Software supply chain security has never been more critical, and protecting our systems from bad actors and vulnerabilities remains a constant challenge. In the Java ecosystem, the severe vulnerabilities affecting the widely used Log4J2 library made it even more evident that we must have a strategy to protect our systems.

This hands-on masterclass will guide you in securing the supply chain for your Spring Boot applications. It will cover a range of techniques, patterns, and technologies for secure dependency management, source code integrity, safe builds, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and implementing patching strategies.

AGENDA

• Understanding the need for software supply chain security, the role of application developers, and lessons learned from past incidents like Log4Shell.
• Ensuring your Git commits are not manipulated without your knowledge.
• Obtaining secure and predictable dependency management for Spring Boot using Maven and Gradle, ensuring artifact integrity with Sigstore and SLSA, and understanding how to configure the Spring Boot starter dependencies in case of critical vulnerabilities.
• Generating Software Bill of Materials (SBOM) for Java applications packaged as JARs, container images, and native executables for getting complete visibility of all the libraries and dependencies in your Spring Boot applications.
• Secure, reproducible, and efficient container images for Spring Boot using Cloud Native Buildpacks, providing a superior developer experience and no need for Dockerfiles.
• Reducing the attack surface of Spring Boot applications with GraalVM native compilation and understanding how GraalVM can help increase the security degree of your Java supply chains.
• Performing vulnerability scans and license compliance checks for Spring Boot using OWASP CycloneDX, DependencyTrack, and Trivy.

PRE-REQUISITES

• Familiarity with Java and core Spring Boot.
• Laptop with a Java IDE and Docker Desktop/Podman Desktop installed.
• A GitHub personal account.