divabot ([personal profile] reddragdiva) wrote 2017-06-19 12:40 pm

How to manage security for spring boot apps?

Dear Lazyweb! How do you manage keeping spring boot applications up to date?

We run an arseload of Java webapps. Our devs have taken a strong liking to spring boot, where everything including the Tomcat is uploaded as a JAR. A delight for them, but somewhat of a concern for the sysadmins who are the people first dealing with security issues.

So I've been asked to come up with recommendations to deal with this, and I haven't a clue as to how to do this other than laborious iterative checking, or automated versions thereof. Nor can I find recommendations.

Has anyone else got this problem or one like it? (Where applications are uploaded as a package that then runs.) What do you do?
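An added example for the question above, not code from the original post or from any commenter: a small Python script that opens a Spring Boot executable JAR, lists the dependency jars nested inside it, parses artifact names and versions out of their file names, and flags anything below a minimum version you supply. It relies on the Spring Boot fat-JAR layout (dependencies under BOOT-INF/lib/ from Spring Boot 1.4 onward, under lib/ in earlier 1.x builds); the sample JAR it builds in memory and the minimum-version table it checks against are constructed placeholders, not advisory data. This is the "automated version" of the iterative check: a sysadmin can run it over every deployed JAR and get an inventory without rebuilding anything.

```python
"""Inventory the libraries bundled inside a Spring Boot executable ("fat") JAR.

Added example for the question above, not code from the original post.
Assumes the Spring Boot fat-JAR layout: dependencies live under BOOT-INF/lib/
(Spring Boot 1.4 and later) or lib/ (earlier 1.x releases). The sample JAR
and the minimum-version table below are constructed placeholders.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

LIB_PREFIXES = ("BOOT-INF/lib/", "lib/")

# Maven-style file name: <artifactId>-<version>.jar, where the version starts
# with a digit. The artifactId group is non-greedy so hyphenated names survive
# (tomcat-embed-core-8.5.11.jar -> tomcat-embed-core / 8.5.11).
ARTIFACT_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def list_bundled_jars(jar_bytes: bytes) -> List[str]:
    """Return the entry paths of all nested dependency jars, sorted."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.startswith(LIB_PREFIXES) and name.endswith(".jar")
        )


def parse_artifact(entry_path: str) -> Tuple[str, str]:
    """Split a nested jar path into (artifactId, version); 'unknown' if unparseable."""
    base = entry_path.rsplit("/", 1)[-1]
    match = ARTIFACT_RE.match(base)
    if match is None:
        return base[:-len(".jar")], "unknown"
    return match.group("artifact"), match.group("version")


def inventory(jar_bytes: bytes) -> Dict[str, str]:
    """Map each bundled artifactId to the version shipped in this JAR."""
    return dict(parse_artifact(path) for path in list_bundled_jars(jar_bytes))


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only (4.3.7.RELEASE -> (4, 3, 7)).

    Deliberately simpler than Maven's version ordering; good enough to flag a
    build that is behind a known-good minimum. An unparseable version yields
    an empty tuple and therefore always compares as outdated.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_outdated(inv: Dict[str, str], minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, shipped, minimum) for every bundled library below its minimum."""
    outdated = []
    for artifact, minimum in sorted(minimums.items()):
        shipped = inv.get(artifact)  # libraries not bundled in this JAR are skipped
        if shipped is not None and version_key(shipped) < version_key(minimum):
            outdated.append((artifact, shipped, minimum))
    return outdated


def build_sample_boot_jar() -> bytes:
    """Constructed stand-in for a Spring Boot fat JAR; only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\nMain-Class: org.springframework.boot.loader.JarLauncher\n",
        )
        zf.writestr("BOOT-INF/classes/com/example/App.class", b"")
        for lib in (
            "spring-core-4.3.7.RELEASE.jar",
            "tomcat-embed-core-8.5.11.jar",
            "jackson-databind-2.8.7.jar",
            "commons-lang3-3.5.jar",
        ):
            zf.writestr("BOOT-INF/lib/" + lib, b"")  # empty payload; contents are irrelevant
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_boot_jar()  # for a real deployment: open(path, "rb").read()
    inv = inventory(jar)
    for artifact, version in sorted(inv.items()):
        print(f"{artifact:<24} {version}")
    # Constructed thresholds for the demo, not real advisory data.
    placeholder_minimums = {"tomcat-embed-core": "8.5.20", "jackson-databind": "2.8.7"}
    for artifact, shipped, minimum in find_outdated(inv, placeholder_minimums):
        print(f"OUTDATED: {artifact} ships {shipped}, want >= {minimum}")
```

Pointed at the JARs actually deployed (rather than at the build tree), this gives the sysadmins their own view of what is running, including the embedded Tomcat, independent of what the developers think they shipped. The minimum-version table is the piece you maintain from whatever vulnerability feed you trust; the file-name parsing is a heuristic, so anything reported as "unknown" deserves a manual look at the jar's own META-INF/MANIFEST.MF or pom.properties.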

[personal profile] bob 2017-06-19 09:28 pm (UTC)
So containers have the same problem. You don't actually know what is being used and deployed without some tooling around that.

One solution is the build pipeline makes new artifacts with all dependencies every $timeperiod, then runs tests and deploys.
[personal profile] bob 2017-06-19 09:33 pm (UTC)
The blockchain?
[personal profile] pndc 2017-06-21 08:18 pm (UTC)
$TATBAZAAR has a crack security team who make HMRC look cheerful, and who externalise their lack of being gruntled onto whichever department has drunk the DevOps Kool-Aid and is pretending security doesn't exist. I would find this utterly hilarious to watch if I hadn't myself been seconded onto the front line to unbugger the target of their ire before they get really upset. (I assume there are financial penalties in internal funny money, but that is way above my pay grade.)

Have you tried breaking fingers? Developers can't produce insecure crap if they can't type.