Supply Chain Security for Cloud Native Java

Thomas Vitale
September 02, 2022

Securing our software supply chain has never been so critical. Security is a dynamic and evolving property of a system, and bad actors can exploit vulnerabilities in multiple ways while we’re busy migrating our applications to the cloud and Kubernetes. In the Java ecosystem, the severe vulnerabilities affecting the widely used Log4J2 library made it even more evident that we must have a strategy to protect our systems.

This presentation focuses on how to secure the supply chain for cloud native Java applications. It covers techniques, patterns, and technologies for secure dependency management, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. It also addresses a few options for handling supply chain security in a Kubernetes-native way.

You’ll see a live demonstration of the practices and technologies explained during the presentation, relying exclusively on open-source tools.

Transcript

  1. Thomas Vitale
    Devoxx Ukraine
    Sep 2nd, 2022
    Supply Chain Security
    For Cloud Native Java
    @vitalethomas

  2. Thomas Vitale
    • Software Architect at Systematic, Denmark.
    • Author of “Cloud Native Spring in Action” (Manning).
    • OSS Contributor.
    thomasvitale.com @vitalethomas

  3. Software Supply Chain
    #devoxxUA @vitalethomas

  4. Software Supply Chain
    The set of everything needed to deliver software to production, including code, dependencies, tools, practices, and people.

  5. Software Supply Chain
    Every step has multiple security risks and impacts.
    Source Code -> Materials -> Build -> Artefacts -> Deployment
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  6. Supply Chain Security
    Tools are not enough: ORGANIZATION, PRACTICES, TOOLS

  7. Where to begin?

  8. Containerization

  9. Dockerfiles
    “Dockerfiles are easy to write, but the current development guidelines do not produce containers that are repeatable and hardened.”
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  10. Cloud Native Buildpacks

  11. buildpacks.io

  12. Cloud Native Buildpacks
    From source code to container image: source code -> pack build -> Image
    Cloud Native Buildpacks
    https://buildpacks.io

  13. Cloud Native Buildpacks
    From source code to container image
    • Separation of concerns
    • Security and compliance
    • Maintainability
    • Advanced caching
    • Multi-language and multi-platform
    • Reusability
    Cloud Native Buildpacks
    https://buildpacks.io

  14. paketo.io

  15. Software Supply Chain
    Every step has multiple security risks and impacts.
    Source Code -> Materials -> Build -> Artefacts -> Deployment
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  16. Securing a software supply chain
    1 Securing the Source Code
    2 Securing the Materials
    3 Securing the Build Pipelines
    4 Securing the Artefacts
    5 Securing Deployments
    CNCF Software Supply Chain Security Paper
    https://github.com/cncf/tag-security/tree/main/supply-chain-security

  17. 1. Securing the Source Code

  18. Require signed commits
    Keyless Git signing with Sigstore
    # Sign all commits
    git config --local commit.gpgsign true
    # Sign all tags
    git config --local tag.gpgsign true
    # Use gitsign for signing
    git config --local gpg.x509.program gitsign
    # gitsign expects x509 args
    git config --local gpg.format x509
    Sigstore gitsign
    https://github.com/sigstore/gitsign

  19. Sigstore gitsign
    https://github.com/sigstore/gitsign

  20. 2. Securing the Materials

  21. Generate an immutable SBOM
    Software Bills of Materials with Syft
    • Generate an SBOM from a pre-built image:
    syft band-service
    • Extract SBOMs generated at build-time with Buildpacks:
    pack sbom download band-service
    Syft
    https://github.com/anchore/syft

  22. Scan software for vulnerabilities
    Vulnerability scanning with Grype
    • Scan source code:
    grype ./repos/band-service
    • Scan container image:
    grype band-service
    Grype
    https://github.com/anchore/grype

  26. A closer look at CVSS scores
    https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/

  27. A closer look at CVSS scores
    https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/

  28. 3. Securing the Build Pipelines

  29. Eliminate sources of non-determinism
    Reproducible builds with Cloud Native Buildpacks
    pack build -> Image (now) = pack build -> Image (later): the same source produces an identical image regardless of time
    Cloud Native Buildpacks
    https://buildpacks.io

  31. SLSA Framework

  32. SLSA
    https://slsa.dev

  33. SLSA
    https://slsa.dev

  34. SLSA Level 1
    Documentation of the build process
    Build ❖ All build steps defined in a script
    Provenance ❖ Provenance data available to the consumer
    SLSA
    https://slsa.dev

  35. in-toto
    https://in-toto.io

  36. 4. Securing the Artefacts

  37. Sign every step in the build process
    Signing artefacts with Sigstore cosign
    • Sign container image:
    cosign sign band-service
    • Sign provenance and add attestation to image:
    cosign attest \
      --predicate predicate.att \
      --type slsaprovenance \
      band-service
    Sigstore cosign
    https://github.com/sigstore/cosign

  38. SLSA Level 2
    Tamper resistance of the build service
    Source ❖ Every change to the source is tracked in a version control system
    Build ❖ All build steps ran using some build service, not on a developer’s workstation
    Provenance ❖ Data in the provenance obtained from build service
    ❖ The provenance’s authenticity and integrity can be verified by the consumer.
    SLSA
    https://slsa.dev

  39. 5. Securing Deployment

  40. Perform verification of artefacts
    Verifying signatures and provenance with Kyverno
    • Keyless verification of image signature
    • If missing compliance, the deployment is blocked
    • Keyless verification of the SLSA provenance metadata
    • If missing compliance, the deployment is blocked.
    Kyverno
    https://kyverno.io
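
Slide 40 describes the admission check but shows no policy; the following is an added example, not from the deck or the band-service repository, of a Kyverno ClusterPolicy that enforces both checks on that slide: a keyless image signature from `cosign sign` and a keyless SLSA provenance attestation from `cosign attest --type slsaprovenance`. It assumes Kyverno 1.8's verifyImages schema, signatures issued from a GitHub Actions workflow, and placeholder registry, organisation and builder values.

```yaml
# Added example; not from the deck or the band-service repository.
# Assumes Kyverno 1.8 (verifyImages with keyless attestors and
# attestation checks), images signed keylessly from a GitHub Actions
# workflow, and placeholder registry, repository and builder values.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-band-service-supply-chain
spec:
  # enforce: a Pod whose image fails verification is rejected, not just logged
  validationFailureAction: enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: check-signature-and-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "REGISTRY_PLACEHOLDER/band-service*"   # placeholder image path
          # 1) keyless verification of the image signature (cosign sign)
          attestors:
            - entries:
                - keyless:
                    # signer identity from the Fulcio certificate: placeholder
                    # workflow path plus the GitHub Actions OIDC issuer
                    subject: "https://github.com/ORG_PLACEHOLDER/band-service/.github/workflows/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          # 2) keyless verification of the SLSA provenance attestation
          attestations:
            # cosign maps --type slsaprovenance to this predicate type
            - predicateType: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keyless:
                        subject: "https://github.com/ORG_PLACEHOLDER/band-service/.github/workflows/*"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
              # conditions are evaluated against the SLSA v0.2 predicate body
              conditions:
                - all:
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "BUILDER_ID_PLACEHOLDER"   # expected builder identity
```

With `validationFailureAction: enforce`, a Pod whose image lacks either the signature or a provenance attestation matching these conditions is rejected at admission, which is the "deployment is blocked" behaviour on the slide.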

  41. Cartographer

  42. Cartographer
    https://cartographer.sh

  43. Minimal Supply Chain
    Source -> Image -> URL
    Checkout source code -> Package as container image -> Deploy to Kubernetes

  44. Resources

  45. https://github.com/ThomasVitale/awesome-spring

  46. Thomas Vitale
    Devoxx Ukraine
    Sep 2nd, 2022
    Supply Chain Security
    For Cloud Native Java
    @vitalethomas
    Source code: https://github.com/ThomasVitale/band-service
