How to Create a Secure Build Pipeline
powered by TelekomSee the stage
As a developer, you expect to get practical, technical content when you attend a conference. Java Stage is designed to bring you this and also networking with other developers, people who are dealing with the same challenges as you do. The agenda of the day brings you 4 practical hands-on sessions, real time coding and the latest insights.
Here's what we'll be exploring on the Java Stage
How to Create a Secure Build Pipeline
Polyglot Programming using GraalVM
OpenJDK / HotSpot Virtual Machine
Get knowledge from the brightest digital minds.
When3 Oct - 12:15-13:30
GraalVM is a pluggable and embeddable VM designed for running programs written in multiple different languages. Supported programming languages could be combined together within a single program, where data structures are shared among these languages efficiently without any additional serialization overhead.
In this session i will shortly introduce GraalVM architecture and Truffle framework that is used to provide individual language support. I will then demonstrate existing language implementations provided by Oracle Labs using several examples including a simple polyglot web application. Attendees who will bring their own laptops with GraalVM downloaded in advance from https://www.graalvm.org/downloads will have a chance to follow up instructions and get some hands-on experience with becoming polyglot programmers using GraalVM.
• Polyglot programming is made easy using GraalVM (https://www.graalvm.org)
• Combining multiple languages does not undermine performance.
• Want to implement a high performance VM for your language? Use Truffle and GraalVM!
Preparation steps for participants should be as follows:
1) Download GraalVM from https://www.oracle.com/technetwork/oracle-labs/program-languages/downloads/index.html
(in case you run on Windows OS, please use some sort of virtualization technology, e.g. VirtualBox (https://www.virtualbox.org/), to get GraalVM running on your machine, inside a virtual Linux box)
2) After unpacking GraalVM to your computer, run the following command:
$GRAALVM_HOME/bin/gu install R ruby
in order to get R and ruby support installed to your machine ($GRAALVM_HOME stands for the GraalVM installation directory).
Bruno starts coding in Machine Language on a Commodore Vic20 when he was 12 years old. He’s been coding in C since 1988 in his firs job and then in Java since 1996.
He developed distributed objects and large scale application for the enterprise using RMI, CORBA and J2EE. In 1999 he coaches one of the first group that adopts XP (eXtreme Programming) method in Italy.
In 2002 he has co-founder of Java User Group Torino, in 2005 he’s recognized as Java Champion. He has been promoting Java technologies as a speaker in Italy at developer conferences like Webbit, AgileDay, JavaConference, Javaday and in Europe at Devoxx, Jazoon and Geecon. Now he settled in London and enjoys the weather.
When3 Oct - 10:30-11:45
In this workshop, I will explain how to build a secure delivery pipeline for your Java application implementing automation security early in the process and building security in the product rather than applying it to a finished product.
After a 20 minutes introduction and explanation of the topic using some slides we will dive in, installing and configuring the required software components one by one and see how, at each stage, the pipeline is able to detect different problems offering you the ability to solve them early. We will be using Jenkins as our CI solution and on top of that we will add the various pieces needed to build our pipeline, including but not limited to static code analysis (SAST), dependencies analysis (SCA) and sensitive information scanning,
You will learn:
• why DevSecOps and continuous security are important
• how embed early in the development process security controls
• what are the commercial and open source tools available for the job
For this session, if you want to take active part you will need a laptop with Java and Maven configured (the one you use to code basically) and where you can install software. It’s okay also to just follow and take notes. You should also generally be familiar with Jenkins.
Volker Simonis works in SAP JVM Technology group.
He is an OpenJDK contributor from the very beginning and helped SAP to engage in the OpenJDK project. He’s the project lead of the OpenJDK PowerPC/AIX and s390x porting projects, a JDK reviewer and JCP Executive Committee representative for SAP. He’s also a member of the JSR 379 (Java SE 9) to 386 (Java SE 12) Expert Groups.
When3 Oct - 14:30-15:45
Class Data Sharing (CDS) helps to improve startup performance and reduce memory footprint by storing preprocessed class metadata on disk and sharing it between VM instances. You’ll learn how to use it, how it works, which improvements you can expect and what the future plans for CDS look like.
Description (links are in Markdown format):
Class Data Sharing (CDS) is a feature introduced in Java 5 to improve startup performance and reduce the memory footprint of Java by storing the preprocessed class metadata of system classes on disk and sharing it between virtual machines. During the last years, CDS has been constantly improved. In OpenJDK 10, CDS has been extended by AppCDS which additionally allows sharing of application classes between VM instances (see [JEP 310: “Application Class-Data Sharing”](http://openjdk.java.net/jeps/310 )
In this talk I will briefly introduce CDS and AppCDS and demonstrate how it can be used. While CDS is well documented, the usage of AppCDS with application classes and custom class loaders still requires a lot of hand crafting so I’ll introduce a small tool which helps automating these tasks. After presenting some memory consumption and performance numbers, I will do a short deep-dive into the implementation details and describe some of the challenges. I will also show how [Strings and Symbols can be stored in the CDS archive](http://openjdk.java.net/jeps/250 ) and shared across VM instances since OpenJDK 9. Finally I’ll detail on some of the latest developments like live archive creation and multiple archive support.
After the talk, the audience should have a better understand of CDS/AppCDS and be able to decide whether it makes sense to use it for their own applications.
I will use my 13 years of experience as a software tester and my 9 years of expertise as senior trainer in order to support my customers in their effort to be more innovative while approaching the quality process and testing because I strongly believe that brain can be used for creation and machines for execution
Mario-Leander Reimer is a chief technologist for QAware GmbH.
He is a senior Java developer with several years of experience in designing complex and large-scale distributed system architectures. He is continuously looking for innovations and ways to combine and apply state-of-the-art technology and open source software components in real-world customer projects. He studied computer science at Rosenheim and Staffordshire University and he is also teaching cloud computing as a part time lecturer.
When3 Oct - 16:15-17:30
Cloud native applications are popular these days. They promise superior reliability and almost arbitrary scalability. They follow three key principles: they are built and composed as microservices. They are packaged and distributed in containers. The containers are executed dynamically in the cloud. But all this comes at a price: added complexity! Suddenly you need to consider important cloud native design principles such as service exposition, configuration, resilience, health checks, metrics, monitoring and tracing.
This session is a comprehensive hands-on guide showing how to develop state-of-the-art cloud native applications with Java EE 8 and MicroProfile APIs. We will start by giving a brief overview of the latest API additions and improvements. Then we will implement, build, package and deploy our first working microservice.
Next, we will dive into the details of implementing enterprise-ready microservices and cover topics such as synchronous and asynchronous service exposition via JAX-RS and JMS, data binding and content marshalling using the JSON-B 1.0 and JSON-P 1.1 APIs, handling state and persistence in a cloud native context, and addressing configuration, resiliency and diagnosability using MicroProfile APIs.
•Basic knowledge of how to design and build cloud native applications using Java EE 8
•Basic knowledge of how to deploy and run Java EE 8 microservices using Docker and Kubernetes
• Hands on experience with the latest APIs and cloud native technologies
Prerequisites for the session
He is a Java passionate developer with many years of experience, always wanting to work on challenging projects. An Artificial Intelligence enthusiast that wants to learn how to learn
When3 Oct - 10:00-10:30
What is the right attitude when facing performance issues, with technical examples from personal experience.
To get access on the Java Stage, you need to purchase a Java PRO Pass.
Share this with your collegues.