
Supply Chain Security for Cloud Native Java

Thomas Vitale
September 02, 2022

Supply Chain Security for Cloud Native Java

Securing our software supply chain has never been so critical. Security is a dynamic and evolving property of a system, and bad actors can exploit vulnerabilities in multiple ways while we’re busy migrating our applications to the cloud and Kubernetes. In the Java ecosystem, the severe vulnerabilities affecting the widely used Log4J2 library made it even more evident that we must have a strategy to protect our systems.

This presentation focuses on how to secure the supply chain for cloud native Java applications. It covers techniques, patterns, and technologies for secure dependency management, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. It also addresses a few options for handling supply chain security in a Kubernetes-native way.

You’ll see a live demonstration of the practices and technologies explained during the presentation, relying exclusively on open-source tools.



Transcript

  1. Thomas Vitale
    Devoxx Ukraine
    Sep 2nd, 2022
    Supply Chain Security
    For Cloud Native Java
    @vitalethomas

  2. Systematic
    • Software Architect at Systematic, Denmark.
    • Author of “Cloud Native Spring in Action” (Manning).
    • OSS Contributor.
    Thomas Vitale
    thomasvitale.com @vitalethomas

  3. Software Supply Chain
    #devoxxUA @vitalethomas

  4. Software Supply Chain
    The set of everything needed to deliver software to
    production, including code, dependencies, tools,
    practices, and people.

  5. Software Supply Chain
    Every step has multiple security risks and impacts
    Stages: Source Code -> Materials -> Build -> Artefacts -> Deployment
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  6. Supply Chain Security
    Tools are not enough
    • ORGANIZATION
    • PRACTICES
    • TOOLS

  7. Where to begin?

  8. Containerization

  9. Dockerfiles
    “Dockerfiles are easy to write, but the current
    development guidelines do not produce
    containers that are repeatable and hardened.”
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  10. Cloud Native Buildpacks

  11. buildpacks.io

  12. Cloud Native Buildpacks
    From source code to container image
    Source code -> pack build -> Image
    Cloud Native Buildpacks
    https://buildpacks.io

  13. Cloud Native Buildpacks
    From source code to container image
    • Separation of concerns
    • Security and compliance
    • Maintainability
    • Advanced caching
    • Multi-language and multi-platform
    • Reusability
    Cloud Native Buildpacks
    https://buildpacks.io

  14. paketo.io

  15. Software Supply Chain
    Every step has multiple security risks and impacts
    (same stages diagram as slide 5)
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  16. Securing a software supply chain
    1 Securing the Source Code
    2 Securing the Materials
    3 Securing the Build Pipelines
    4 Securing the Artefacts
    5 Securing Deployments
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  17. 1. Securing the Source Code

  18. Require signed commits
    Keyless Git signing with Sigstore
    Sigstore gitsign
    https://github.com/sigstore/gitsign

    # Sign all commits
    git config --local commit.gpgsign true
    # Sign all tags
    git config --local tag.gpgsign true
    # Use gitsign for signing
    git config --local gpg.x509.program gitsign
    # gitsign expects x509 args
    git config --local gpg.format x509

  19. Sigstore gitsign
    https://github.com/sigstore/gitsign

  20. 2. Securing the Materials

  21. Generate an immutable SBOM
    Software Bills of Materials with Syft
    Syft
    https://github.com/anchore/syft

    • Generate an SBOM from a pre-built image
    syft band-service
    • Extract the SBOMs generated at build time by Buildpacks
    pack sbom download band-service

  22. Scan software for vulnerabilities
    Vulnerability scanning with Grype
    Grype
    https://github.com/anchore/grype

    • Scan source code
    grype ./repos/band-service
    • Scan container image
    grype band-service
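To show what the Syft and Grype steps above do under the hood, here is an added example (not code from the talk, Syft or Grype) that matches the package URLs in a CycloneDX SBOM against advisory records. The SBOM content, the advisory ids and the version ranges are constructed for illustration, not real Syft output or real CVE records.

```python
"""Added example (not from the talk, Syft or Grype): how a scanner consumes an SBOM.
Syft can emit CycloneDX; Grype then matches each component's package URL (purl)
against advisory data. Both inputs here are constructed, not real Syft output or CVEs."""
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM, trimmed to the fields the matching needs.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "spring-core", "version": "5.3.22",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.22"},
    ],
})
# Constructed advisory records: placeholder ids, illustrative version ranges.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "introduced": "2.0", "fixed": "2.15.0", "severity": "Critical",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core"},
    {"id": "ADV-PLACEHOLDER-2", "introduced": "5.0.0", "fixed": "5.3.18", "severity": "High",
     "purl_prefix": "pkg:maven/org.springframework/spring-core"},
]


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only (enough for these samples): '2.14.1' -> (2, 14, 1)."""
    return tuple(int(p) for p in v.split("."))


def match_sbom(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """One finding per (component, advisory) pair whose version lies in [introduced, fixed)."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        # 'pkg:maven/g/a@1.2' -> name 'pkg:maven/g/a', version '1.2'
        name, _, version = comp["purl"].partition("@")
        v = parse_version(version)
        for adv in advisories:
            if name != adv["purl_prefix"]:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "component": comp["name"], "version": version,
                                 "fixed_in": adv["fixed"], "severity": adv["severity"]})
    return findings
```

Run against the constructed inputs, only the log4j-core component falls inside an affected range; spring-core is at or above its fix version and produces no finding.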

  26-27. A closer look at CVSS scores
    https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/

  28. 3. Securing the Build Pipelines

  29. Eliminate sources of non-determinism
    Reproducible builds with Cloud Native Buildpacks
    Same source, pack build run at two different times -> identical image (=)
    Cloud Native Buildpacks
    https://buildpacks.io

  30. SLSA Framework

  31-32. SLSA
    https://slsa.dev

  33. SLSA Level 1
    Documentation of the build process
    Build ❖ All build steps defined in a script
    Provenance ❖ Provenance data available to the consumer
    SLSA
    https://slsa.dev

  34. in-toto
    https://in-toto.io

  35. 4. Securing the Artefacts

  36. Sign every step in the build process
    Signing artefacts with Sigstore cosign
    Sigstore cosign
    https://github.com/sigstore/cosign

    • Sign container image
    cosign sign band-service
    • Sign provenance and add attestation to image
    cosign attest \
      --predicate predicate.att \
      --type slsaprovenance \
      band-service

  37. SLSA Level 2
    Tamper resistance of the build service
    Source
    ❖ Every change to the source is tracked in a version
    control system
    Build
    ❖ All build steps ran using some build service, not on a
    developer’s workstation
    Provenance
    ❖ Data in the provenance obtained from build service
    ❖ The provenance’s authenticity and integrity can be
    verified by the consumer.
    SLSA
    https://slsa.dev

  38. 5. Securing Deployment

  39. Perform verification of artefacts
    Verifying signatures and provenance with Kyverno
    • Keyless verification of image signature
    • If missing compliance, the deployment is blocked
    • Keyless verification of the SLSA provenance metadata
    • If missing compliance, the deployment is blocked.
    Kyverno
    https://kyverno.io
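As an added example tying slides 36, 37 and 39 together (not code from the talk, cosign or Kyverno), the following checks the content of an SLSA provenance attestation the way an admission policy would before admitting a deployment; signature verification against Sigstore is left to cosign/Kyverno. The statement, builder id, build type and digests are placeholders, and the `https://slsa.dev/provenance/v0.2` predicate type is assumed to be what `cosign attest --type slsaprovenance` wraps around the predicate file.

```python
"""Added example (not from the talk, cosign or Kyverno): the content checks an admission
controller such as Kyverno can apply to an SLSA provenance attestation before admitting a
deployment. Signature verification against Sigstore is left to cosign/Kyverno; this checks
only the attestation body, on a constructed in-toto Statement with placeholder values."""
from typing import Dict, List

# Constructed in-toto Statement carrying an SLSA v0.2 provenance predicate: the envelope
# that `cosign attest --type slsaprovenance` is assumed to wrap around predicate.att.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "registry.example/band-service",
                 "digest": {"sha256": "a" * 64}}],  # placeholder image digest
    "predicate": {
        "builder": {"id": "https://ci.example/builder/v1"},  # placeholder builder id
        "buildType": "https://ci.example/buildpacks-build",   # placeholder build type
        "materials": [{"uri": "git+https://github.com/ThomasVitale/band-service",
                       "digest": {"sha1": "b" * 40}}],        # placeholder commit
    },
}


def verify_provenance(statement: Dict, image_digest: str,
                      trusted_builders: List[str], source_repo: str) -> List[str]:
    """Return the policy violations found (an empty list means the image may be admitted)."""
    errors = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        errors.append("unexpected predicateType")
    # Bind the attestation to the exact digest being deployed, never to a mutable tag.
    digests = [s.get("digest", {}).get("sha256") for s in statement.get("subject", [])]
    if image_digest not in digests:
        errors.append("subject digest does not match deployed image")
    pred = statement.get("predicate", {})
    # SLSA Level 2: provenance must come from a build service the policy trusts.
    if pred.get("builder", {}).get("id") not in trusted_builders:
        errors.append("untrusted builder id")
    # The materials must show the image was built from the expected source repository.
    uris = [m.get("uri", "") for m in pred.get("materials", [])]
    if f"git+{source_repo}" not in uris:
        errors.append("source repository not among materials")
    return errors


def admission_decision(statement: Dict) -> bool:
    """Admit only when every check passes, mirroring a 'block on non-compliance' policy."""
    return verify_provenance(statement, "a" * 64, ["https://ci.example/builder/v1"],
                             "https://github.com/ThomasVitale/band-service") == []
```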

  40. Cartographer

  41. Cartographer
    https://cartographer.sh

  42. Minimal Supply Chain
    Source -> Image -> URL
    Checkout source code -> Package as container image -> Deploy to Kubernetes

  43. Resources

  44. https://github.com/ThomasVitale/awesome-spring

  45. Thomas Vitale
    Devoxx Ukraine
    Sep 2nd, 2022
    Supply Chain Security
    For Cloud Native Java
    @vitalethomas
    Source code: https://github.com/ThomasVitale/band-service