Devoxx UK 2024 - Day 1
Last week I had the pleasure of attending Devoxx UK with colleagues from a client.
Here are notes, links, etc. to talks I attended on Day 1.
I’ll link to the YouTube videos when available.
Opening Keynote: Joy and Innovation in Programming Through a Childlike Learning Approach
Opening Keynote: Code Play Repeat: How to learn any Programming Language
Entertaining and engaging speaker. Yes, I learn stuff this way without even realising it.
Opening Keynote: Fun for Now
Excellent and engaging speaker, had multiple talks at this event but I only managed this one.
Securing the Supply Chain for Your Java Applications
Good talk introducing concepts of Supply Chain Security, VEX and SBOM.
There are two emerging standards, CycloneDX and SPDX; the suggestion was that the former has more applications supporting it.
Some of the specifics:
- Signing of git commits - but there is plenty of debate about whether this is a good thing to do.
- There is a Maven plugin for generating SBOM files.
- The order of repositories in Maven can be important.
- A native executable (with GraalVM) has a reduced attack surface vs a JAR.
- Cloud Native Buildpacks - remove the need for a Dockerfile, selecting/securing base images, etc.
- The SBOM can be generated at build time and then the SBOM file (not the JAR) scanned later in the pipeline.
- The stored SBOM can be re-scanned in the future against newly published vulnerabilities, with no need to re-scan the JAR.
- Can load SBOMs into other applications to track, manage, etc.
- OWASP Dependency Track for managing SBOMs. Open source project with helm charts.
- Use this for signing artefacts:
  - Binaries
  - Images
  - SBOMs
SLSA - Supply-chain Levels for Software Artifacts:
- Provides provenance
- Sign for verification
Then, in the deployment pipeline:
- Verify signatures
- Verify provenance (SLSA)
- Verify vulnerability report
- …
See also examples: supply-chain-security-java
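As an added example (my own, not code from the talk or from the linked repo) of the "scan the SBOM, not the JAR" point above: a small Python script that re-checks a stored CycloneDX JSON SBOM against an advisory list published after the build, then applies a CycloneDX VEX document to drop findings the vendor has marked not affected. The SBOM, the advisory ids (EXAMPLE-*), the org.example packages and the VEX are constructed sample data, not real vulnerabilities; the version comparison is a numeric simplification of Maven's ordering.

```python
"""Re-scan a stored CycloneDX SBOM against a newer advisory list, then apply VEX.
Added example, stdlib only. All data below is constructed sample data."""
import json

# Constructed CycloneDX 1.5 JSON SBOM, shaped like what a Maven plugin emits at build.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/lib-a@2.3.0",
     "name": "lib-a", "version": "2.3.0", "purl": "pkg:maven/org.example/lib-a@2.3.0"},
    {"type": "library", "bom-ref": "pkg:maven/org.example/lib-b@1.0.4",
     "name": "lib-b", "version": "1.0.4", "purl": "pkg:maven/org.example/lib-b@1.0.4"},
    {"type": "library", "bom-ref": "pkg:maven/org.example/lib-c@5.1.2",
     "name": "lib-c", "version": "5.1.2", "purl": "pkg:maven/org.example/lib-c@5.1.2"}
  ]
}"""

# Constructed advisory feed published after the build: package purl (without version)
# plus the first fixed version. Hypothetical ids, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:maven/org.example/lib-a", "fixed_in": "2.3.1"},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:maven/org.example/lib-b", "fixed_in": "1.1.0"},
    {"id": "EXAMPLE-2024-0003", "package": "pkg:maven/org.example/lib-c", "fixed_in": "5.0.0"},
]

# Constructed CycloneDX VEX document: the vendor states lib-b is not affected
# (vulnerable code not reachable), referencing the component by its bom-ref.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-2024-0002",
     "affects": [{"ref": "pkg:maven/org.example/lib-b@1.0.4"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}
  ]
}"""


def parse_version(version):
    """Numeric dotted versions only. Simplification: real Maven ordering also
    handles qualifiers such as -SNAPSHOT or .Final."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split 'pkg:maven/group/artifact@version' into (package, version)."""
    package, _, version = purl.rpartition("@")
    return package, version


def scan_sbom(sbom_json, advisories):
    """Return [(advisory_id, bom_ref)] for every component below the fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        package, version = split_purl(component["purl"])
        for adv in advisories:
            if adv["package"] == package and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((adv["id"], component.get("bom-ref", component["purl"])))
    return findings


def apply_vex(findings, vex_json):
    """Drop findings that a VEX document marks not_affected for that exact component."""
    vex = json.loads(vex_json)
    suppressed = set()
    for vuln in vex.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") == "not_affected":
            for affected in vuln.get("affects", []):
                suppressed.add((vuln["id"], affected["ref"]))
    return [finding for finding in findings if finding not in suppressed]


if __name__ == "__main__":
    raw = scan_sbom(SBOM_JSON, ADVISORIES)
    print("raw findings:", raw)
    print("after VEX:   ", apply_vex(raw, VEX_JSON))
```

Nothing here needs the original JAR, which is the whole point: keep the SBOM from the build and re-run the check whenever the advisory feed changes. At scale this is what a tool such as OWASP Dependency Track does for you, including keeping the VEX analysis state alongside the component.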
Smooth Sailing in the Cloud-Native Storm: Tools for better confidence in microservices development
Testing against containerised apps. This is good to do at a service level.
Testcontainers is something I already use to spin up Docker containers I am developing/testing. I know it can be used to spin up dependencies, e.g. Redis, Mongo, etc., but I didn't realise each of these comes with a specific API.
My attention was drawn to the second part of the talk, on Microcks, which feels like something I should look into as a possible replacement for other tools I use: bringing all test resources within Testcontainers.
See also:
Other info:
- Testcontainers is now owned by Docker.
- There is a free Testcontainers Desktop application.
- There is a paid-for Testcontainers Cloud service. Use cases:
  - Cannot install/run Docker locally
  - …
- Testcontainers Slack.
Ideas from this:
- Contribute with a NiFi test container.
11 Practices to improve your productivity and reduce your frustration with Kubernetes
- Using Power tools for kubectl.
- Aliases, but this can get silly.
- waiting for conditions, e.g. deployment to be ready.
- Generating yaml manifests
- etc, etc, - see the slides and the talk…
Other:
- Demos also used command-line fuzzy finder which looked an interesting addition to my shell.
- Didn't cover k9s due to time, but it was used as part of other demos. I'm currently using it and it is well worth a look.
Link to slides
Ideas / Things to try from this:
- Running minikube using devcontainers.
- Running a multi-node cluster using kind.
- Using the power tools.
DevSecOps in Action: Achieving Continuous Compliance with GitLab
Presented by GitLab employee on GitLab functionality, so no surprises it was GitLab specific.
The functionality discussed was premium, i.e. £££, but it showed how GitLab can help with DevSecOps compliance and integrate tooling into the development process, with the checks and balances forming part of the build pipelines.
Spring Security: The Good Parts
Worked examples of Spring Boot authentication and filters.
Continuous Profiling, the missing piece of your observability puzzle
Introduced me to the concept of profiling.
Tools:
Gotchas:
- Beware of the Java safepoint bias: a sampling profiler that only captures stack traces when threads reach a JVM safepoint attributes time to the nearest safepoint rather than to where the thread actually spent it, so hot spots can be misplaced.