Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing the Supply Chain for Your Java Applica...

Securing the Supply Chain for Your Java Applications

Software supply chain security has never been more critical, and protecting our systems from bad actors and vulnerabilities is a constant challenge.

Do you know whether your Git commits are being manipulated without your knowledge? Are you confident that you have complete visibility of all the libraries and dependencies in your application JARs and container images? Can you trust the results of your vulnerability scanner? And how can you verify the integrity of your applications in production?
This presentation will show you how to secure the supply chain for your Java applications.

We'll cover a range of techniques, patterns, and technologies for secure dependency management, source code integrity, safe builds, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. We'll also explore options for handling supply chain security in a Kubernetes-native way.

But this isn't just a theoretical discussion. You'll see a live demonstration of the practices and technologies we'll discuss based on the cutting-edge SLSA framework and the CNCF WG Security research. We'll use open-source tools like Gradle, Sigstore, Cloud Native Buildpacks, Trivy, Syft, and Kyverno.

Thomas Vitale

October 06, 2023
Tweet

More Decks by Thomas Vitale

Other Decks in Technology

Transcript

  1. Thomas Vitale Devoxx Belgium Oct 6th, 2023 Securing the Supply

    Chain For Your Java Applications @vitalethomas
  2. Systematic • Software Engineer and Cloud Architect. • Author of

    “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas
  3. Software Supply Chain The set of everything needed to deliver

    software to production, including code, dependencies, tools, practices, and people. @vitalethomas
  4. Software Supply Chain Every step has multiple security risks and

    impacts CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security Source Code Build Dependencies Artifacts Deployment @vitalethomas
  5. Git Source control Audit trail of every change Can we

    trust it? Who did this change? @vitalethomas
  6. Require signed commits Make the audit trail trustworthy Traditional Git

    signing with keys (GPG, SSH…) Reject unveri fi ed commits Keyless Git signing with Gitsign @vitalethomas $ git commit -S -m “My changes”
  7. Require signed commits Git signing with GPG keys # Sign

    all commits git config --local commit.gpgsign true # Sign all tags git config --local tag.gpgsign true # Set the GPG signing key ID git config --local user.signingkey <key-id> @vitalethomas
  8. Require signed commits Keyless Git signing with Sigstore Sigstore Gitsign

    https://github.com/sigstore/gitsign # Sign all commits git config --local commit.gpgsign true # Sign all tags git config --local tag.gpgsign true # Use Gitsign for signing git config --local gpg.x509.program gitsign # Gitsign expects x509 args git config --local gpg.format x509 @vitalethomas
  9. Dependency Management Java Where are we fetching the dependencies from?

    How are dependency con fl icts solved? Which dependencies are we fetching? @vitalethomas
  10. Locking Dependency Versions Generating a lock fi le with Gradle

    @vitalethomas $ gradle dependencies —write-locks dependencyLocking { lockAllConfigurations() } build.gradle
  11. Locking Dependency Versions Generating a lock fi le with a

    Maven plugin @vitalethomas $ mvn se.vandmo:dependency-lock-maven-plugin:lock <build> <plugins> <plugin> <groupId>se.vandmo</groupId> <artifactId>dependency-lock-maven-plugin</artifactId> <version>1.0</version> <executions> <execution> <id>check</id> <phase>validate</phase> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin> </plugins> </build> pom.xml
  12. SBOM “A Software Bill of Materials (SBOM) is a nested

    inventory for software, a list of ingredients that make up software components.” NTIA https://ntia.gov/SBOM @vitalethomas
  13. SBOMs What can we use them for? Inventory of all

    software components Validate the licenses for each component Check for security vulnerabilities @vitalethomas Find outdated components Verify integrity for each component
  14. SBOM from an artifact Using Syft Syft https://github.com/anchore/syft syft band-service.jar

    • Generate a SBOM from a JAR syft ghcr.io/thomasvitale/band-service • Generate a SBOM from an OCI image @vitalethomas
  15. SBOM from the source code Using the CycloneDX Generator cdxgen

    https://cyclonedx.github.io/cdxgen cdxgen -o bom.json • Generate a SBOM from the source code @vitalethomas
  16. SBOM as part of the build lifecycle Using the CycloneDX

    Gradle plugin CycloneDX Gradle Plugin https://github.com/CycloneDX/cyclonedx-gradle-plugin @vitalethomas $ gradle build plugins { id 'org.cyclonedx.bom' version '1.7.4' } tasks.build.finalizedBy 'cyclonedxBom' build.gradle
  17. SBOM as part of the build lifecycle Using the CycloneDX

    Maven plugin @vitalethomas $ mvn package <plugins> <plugin> <groupId>org.cyclonedx</groupId> <artifactId>cyclonedx-maven-plugin</artifactId> <executions> <execution> <phase>package</phase> <goals> <goal>makeAggregateBom</goal> </goals> </execution> </executions> </plugin> </plugins> pom.xml CycloneDX Maven Plugin https://github.com/CycloneDX/cyclonedx-maven-plugin
  18. VEX “Vulnerability Exploitability eXchange (VEX) is a vulnerability document designed

    to complement a Software Bill of Materials (SBOM) that informs users of a software product about the applicability of one or more vulnerability findings.” OpenVEX http://openvex.dev @vitalethomas
  19. Packaging Spring Boot JAR & Container Image JAR OCI Image

    Gradle bootJar Maven package Gradle bootBuildImage Maven spring-boot:build-image @vitalethomas Native Gradle nativeCompile Maven -Pnative native:compile
  20. Dockerfiles “Dockerfiles are easy to write, but the current development

    guidelines do not produce containers that are repeatable and hardened.” CNCF Software Supply Chain Security Paper https://github.com/cncf/tag-security/tree/main/supply-chain-security @vitalethomas
  21. Image pack build Cloud Native Buildpacks From source code to

    container image @vitalethomas Cloud Native Buildpacks https://buildpacks.io
  22. Image pack build gradle bootBuildImage Cloud Native Buildpacks From source

    code to container image @vitalethomas Cloud Native Buildpacks https://buildpacks.io
  23. Eliminate sources of non-determinism Reproducible builds with Cloud Native Buildpacks

    Cloud Native Buildpacks https://buildpacks.io Image pack build Image pack build Time = = @vitalethomas
  24. Sign every step in the build process Signing artifacts with

    Sigstore Cosign Sigstore Cosign https://github.com/sigstore/cosign @vitalethomas Sign binaries (JAR, native executable) Sign SBOM Sign OCI image
  25. Sign every step in the build process Signing artifacts with

    Sigstore Cosign cosign sign band-service • Sign container image cosign attach sbom --sbom bom.json band-service • Attach SBOM to container image Sigstore Cosign https://github.com/sigstore/cosign @vitalethomas cosign sign band-service:<digest>.sbom • Sign SBOM
  26. SLSA Build Supply chain security levels for the build provenance

    Level 1 The artifact has provenance showing how it was built. Level 2 The build runs on a hosted build platform that generates and signs the provenance itself. SLSA https://slsa.dev Level 3 The build runs on a hardened build platform that offers strong tamper protection (non-falsi fi able provenance). @vitalethomas
  27. SLSA GitHub Provenance Generator SLSA Build Level 3 @vitalethomas name:

    Build on: [push] jobs: build: ... provenance: needs: [build] permissions: actions: read id-token: write packages: write uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] with: image: ${{ image-name }} digest: ${{ image-digest }} registry-username: ${{ registry-username }} secrets: registry-password: ${{ secrets.GITHUB_TOKEN }} SLSA GitHub Generator https://github.com/slsa-framework/slsa-github-generator
  28. Validating artifacts metadata Verify signatures with Sigstore Cosign Sigstore Cosign

    https://github.com/sigstore/cosign @vitalethomas $ cosign verify \ --certificate-identity-regexp \ https://github.com/ThomasVitale \ --certificate-oidc-issuer \ https://token.actions.githubusercontent.com \ ghcr.io/thomasvitale/band-service | jq
  29. Validating artifacts metadata Verify provenance with SLSA Veri fi er

    SLSA Veri fi er https://github.com/slsa-framework/slsa-veri fi er $ slsa-verifier verify-image \ ghcr.io/thomasvitale/band-service:<digest> \ —source-uri github.com/ThomasVitale/band-service
  30. Perform verification of artifacts Verifying signatures and provenance with Kyverno

    • Keyless veri fi cation of image signature • If missing compliance, the deployment is blocked • Keyless veri fi cation of the SLSA provenance metadata • If missing compliance, the deployment is blocked. Kyverno https://kyverno.io @vitalethomas
  31. Resources Software supply chain security • Presentation source code •

    How to create SBOMs in Java with Maven and Gradle • SnakeYaml 2.0: Solving the unsafe deserialization vulnerability • What Are Cloud Native Buildpacks and How Do They Work? • OWASP Dependency Track and CycloneDX SBOM Standard • Chainguard Academy @vitalethomas
  32. Thomas Vitale Devoxx Belgium Oct 6th, 2023 Securing the Supply

    Chain For Your Java Applications @vitalethomas