vulnerabilities in multiple ways while we’re busy migrating our applications to the cloud and Kubernetes. In the Java ecosystem, the severe vulnerabilities affecting the widely used Log4J2 library made it even more evident that we must have a strategy to protect our systems.

This presentation focuses on how to secure the supply chain for cloud native Java applications. It covers techniques, patterns, and technologies for secure dependency management, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. It also addresses a few options for handling supply chain security in a Kubernetes-native way.

You’ll see a live demonstration of the practices and technologies explained during the presentation, relying exclusively on open-source tools.

Transcript

  1. Thomas Vitale, Devoxx Ukraine, Sep 2nd, 2022. Supply Chain Security For Cloud Native Java. @vitalethomas
  2. Systematic • Software Architect at Systematic, Denmark. • Author of “Cloud Native Spring in Action” (Manning). • OSS Contributor. Thomas Vitale thomasvitale.com @vitalethomas
  3. Software Supply Chain #devoxxUA @vitalethomas
  4. Software Supply Chain: the set of everything needed to deliver software to production, including code, dependencies, tools, practices, and people.
  5. Software Supply Chain: every step has multiple security risks and impacts. Source Code -> Build -> Materials -> Artefacts -> Deployment. CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security
  6. Supply Chain Security: tools are not enough. ORGANIZATION, PRACTICES, TOOLS.
  7. Where to begin?
  8. Containerization
  9. Dockerfiles: “Dockerfiles are easy to write, but the current development guidelines do not produce containers that are repeatable and hardened.” CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security
  10. Cloud Native Buildpacks
  11. buildpacks.io
  12. Cloud Native Buildpacks, from source code to container image: pack build -> Image. Cloud Native Buildpacks https://buildpacks.io
  13. Cloud Native Buildpacks, from source code to container image: separation of concerns, security and compliance, maintainability, advanced caching, multi-language and multi-platform, reusability. Cloud Native Buildpacks https://buildpacks.io
  14. paketo.io
  15. Software Supply Chain: every step has multiple security risks and impacts. Source Code -> Build -> Materials -> Artefacts -> Deployment. CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security
  16. Securing a software supply chain: 1 Securing the Source Code, 2 Securing the Materials, 3 Securing the Build Pipelines, 4 Securing the Artefacts, 5 Securing Deployments. CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security
  17. 1. Securing the Source Code
  18. Require signed commits: keyless Git signing with Sigstore gitsign https://github.com/sigstore/gitsign
    # Sign all commits
    git config --local commit.gpgsign true
    # Sign all tags
    git config --local tag.gpgsign true
    # Use gitsign for signing
    git config --local gpg.x509.program gitsign
    # gitsign expects x509 args
    git config --local gpg.format x509
  19. Sigstore gitsign https://github.com/sigstore/gitsign
  20. 2. Securing the Materials
  21. Generate an immutable SBOM: Software Bills of Materials with Syft https://github.com/anchore/syft
    syft band-service • Generate a SBOM from a pre-built image
    pack sbom download band-service • Extract SBOMs generated at build-time with Buildpacks
  22. Scan software for vulnerabilities: vulnerability scanning with Grype https://github.com/anchore/grype
    grype ./repos/band-service • Scan source code
    grype band-service • Scan container image
  26. https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/
  27. https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/
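Slides 21 and 22 show the Syft and Grype commands and slides 26 and 27 point at the CVSS discussion; what a pipeline does with the scan result is left to the reader. The following is an added example (not code from the talk, Syft or Grype) of a CI gate that consumes Grype's JSON report and blocks only on findings the team can act on. The report is constructed inline to mirror the shape of `grype -o json`, which is an assumption about the format; vulnerability ids, package names and versions are placeholders.

```python
import json

# Constructed report mirroring the shape of `grype <target> -o json` (an assumption
# about the format): one fixable Critical, one High with no fix, one fixable Low.
# Vulnerability ids, package names and versions are placeholders, not real advisories.
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["2.x-fixed"]},
                       "cvss": [{"metrics": {"baseScore": 10.0}}]},
     "artifact": {"name": "log4j-core", "version": "2.x", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []},
                       "cvss": [{"metrics": {"baseScore": 7.5}}]},
     "artifact": {"name": "some-yaml-lib", "version": "1.0", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["1.2"]}, "cvss": []},
     "artifact": {"name": "libssl", "version": "1.1", "type": "deb"}},
]})

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def evaluate(report_json, fail_on="High", only_fixed=True):
    """Return (blocking, findings). `blocking` are the findings that should fail
    the pipeline: severity at or above `fail_on` and, with only_fixed, a fix
    version available, so the team is blocked on what it can act on today.
    Grype's own --fail-on and --only-fixed flags cover the same idea; a script
    lets you add triage such as the CVSS base score used below for ordering."""
    threshold = SEVERITY_RANK[fail_on]
    findings, blocking = [], []
    for match in json.loads(report_json)["matches"]:
        vuln, artifact = match["vulnerability"], match["artifact"]
        scores = [c["metrics"]["baseScore"] for c in vuln.get("cvss", []) if "metrics" in c]
        finding = {"id": vuln["id"], "severity": vuln["severity"],
                   "package": f'{artifact["name"]}@{artifact["version"]}',
                   "fix": vuln.get("fix", {}).get("versions") or [],
                   "cvss": max(scores) if scores else None}
        findings.append(finding)
        actionable = bool(finding["fix"]) or not only_fixed
        if SEVERITY_RANK.get(finding["severity"], 0) >= threshold and actionable:
            blocking.append(finding)
    # Worst severity first, then highest CVSS base score, for the report order.
    blocking.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], -(f["cvss"] or 0)))
    return blocking, findings
```

In a CI job, call `evaluate` on the saved report and exit non-zero when `blocking` is non-empty; the High finding without a fix is still listed in `findings` for tracking rather than silently dropped.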

  28. 3. Securing the Build Pipelines
  29. Eliminate sources of non-determinism: reproducible builds with Cloud Native Buildpacks https://buildpacks.io. pack build -> Image, and the same pack build run again at a later time -> an identical Image (=).
  31. SLSA Framework
  32. SLSA https://slsa.dev
  33. SLSA https://slsa.dev
  34. SLSA Level 1: documentation of the build process. Build ❖ All build steps defined in a script. Provenance ❖ Provenance data available to the consumer. SLSA https://slsa.dev
  35. in-toto https://in-toto.io
  36. 4. Securing the Artefacts
  37. Sign every step in the build process: signing artefacts with Sigstore cosign https://github.com/sigstore/cosign
    cosign sign band-service • Sign container image
    cosign attest --predicate predicate.att --type slsaprovenance band-service • Sign provenance and add attestation to image
  38. SLSA Level 2: tamper resistance of the build service. Source ❖ Every change to the source is tracked in a version control system. Build ❖ All build steps ran using some build service, not on a developer’s workstation. Provenance ❖ Data in the provenance obtained from build service. ❖ The provenance’s authenticity and integrity can be verified by the consumer. SLSA https://slsa.dev
  39. 5. Securing Deployment
  40. Perform verification of artefacts: verifying signatures and provenance with Kyverno https://kyverno.io • Keyless verification of image signature • If missing compliance, the deployment is blocked • Keyless verification of the SLSA provenance metadata • If missing compliance, the deployment is blocked.
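Slides 37, 38 and 40 describe attaching SLSA provenance to the image with cosign attest and having Kyverno verify it before a deployment is admitted. As an added example (not code from the talk, cosign or Kyverno), the following checks the provenance conditions an admission policy enforces after the keyless signature verification, which it assumes has already been done by cosign or Kyverno and does not repeat: the attestation covers the image digest being deployed, names the trusted build service, and references the expected source repository. The in-toto statement, builder id, build type and digests are constructed; the predicate type is assumed to be the SLSA v0.2 one that cosign attaches for `--type slsaprovenance`.

```python
import json

# Assumed: the predicate type cosign attaches for --type slsaprovenance (SLSA v0.2).
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"
TRUSTED_BUILDER = "https://build.example.internal/buildpacks"   # placeholder build service id
EXPECTED_SOURCE = "git+https://github.com/ThomasVitale/band-service"

# Constructed attestation in the shape of an in-toto Statement v0.1 wrapping a
# SLSA v0.2 predicate; digests and the buildType URI are placeholders.
ATTESTATION = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_PREDICATE_TYPE,
    "subject": [{"name": "band-service", "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER},
        "buildType": "https://example.invalid/buildpacks-build",
        "materials": [{"uri": EXPECTED_SOURCE, "digest": {"sha1": "b" * 40}}],
    },
})


def admit(attestation_json, image_digest):
    """Return (allowed, reasons). Every failed condition is reported, so a
    blocked deployment explains itself the way a policy message would; an
    empty reasons list means the provenance satisfies all conditions."""
    statement = json.loads(attestation_json)
    reasons = []
    if statement.get("predicateType") != SLSA_PREDICATE_TYPE:
        reasons.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    digests = {sub.get("digest", {}).get("sha256") for sub in statement.get("subject", [])}
    if image_digest not in digests:
        reasons.append("attestation subject does not cover the image digest being deployed")
    predicate = statement.get("predicate", {})
    if predicate.get("builder", {}).get("id") != TRUSTED_BUILDER:
        reasons.append("provenance was not produced by the trusted build service")
    if not any(m.get("uri") == EXPECTED_SOURCE for m in predicate.get("materials", [])):
        reasons.append("provenance materials do not reference the expected source repository")
    return (not reasons), reasons
```

The builder check is what separates SLSA Level 2 provenance from a statement produced on a developer's workstation; an attestation that is correctly signed but names the wrong builder is still rejected.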
  41. Cartographer
  42. Cartographer https://cartographer.sh
  43. Minimal Supply Chain: Source -> Image -> URL. Checkout source code -> Package as container image -> Deploy to Kubernetes.
  44. Resources
  45. https://github.com/ThomasVitale/awesome-spring
  46. Thomas Vitale, Devoxx Ukraine, Sep 2nd, 2022. Supply Chain Security For Cloud Native Java. @vitalethomas Source code: https://github.com/ThomasVitale/band-service