Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Supply Chain Security for Cloud Native Java

Thomas Vitale
September 02, 2022
Technology
0
370

Supply Chain Security for Cloud Native Java

Securing our software supply chain has never been so critical. Security is a dynamic and evolving property of a system, and bad actors can exploit vulnerabilities in multiple ways while we’re busy migrating our applications to the cloud and Kubernetes. In the Java ecosystem, the severe vulnerabilities affecting the widely used Log4J2 library made it even more evident that we must have a strategy to protect our systems.

This presentation focuses on how to secure the supply chain for cloud native Java applications. It covers techniques, patterns, and technologies for secure dependency management, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. It also addresses a few options for handling supply chain security in a Kubernetes-native way.

You’ll see a live demonstration of the practices and technologies explained during the presentation, relying exclusively on open-source tools.

Thomas Vitale

September 02, 2022
Tweet

More Decks by Thomas Vitale

See All by Thomas Vitale
Breaking Barriers: Bringing Application Developers Closer To the CNCF
thomasvitale
1
67
From 0 To Production-Grade With Kubernetes Native Development
thomasvitale
0
91
Developer Experience on Kubernetes (Cloud Native Aalborg 2025)
thomasvitale
0
25
Concerto for Java and AI - Building Production-Ready LLM Applications (YOW! Australia 2024)
thomasvitale
0
35
Concerto for Java and AI - Building Production-Ready LLM Applications
thomasvitale
0
120
Developer Experience on Kubernetes
thomasvitale
1
130
Unlocking New Platform Experiences With Open Interfaces
thomasvitale
0
100
Concerto for Java and AI - Building Production-Ready LLM Applications
thomasvitale
1
320
Dapr and Spring Boot - Solving the Challenges of Distributed Systems
thomasvitale
1
230

Other Decks in Technology

See All in Technology
ゆるくVPC Latticeについてまとめてみたら、意外と奥深い件
masakiokuda
2
230
「家族アルバム みてね」を支えるS3ライフサイクル戦略
fanglang
4
640
TopAppBar Composableをカスタムする
hunachi
0
170
システムとの会話から生まれる先手のDevOps
kakehashi
PRO
0
180
低レイヤを知りたいPHPerのためのCコンパイラ作成入門 / Building a C Compiler for PHPers Who Want to Dive into Low-Level Programming
tomzoh
0
180
データベースで見る『家族アルバム みてね』の変遷 / The Evolution of Family Album Through the Lens of Databases
kohbis
4
1.1k
Langchain4j y Ollama - Integrando LLMs con programas Java @ Commit Conf 2025
deors
1
130
「ラベルにとらわれない」エンジニアでいること/Be an engineer beyond labels
kaonavi
0
240
Amazon S3 Tables + Amazon Athena / Apache Iceberg
okaru
0
220
ソフトウェア開発現代史: "LeanとDevOpsの科学"の「科学」とは何か? - DORA Report 10年の変遷を追って - #DevOpsDaysTokyo
takabow
0
160
20250408 AI Agent workshop
sakana_ai
PRO
13
2.8k
Devinで模索する AIファースト開発〜ゼロベースから始めるDevOpsの進化〜
potix2
PRO
2
1.2k

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
Embracing the Ebb and Flow
colly
85
4.6k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
19
1.1k
Done Done
chrislema
183
16k
Code Reviewing Like a Champion
maltzj
522
39k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Mobile First: as difficult as doing things right
swwweet
223
9.6k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.1k
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.6k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Making Projects Easy
brettharned
116
6.1k
Bash Introduction
62gerente
611
210k

Transcript

  1. Thomas Vitale Devoxx Ukraine Sep 2nd, 2022 Supply Chain Security

    For Cloud Native Java @vitalethomas

  2. Systematic • Software Architect at Systematic, Denmark. • Author of

    “Cloud Native Spring in Action” (Manning). • OSS Contributor. Thomas Vitale thomasvitale.com @vitalethomas

  3. Software Supply Chain #devoxxUA @vitalethomas

  4. Software Supply Chain The set of everything needed to deliver

    software to production, including code, dependencies, tools, practices, and people. #devoxxUA @vitalethomas

  5. #devoxxUA @vitalethomas Software Supply Chain Every step has multiple security

    risks and impacts CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security Source Code Build Materials Artefacts Deployment

  6. Supply Chain Security Tools are not enough ORGANIZATION PRACTICES TOOLS

    #devoxxUA @vitalethomas

  7. Where to begin? #devoxxUA @vitalethomas

  8. Containerization #devoxxUA @vitalethomas

  9. Dockerfiles “Dockerfiles are easy to write, but the current development

    guidelines do not produce containers that are repeatable and hardened.” #devoxxUA @vitalethomas CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security

  10. Cloud Native Buildpacks #devoxxUA @vitalethomas

  11. buildpacks.io #devoxxUA @vitalethomas

  12. Image pack build Cloud Native Buildpacks From source code to

    container image #devoxxUA @vitalethomas Cloud Native Buildpacks https://buildpacks.io

  13. Cloud Native Buildpacks From source code to container image Separation

    of concerns Security and compliance Maintainability Advanced caching Multi-language and multi-platform Reusability #devoxxUA @vitalethomas Cloud Native Buildpacks https://buildpacks.io

  14. paketo.io #devoxxUA @vitalethomas

  15. #devoxxUA @vitalethomas Software Supply Chain Every step has multiple security

    risks and impacts CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security Source Code Build Materials Artefacts Deployment

  16. Securing a software supply chain 1 Securing the Source Code

    CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security 2 Securing the Materials 3 Securing the Build Pipelines 4 Securing the Artefacts 5 Securing Deployments #devoxxUA @vitalethomas

  17. 1. Securing the Source Code #devoxxUA @vitalethomas

  18. #devoxxUA @vitalethomas Require signed commits Keyless Git signing with Sigstore

    Sigstore gitsign https://github.com/sigstore/gitsign # Sign all commits git config --local commit.gpgsign true # Sign all tags git config --local tag.gpgsign true # Use gitsign for signing git config --local gpg.x509.program gitsign # gitsign expects x509 args git config --local gpg.format x509

  19. #devoxxUA @vitalethomas Sigstore gitsign https://github.com/sigstore/gitsign

  20. 2. Securing the Materials #devoxxUA @vitalethomas

  21. #devoxxUA @vitalethomas Generate an immutable SBOM Software Bills of Materials

    with Syft Syft https://github.com/anchore/syft syft band-service • Generate a SBOM from a pre-built image pack sbom download band-service • Extract SBOMs generated at build-time with Buildpacks

  22. #devoxxUA @vitalethomas Scan software for vulnerabilities Vulnerability scanning with Grype

    Grype https://github.com/anchore/grype grype ./repos/band-service • Scan source code grype band-service • Scan container image

  23. #devoxxUA @vitalethomas

  24. #devoxxUA @vitalethomas

  25. #devoxxUA @vitalethomas

  26. #devoxxUA @vitalethomas https://theoryof.predictable.software/articles/ a-closer-look-at-cvss-scores/

  27. #devoxxUA @vitalethomas https://theoryof.predictable.software/articles/ a-closer-look-at-cvss-scores/

  28. 3. Securing the Build Pipelines #devoxxUA @vitalethomas

  29. #devoxxUA @vitalethomas Eliminate sources of non-determinism Reproducible builds with Cloud

    Native Buildpacks Cloud Native Buildpacks https://buildpacks.io Image pack build Image pack build Time = =
  30. None

  31. SLSA Framework #devoxxUA @vitalethomas

  32. #devoxxUA @vitalethomas SLSA https://slsa.dev

  33. SLSA https://slsa.dev #devoxxUA @vitalethomas

  34. SLSA Level 1 Documentation of the build process #devoxxUA @vitalethomas

    Build ❖ All build steps de fi ned in a script Provenance ❖ Provenance data available to the consumer SLSA https://slsa.dev

  35. #devoxxUA @vitalethomas in-toto https://in-toto.io

  36. 4. Securing the Artefacts #devoxxUA @vitalethomas

  37. #devoxxUA @vitalethomas Sign every step in the build process Signing

    artefacts with Sigstore cosign cosign sign band-service • Sign container image cosign attest \ -—predicate predicate.att \ --type slsaprovenance \ band-service • Sign provenance and add attestation to image Sigstore cosign https://github.com/sigstore/cosign

  38. SLSA Level 2 Tamper resistance of the build service #devoxxUA

    @vitalethomas Source ❖ Every change to the source is tracked in a version control system Build ❖ All build steps ran using some build service, not on a developer’s workstation SLSA https://slsa.dev Provenance ❖ Data in the provenance obtained from build service ❖ The provenance’s authenticity and integrity can be veri fi ed by the consumer.

  39. 5. Securing Deployment #devoxxUA @vitalethomas

  40. #devoxxUA @vitalethomas Perform verification of artefacts Verifying signatures and provenance

    with Kyverno • Keyless veri fi cation of image signature • If missing compliance, the deployment is blocked • Keyless veri fi cation of the SLSA provenance metadata • If missing compliance, the deployment is blocked. Kyverno https://kyverno.io

  41. Cartographer #devoxxUA @vitalethomas

  42. #devoxxUA @vitalethomas Cartographer https://cartographer.sh

  43. Minimal Supply Chain Source -> Image -> URL Deploy to

    Kubernetes Package as container image Checkout source code

  44. Resources #devoxxUA @vitalethomas

  45. https://github.com/ThomasVitale/awesome-spring

  46. Thomas Vitale Devoxx Ukraine Sep 2nd, 2022 Supply Chain Security

    For Cloud Native Java @vitalethomas Source code: https://github.com/ThomasVitale/band-service