Software supply chain security has never been more critical, and protecting our systems from bad actors and vulnerabilities is a constant challenge.
Do you know whether your Git commits are being manipulated without your knowledge? Are you confident that you have complete visibility of all the libraries and dependencies in your application JARs and container images? Can you trust the results of your vulnerability scanner? And how can you verify the integrity of your applications in production?
This presentation will show you how to secure the supply chain for your Java applications. We'll cover a range of techniques, patterns, and technologies for secure dependency management, source code integrity, safe builds, vulnerability scanning of Java source code and images, signing and verifying production artifacts, and patching strategies. We'll also explore options for handling supply chain security in a Kubernetes-native way.
But this isn't just a theoretical discussion. You'll see a live demonstration of the practices and technologies we'll discuss based on the cutting-edge SLSA framework and the CNCF WG Security research. We'll use open-source tools like Gradle, Sigstore, Cloud Native Buildpacks, Trivy, Syft, and Kyverno.
Thomas Vitale
Systematic
Thomas Vitale is a software engineer and architect specialized in building cloud native, resilient, and secure enterprise applications. He’s the author of “Cloud Native Spring in Action” published by Manning. He's a CNCF Ambassador and Oracle ACE Pro. Thomas designs and develops software solutions at Systematic, Denmark, where he’s been working on modernizing platforms and applications for the cloud native world, focusing on developer experience and security.
Some of his main interests and focus areas are Java, Spring Boot, Kubernetes, Knative, and cloud native technologies in general. Thomas supports continuous delivery practices and believes in a collaboration culture aimed at working together to deliver value to users, customers, and businesses. He likes contributing to open source projects in the Java and cloud native space, and sharing knowledge with the community.
Thomas has an MSc in Computer Engineering, specializing in software from the Polytechnic University of Turin (Italy). He is a CNCF Certified Kubernetes Application Developer, Pivotal Certified Spring Professional, and Red Hat Certified Specialist in OpenShift Application Development. His speaking engagements include those for Devoxx, SpringOne, Spring I/O, KubeCon+CloudNativeCon, GOTO, DevCon, DevTalks, and J4K.