
Supply Chain Security for Cloud Native Java

Thomas Vitale
September 02, 2022

Supply Chain Security for Cloud Native Java

Securing our software supply chain has never been so critical. Security is a dynamic and evolving property of a system, and bad actors can exploit vulnerabilities in multiple ways while we’re busy migrating our applications to the cloud and Kubernetes. In the Java ecosystem, the severe vulnerabilities affecting the widely used Log4J2 library made it even more evident that we must have a strategy to protect our systems.

This presentation focuses on how to secure the supply chain for cloud native Java applications. It covers techniques, patterns, and technologies for secure dependency management, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. It also addresses a few options for handling supply chain security in a Kubernetes-native way.

You’ll see a live demonstration of the practices and technologies explained during the presentation, relying exclusively on open-source tools.


Transcript

  1. Thomas Vitale (Systematic)
     • Software Architect at Systematic, Denmark.
     • Author of “Cloud Native Spring in Action” (Manning).
     • OSS Contributor.
     thomasvitale.com, @vitalethomas
  2. Software Supply Chain
     The set of everything needed to deliver software to production, including code, dependencies, tools, practices, and people.
     #devoxxUA @vitalethomas
  3. Software Supply Chain
     Every step has multiple security risks and impacts: Source Code, Build, Materials, Artefacts, Deployment.
     CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security
  4. Dockerfiles
     “Dockerfiles are easy to write, but the current development guidelines do not produce containers that are repeatable and hardened.”
     CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security
  5. Cloud Native Buildpacks
     From source code to container image (diagram: pack build turns the source code into an image).
     Cloud Native Buildpacks: https://buildpacks.io
  6. Cloud Native Buildpacks
     From source code to container image: separation of concerns, security and compliance, maintainability, advanced caching, multi-language and multi-platform, reusability.
     Cloud Native Buildpacks: https://buildpacks.io
  7. Software Supply Chain
     Every step has multiple security risks and impacts: Source Code, Build, Materials, Artefacts, Deployment.
     CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security
  8. Securing a software supply chain
     1 Securing the Source Code
     2 Securing the Materials
     3 Securing the Build Pipelines
     4 Securing the Artefacts
     5 Securing Deployments
     CNCF Software Supply Chain Security Paper: https://github.com/cncf/tag-security/tree/main/supply-chain-security
  9. Require signed commits
     Keyless Git signing with Sigstore gitsign (https://github.com/sigstore/gitsign)

       # Sign all commits
       git config --local commit.gpgsign true
       # Sign all tags
       git config --local tag.gpgsign true
       # Use gitsign for signing
       git config --local gpg.x509.program gitsign
       # gitsign expects x509 args
       git config --local gpg.format x509

  10. Generate an immutable SBOM
      Software Bills of Materials with Syft (https://github.com/anchore/syft)

        syft band-service                  • Generate an SBOM from a pre-built image
        pack sbom download band-service    • Extract the SBOMs generated at build time by Buildpacks

  11. Scan software for vulnerabilities
      Vulnerability scanning with Grype (https://github.com/anchore/grype)

        grype ./repos/band-service    • Scan source code
        grype band-service            • Scan container image

  12. Eliminate sources of non-determinism
      Reproducible builds with Cloud Native Buildpacks (https://buildpacks.io)
      (Diagram: running pack build on the same source at different points in time produces the same image.)
  13. SLSA Level 1: Documentation of the build process
      Build ❖ All build steps defined in a script
      Provenance ❖ Provenance data available to the consumer
      SLSA: https://slsa.dev
  14. Sign every step in the build process
      Signing artefacts with Sigstore cosign (https://github.com/sigstore/cosign)

        cosign sign band-service       • Sign container image

        cosign attest \
          --predicate predicate.att \
          --type slsaprovenance \
          band-service                 • Sign provenance and add attestation to image

  15. SLSA Level 2: Tamper resistance of the build service
      Source ❖ Every change to the source is tracked in a version control system
      Build ❖ All build steps ran using some build service, not on a developer’s workstation
      Provenance ❖ Data in the provenance obtained from build service
                 ❖ The provenance’s authenticity and integrity can be verified by the consumer.
      SLSA: https://slsa.dev
  16. Perform verification of artefacts
      Verifying signatures and provenance with Kyverno (https://kyverno.io)
      • Keyless verification of image signature
      • If missing compliance, the deployment is blocked
      • Keyless verification of the SLSA provenance metadata
      • If missing compliance, the deployment is blocked.
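The two checks on this slide expressed as a Kyverno ClusterPolicy, added here as an example (it is not from the deck or the band-service repository). The image reference, the keyless subject/issuer of the build workflow and the expected builder id are assumed placeholders; the predicate type is the one cosign writes for --type slsaprovenance.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-band-service-supply-chain
spec:
  # Enforce: a Pod whose image fails verification is rejected, not merely reported
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: signature-and-slsa-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder registry/repository; replace with the real band-service image
        - imageReferences:
            - "registry.example.com/band-service*"
          # Check 1: keyless signature (cosign sign) issued to the build workflow identity
          attestors:
            - entries:
                - keyless:
                    # Assumed OIDC identity of the CI workflow that signed the image
                    subject: "https://github.com/example-org/band-service/.github/workflows/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          # Check 2: keyless SLSA provenance attestation (cosign attest --type slsaprovenance)
          attestations:
            - predicateType: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keyless:
                        subject: "https://github.com/example-org/band-service/.github/workflows/*"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
              # SLSA L2: the provenance must name the expected build service, not a workstation
              conditions:
                - all:
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "https://github.com/example-org/band-service/.github/workflows/build.yml@refs/heads/main"
```

A Pod whose image has no valid signature, no provenance attestation, or provenance from a different builder is rejected at admission; a missing attestation is a failure, not a pass.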
  17. Minimal Supply Chain
      Source -> Image -> URL
      Checkout source code -> Package as container image -> Deploy to Kubernetes
  18. Supply Chain Security for Cloud Native Java
      Thomas Vitale, Devoxx Ukraine, Sep 2nd, 2022, @vitalethomas
      Source code: https://github.com/ThomasVitale/band-service