February 1-2, 2023 | Seattle, WA

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for CloudNativeSecurityCon North America 2023 to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Pacific Standard Time (PST), UTC -8. To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

The schedule is subject to change.


Wednesday, February 1

7:30am PST

Continental Breakfast 🥐
Wednesday February 1, 2023 7:30am - 9:00am PST
6ABC Lobby

7:30am PST

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
Attendees will go through Health + Safety on the 6th floor of the Seattle Convention Center to show proof of vaccination or a negative COVID-19 test and pick up their badge.

Wednesday February 1, 2023 7:30am - 6:00pm PST
6ABC Lobby

9:00am PST

Keynote: Welcome + Opening Remarks - Priyanka Sharma, Executive Director, Cloud Native Computing Foundation
Speakers
Priyanka Sharma

Executive Director, CNCF
Priyanka is the Executive Director of the Cloud Native Computing Foundation (CNCF) which serves as the vendor-neutral home for 100+ of the fastest-growing open source projects, including Kubernetes, Prometheus, and Envoy. She is also a co-creator of the Inclusive Naming Initiative...


Wednesday February 1, 2023 9:00am - 9:15am PST
Room 6AB

9:15am PST

Keynote: Fighting The Next War - Future Threats to OSS and Software Supply Chain Security - Brian Behlendorf, Managing Director, Open Source Security Foundation
Buffer overflows, typo-squatting, leaked credentials - many of the biggest problems in securing software today are the same greatest hits since the 1990s. More or less once a year we see a novel kind of security attack, taking advantage of some new centralized service, a weakness we incorrectly assumed could not be exploited, or a new IT advancement that changes everything. As a keynote speech given at a 2023 Q1 conference, we are now legally required to mention ChatGPT, but ignoring the hype, the prospect of AI enabling uncanny spear-phishing or automating mass pull requests with backdoors seems much less sci-fi today than it would have a year ago. What other new kinds of attacks could emerge, and what should OSS projects do to prepare?

Speakers
Brian Behlendorf

General Manager, Open Source Security Foundation, The Linux Foundation
Brian Behlendorf is the General Manager for Blockchain, Healthcare and Identity. He was a primary developer of the Apache web server, the most popular web server software on the Internet, and a founding member of the Apache Software Foundation. He has also served on the board of the...


Wednesday February 1, 2023 9:15am - 9:30am PST
Room 6AB

9:30am PST

Sponsored Keynote: Cloud Security’s Hidden Force: Threat Detection - Loris Degioanni, Founder and CTO, Sysdig
Threats to containers and cloud services are growing. All it takes is a vulnerable dependency, or a configuration mistake, and the entire environment is compromised. Guarding against every unknown is impossible: that’s why providing security teams with solid visibility of threats, and a path for responding to them, is so important. Threat detection is a powerful opportunity for the cloud native security community. Together, we can defend against vulnerabilities that security teams haven’t yet addressed.

In this keynote, Loris Degioanni, Founder and CTO of Sysdig, will talk about why your last line of defense is just as important as your first (and likely more so).

Speakers

Loris Degioanni

Founder and CTO, Sysdig
Loris (he/him) is the Chief Technology Officer & Founder of Sysdig. He is also the creator of the popular open source troubleshooting tool, sysdig, and the open source container security tool Falco. He is the co-author of a new book, Practical Cloud Native Security with Falco. Prior...


Wednesday February 1, 2023 9:30am - 9:35am PST
Room 6AB

9:35am PST

Keynote: Picture this! Solving Security Problems Visually with eBPF - Liz Rice, Chief Open Source Officer, Isovalent
eBPF is a wonderful platform for the next generation of security tools, but there can be a big gap between detailed events at the kernel level and meaningful, understandable information that security and platform teams can act on. Let’s look at some examples of graphs and visualizations that aggregate information collected through eBPF and that can help us answer security-relevant questions much more easily than wading through logs.

Speakers
Liz Rice

Chief Open Source Officer, Isovalent
Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium cloud native networking, security and observability project. She is on the Board of OpenUK, and was Chair of the CNCF TOC in 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She...


Wednesday February 1, 2023 9:35am - 9:50am PST
Room 6AB

9:50am PST

Sponsored Keynote: From Google to NIST — The Future of Cloud Native Security - Zack Butcher, Founding Engineer in Product, Tetrate
Learn about the latest trends on cloud native security from creators of the NIST microservices standards. In this talk, Zack Butcher from Tetrate will dive into the driving forces behind the new standards of microservices security, how the standards are evolving, and what you must know about projects such as Istio & Envoy to get ahead of the curve.

Speakers
Zack Butcher

Founding Engineer in Product, Tetrate
Zack Butcher is a Tetrate founding engineer and co-author of Istio Up and Running (O’Reilly, 2019). One of the earliest engineers on Istio, Zack worked on its policy, telemetry, and networking. He helped design and implement the core abstractions Istio presents to users. Zack is...


Wednesday February 1, 2023 9:50am - 9:55am PST
Room 6AB

9:55am PST

Keynote: Learn by Hacking: How to Run a 2,500 Node Kubernetes CTF - Andrew Martin, CEO, ControlPlane & Andrés Vega, VP of Operations, ControlPlane
TAG Security has run a CTF at Cloud Native Security events since 2020, but with a twist: instead of dastardly black hat hackers duelling for the title of Ultimate Kuberninja, we’ve focused on helping everybody to hack, teaching approachable security principles to increase the industry’s level of cloud native security expertise in novel and engaging ways.

In this talk, Andrés and Andy detail their learnings, techniques, and often last-minute fixes needed to run Kubernetes CTFs with thousands of nodes, hundreds of cloud native hackers, and buckets of coffee. During these distributed orchestration challenges the events have seen servers burned, scenarios shredded, and authentication bypassed in all sorts of nefarious ways by the willing and able players of the game.

In this talk we detail our experience and discuss:
  • How to build a tumultuous and exciting CTF challenge
  • Why hands-on practice is the best way to ingrain security concepts
  • When automating a chaotic cluster pipeline doesn't scale
  • Why points don’t always win prizes
  • And how sharing knowledge helps us grow together

Speakers
Andres Vega

Vice President of Operations, ControlPlane
Andrés Vega is Vice President of Operations at ControlPlane, focused on securing modern applications from supply-chain and runtime attacks with a zero trust, continuous security approach. He is also an open source maintainer, contributor, and author.
Andrew Martin

CEO, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...


Wednesday February 1, 2023 9:55am - 10:10am PST
Room 6AB

10:10am PST

Sponsored Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline - Saurabh Wadhwa, Senior Solutions Engineer, Uptycs
Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services.
When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target.

This session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:
  • Why developer laptops are often an entry point for attackers—now more than ever
  • How to gather real-time "device integrity" or security hygiene checks for zero-trust access
  • How to audit for malicious Chrome extensions or vulnerable software packages
  • How to tie together identity and GitHub activity on the laptop with CI/CD actions


Speakers
Saurabh Wadhwa

Senior Solutions Engineer, Uptycs
Saurabh is a Senior Solutions Engineer at Uptycs focusing on securing cloud and container workloads. Saurabh has been passionate about working in the cybersecurity industry for the last 11+ years having worked in the UEBA, SIEM, Threat Intelligence, XDR, and CSPM spaces. He graduated...



Wednesday February 1, 2023 10:10am - 10:15am PST
Room 6AB

10:15am PST

Keynote: Closing Remarks - Emily Fox, Security Engineer, Apple; Liz Rice, Chief Open Source Officer, Isovalent; Brandon Lum, Software Engineer, Google
Speakers
Liz Rice

Chief Open Source Officer, Isovalent
Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium cloud native networking, security and observability project. She is on the Board of OpenUK, and was Chair of the CNCF TOC in 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She...

Emily Fox

Security Engineer, Apple
Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 12 years to drive a cultural change where security is unobstructive, natural, and...

Brandon Lum

OSS Security Software Engineer, Google
Brandon loves designing and implementing computer systems (with a focus on Security, Operating Systems, and Distributed/Parallel Systems). Brandon is a Co-chair of the CNCF Security TAG, and as a part of Google's Open Source Security Team, he works on improving the security of the...


Wednesday February 1, 2023 10:15am - 10:20am PST
Room 6AB

10:30am PST

Coffee Break ☕
Wednesday February 1, 2023 10:30am - 11:00am PST
Halls 6CE

10:30am PST

Solutions Showcase
Wednesday February 1, 2023 10:30am - 6:45pm PST
Halls 6CE

11:00am PST

Cryptographic Agility: Preparing Modern Apps for Quantum Safety and Beyond - Natalie Fisher, VMware
In 2012, the vulnerability Heartbleed was discovered, then patched in 2014. But because organizations were slow to respond, hackers managed to steal 4.5 million healthcare records. In 2019 over 200,000 systems were still unpatched. Why is it difficult to change or update these protocols? IT organizations are not aware of the encryption they are using, which applications are using it, or how it is used, and customers have no unified way to transition between cryptography standards and libraries or to manage cryptographic configuration and compliance. Recent advances in quantum computing and global government initiatives have prompted a new sense of urgency in migrating public key cryptography to quantum-safe standards. Modern and legacy apps will benefit from crypto agility schemes leveraging proxies, policy-driven configuration, and orchestrated management. The session will help to prepare enterprises of every size for the cryptographic migration to come -- no matter where your apps are deployed.

Speakers
Natalie Fisher

Senior Product Line Manager, VMware
Natalie is a Senior Product Line Manager in the Advanced Technologies Group within the Office of the CTO. A lifelong learner, she’s always been fascinated with emerging technology and the endless possibilities and solutions one could dream up. Having spent many years in product...



Wednesday February 1, 2023 11:00am - 11:35am PST
Room 608
  101 Track
  • Content Experience Level Any

11:00am PST

Identity Based Segmentation for a ZTA - Zack Butcher, Tetrate & Ramaswamy Chandramouli, National Institute of Standards and Technology
Zero Trust is all about replacing implicit trust based on the network -- traditional perimeter security and an "access is authorization" model -- with explicit trust based on identity and runtime authorization. This means applications must authenticate and authorize service-to-service communication in addition to end users. This gives rise to patterns like identity aware proxies and the service mesh for enforcing access. We'll discuss a quick-and-easy definition for what a "zero trust architecture" is and discuss how a common use case -- application communication from cloud to prem through a DMZ -- can be simplified with identity aware proxies (and policy!), leading to organizational agility.

Speakers
Ramaswamy Chandramouli

Senior Computer Scientist, National Institute of Standards and Technology
Dr. Ramaswamy Chandramouli has over 36 years of professional experience in Information System design, development, and implementation with the last 24 years dedicated to computer security research. He is currently a Senior Computer Scientist at the Computer Security Division at National...

Zack Butcher

Founding Engineer in Product, Tetrate
Zack Butcher is a Tetrate founding engineer and co-author of Istio Up and Running (O’Reilly, 2019). One of the earliest engineers on Istio, Zack worked on its policy, telemetry, and networking. He helped design and implement the core abstractions Istio presents to users. Zack is...


Wednesday February 1, 2023 11:00am - 11:35am PST
Room 609

11:00am PST

Network Security at Scale: L3 Through L7 at Splunk - Mitch Connors, Aviatrix & Bernard Van De Walle, Splunk
What does it take to securely connect dozens of clusters across multiple cloud providers at Splunk scale, while not disrupting the agility that is required to compete in the modern marketplace? How do you balance security at L3 and L4 with the flexibility and identity needs of L7? Join us to explore Splunk’s networking stack, starting at multi-cloud VPCs for L3, and Istio for L4 and L7. We’ll also discuss how some of the pain points in this architecture are driving the new Istio Ambient design.

Speakers
Mitch Connors

Principal Software Engineer, Aviatrix
Mitch Connors is a Principal Software Engineer at Aviatrix, and serves on the Istio Technical Oversight Committee. Over the past 16 years, Mitch has worked at Google, F5 Networks, Amazon, an Industrial IoT startup, and State Farm Insurance, giving him a broad perspective on the needs...
Bernard Van De Walle

Traffic Engineering Lead, Splunk
Bernard is a traffic engineer at Splunk. He is leading the Istio and service mesh efforts as part of the traffic engineering team. Before this, Bernard had experience with operations for large scale deployments of Kubernetes and reverse proxies such as Envoy and Nginx.



Wednesday February 1, 2023 11:00am - 11:35am PST
Room 612

11:00am PST

Standardization and Security - A Perfect Match - Ravi Devineni & Vinny Carpenter, Northwestern Mutual
How often have you scrolled through Netflix and had trouble finding something to watch? Or found yourself standing, staring at a kaleidoscope of flavors of ice cream at the grocery store? Choice is a luxury. We all prefer to have more options, not fewer. This is why ample choices are often considered a symbol of privilege. However, there comes a point when too many choices can start to hinder our decision-making ability. Too many choices can also hinder our security posture. At Northwestern Mutual, we’ve had multiple tools (choices) - multiple systems for source code, build, artifact storage, deployment, etc. Furthermore, we had various patterns of development and templates, with teams left with the choice to pick “what’s best for them.” All the evidence indicated that all this choice was causing the teams to feel overwhelmed, creating inefficiency and increasing our time to market: a paradox of choice. A paradox of choice with an overabundance of options can lead to anxiety, dissatisfaction, and many ways to exploit systems. So we decided to tackle this. There are several technical, cultural, and organizational implications to this. Join us as we share the story of how Northwestern Mutual improved our Cloud Security posture through standardization.

Speakers
Ravi Devineni

Senior Director of Engineering, Northwestern Mutual
Ravi Devineni is a Senior Director of Engineering at Northwestern Mutual for a team responsible for DevOps, CI/CD and Open source tooling for the enterprise. Ravi is also an active speaker having spoken at several DevOps and Cybersecurity conferences. Previously Ravi worked at companies...

Vinny Carpenter

Vice President of Engineering, Northwestern Mutual
Vinny Carpenter is a Vice President of Engineering in Infrastructure and Cloud Services (ICS), leading the Cloud and DevOps Engineering organization at Northwestern Mutual (NM). Vinny is an accomplished and results-driven Technology Leader with over 30 years of experience and substantial...



Wednesday February 1, 2023 11:00am - 11:35am PST
Room 602/603
  Security Education + Teaming
  • Content Experience Level Any

11:00am PST

How to Secure Your Supply Chain at Scale - Hemil Kadakia & Yonghe Zhao, Yahoo
In this session we will present a high-level system that protects against attacks — like unauthorized access, exploiting known vulnerabilities, injecting malicious software — by integrating open source tools such as Grafeas, Sigstore, Screwdriver, Kyverno & Anchore. In short, providing a unified solution for securing various aspects of the software supply chain. As one of the top ten visited websites on the Internet, Yahoo's massive scale across hybrid cloud and mobile platforms makes the security of our brands paramount — especially in today's evolving software supply chain landscape. This talk will deep dive into our primary use cases of source code scanning, security misconfiguration detection, vulnerability management, and protecting K8s deployments using dynamic policies. Attendees will leave with a framework for successfully managing the same tools Yahoo uses to simplify the developer experience.

Speakers
Hemil Kadakia

Principal Software Engineer, Yahoo
Hemil Kadakia has been leading the effort of software supply chain security at Yahoo and likes developing tools for making developers' lives easier. He has also been a contributor to open source projects like Grafeas, Kyverno & Grafeas-RDS.
Yonghe Zhao

Software Engineer, Yahoo
Yonghe Zhao is a Software Dev Engineer in the Paranoids group at Yahoo. He is responsible for designing & implementing security-related software systems at Yahoo. He uses Go, AWS, Ansible, Docker, Kubernetes, and PostgreSQL in his daily work.



Wednesday February 1, 2023 11:00am - 11:35am PST
Room 606/607
  Supply Chains

11:50am PST

Yes, Application Security Leads to Better Business Value. Learn How from Experts. - Larry Carvalho, RobustCloud; Hillary Benson, Gitlab; Kirsten Newcomer, Red Hat; David Zendzian, VMware
Cloud native technologies give organizations a much better toolset to gain the agility to meet business challenges. According to a CNCF survey, security is one of the top three challenges in migrating to cloud native architectures. Inadequate confidence in security leads to fewer innovative solutions. DevSecOps and Shift Left are security practices that ensure vulnerabilities are found much earlier in a development process, improving confidence to deploy cloud native applications. Larry Carvalho, Principal Consultant at RobustCloud, will moderate this session. Hillary Benson, from Gitlab, will highlight how cloud native technologies, paired with the right strategy and toolset, present an outsized opportunity to reduce unnecessary security risk drastically. Kirsten Newcomer, from Red Hat, will share how to holistically secure your platform and application and enable teams to build secure pipelines with security controls as close to the developer as they wish. David Zendzian, from VMware, will discuss how shifting left security outcomes can only partially translate into building new skills for the developer community. In this session, you will hear examples of companies using application security practices to reduce the risk of non-compliance and deliver innovative solutions.

Speakers
David Zendzian

Head of Tanzu Global Field CISO team at VMware, VMware Tanzu
David has over 30 years Information Technology and Security experience and is the Head of VMware Tanzu Global Field CISO team. David came to VMware/Pivotal from a stealth startup bank where he was CISO responsible for building the complete security program for a startup FDIC regulated...
Larry Carvalho

Principal Consultant, RobustCloud
Larry Carvalho of RobustCloud LLC provides strategy and insight into the adoption of Edge and Cloud Computing technologies. He provides advisory services and works closely with customers and vendors to help all parts of the ecosystem understand cloud computing, map business goals...
Kirsten Newcomer

Director, Cloud Security Product Management, Red Hat
Kirsten works closely with Red Hat’s many security professionals across the Red Hat portfolio of enterprise-ready open source offerings. Kirsten is a diversified software management professional with 15+ years of experience in security, application development and infrastructure...

Hillary Benson

Director, Product Management, Gitlab
Hillary Benson is the Director of Product Management for GitLab’s suite of security and data science offerings. Before GitLab, she held roles as a startup product executive, security practitioner, and intelligence professional with the National Security Agency. Hillary holds an...



Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 608
  101 Track
  • Content Experience Level Any

11:50am PST

On Establishing a Production Zero Trust Architecture - Frederick Kautz, SPIFFE/SPIRE
Join Frederick Kautz in developing a sound strategy for a Zero Trust Architecture. We will start by developing a working definition of Zero Trust for inclusion in your organization's security policies, standards, and procedures. We'll then learn how to use various CNCF and other open source technologies to achieve this. The initial focus will be on cryptographic identities for workloads. We will then discuss defining controls that implement your organization's security policies. DevOps/DevSecOps organizational requirements must also be defined, including automation of the application and observability requirements to help your Security Operations Center know the health of your system and respond to threats. We will then discuss how to onboard legacy systems into your Zero Trust environment. Finally, we will have a short discussion on changing your organization's culture to adopt these technologies without bulldozing the valid concerns of your security experts or application architects.

Speakers
Frederick Kautz

Steering Committee Member, SPIFFE/SPIRE
Co-Chair, KubeCon + CloudNativeCon NA 2022, EU 2023, NA 2023; Co-Author of the CNCF Cloud Native Security White Paper; SPIFFE Steering Committee Member; GitBOM Co-Creator and maintainer; NSM Co-Creator and Committer; Co-Author of Solving the Bottom Turtle (https://spiffe.io/book/); X-Factor CNF...


Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 612

11:50am PST

What's a Zero-Trust Tunnel? Exploring Security and Simpler Operations with Istio Ambient Mesh - Jim Barton & Marino Wijay, Solo.io
One of the most common drivers for service mesh adoption is security compliance. Large enterprises in heavily regulated industries or the public sector must adopt practices like a zero-trust security posture both inside and at the edge of their application networks. Service mesh platforms like CNCF's Istio project are growing in popularity as a vehicle for meeting these challenges. In September 2022, Google and Solo.io announced the release of Istio Ambient Mesh to the community. Ambient offers a revolutionary data-plane architecture that allows service mesh users to ditch sidecars. It delivers an enhanced security posture while slashing operational complexity and enabling incremental mesh adoption, all while reducing cost and computational overhead within a service mesh. This talk will review the new sidecar-less architectural option available with Ambient. We'll discuss the two new complementary layers: a zero-trust tunnel (ztunnel) that secures Layer 4 connectivity, and a waypoint proxy that delivers Layer 7 security policies and behaviors. A demonstration will illustrate how these new components work together in practice.

Speakers
Jim Barton

Field Engineer, Solo.io
Jim Barton is a Field Engineer for Solo.io whose enterprise software career spans 30 years. He has enjoyed roles as a project engineer, sales and consulting engineer, product development manager, and executive leader of tech startups. Prior to Solo, he spent a decade architecting...

Marino Wijay

Developer Advocate, solo.io
Marino leads the Developer Relations and Advocacy team at Solo.io. He is passionate about technology and modern distributed systems. He will always fall back to the patterns of Networking and the ways of the OSI. His career has been primarily focused on Data Center and Cloud Networking...



Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 609

11:50am PST

An Introduction to Cloud Native Capture the Flag - Andrew Martin & Andres Vega, ControlPlane
The Cloud Native Capture The Flag (CTF) is available to all in-person CloudNativeSecurityCon attendees. In preparation for getting started with the activity, you are invited to attend an introductory session. Come join us in Room 615/616.

This session aims to introduce how to participate in a CTF competition to those who are new to them. We will share our tips and tricks for completing these challenges and work through a practice scenario together.

Want to know more about the main CTF event? Setup, objectives, and assistance details can be found here.

Speakers
Andres Vega

Vice President of Operations, ControlPlane
Andrés Vega is Vice President of Operations at ControlPlane, focused on securing modern applications from supply-chain and runtime attacks with a zero trust, continuous security approach. He is also an open source maintainer, contributor, and author.
Andrew Martin

CEO, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...


Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 615/616
  Capture The Flag
  • Content Experience Level Any

11:50am PST

More Than Just a Pretty Penny! Why You Need Cybersecurity in Your Culture - Callan Andreacchi & Michaela Flatau, Defense Unicorns
Data breaches, ransomware, and spear phishing, oh my! When cybersecurity attacks aren’t addressed properly, it can result in a loss of trust between companies and their customers. This can have a negative impact on the brand, revenue, and even customer loyalty. Humans will always be a part of cybersecurity and humans are bound to make mistakes. It’s not enough to educate your employees, you must empower your employees to not only identify social engineering tactics, but also admit and own their mistakes. When employees feel a personal connection to the company’s cybersecurity, the likelihood of a cyberattack decreases. Join Callan and Michaela to learn about how to integrate cybersecurity into the very fabric of your workplace culture, leading to identifying potential risks faster and in turn, resolving those risks quickly.

Speakers
Michaela Flatau

Unicorn Collector, Defense Unicorns
Michaela Flatau is an enthusiast of all things workplace culture. She worked through every facet of HR during her six years as a civil servant for the Air Force, where her primary role was researching the tech industry’s workplace culture and bringing best practices to the government...

Callan Andreacchi

Mission Manager, Defense Unicorns
Callan Andreacchi conducted Defensive Cyber Security Assessments for the Department of the Air Force for four years. Assessments varied from full mission risk assessments to helping foreign partners build their initial defensive cyber programs. For the past two years, she has been...



Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 602/603
  Security Education + Teaming
  • Content Experience Level Any

11:50am PST

Package Transparency for WebAssembly Registries - Kyle Brown, SingleStore
WebAssembly (Wasm) is a significant advancement in the portability and security of code, but for Wasm to be useful we need a way to publish and distribute it. This presents a unique opportunity to correspondingly advance the state of the art in supply chain security. That's why the Bytecode Alliance, a Wasm-focused non-profit, is working on developing a new registry protocol for Wasm packages, with security at the center, called warg. Warg is designed to offer "Package Transparency" by building on verifiable data structures from the field of Certificate Transparency. This means that the entire state of a registry can be validated by monitors, replicated by mirrors, and operator compromise can easily be detected. Come attend the talk to learn more about it from two Registry SIG members and implementors!

Speakers
Kyle Brown

Software Engineer, SingleStore
Kyle Brown is a Software Engineer at SingleStore focusing on open source WebAssembly ecosystem development and database extensibility using WebAssembly. Kyle is working with the Bytecode Alliance on the Registry SIG.



Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 606/607
  Supply Chains

11:50am PST

So You Want to Run Your Own Sigstore: Recommendations for a Secure Setup - Hayden Blauzvern, Google
Sigstore, an open-source standard for signing and verifying artifacts, provides free-to-use services that provide identity-based certificates and auditable signatures through a transparency log. These services work well for FOSS, giving maintainers the tooling needed to create signed builds. However, enterprise organizations may have additional needs that are not addressed by the public instances. This could include availability requirements such as regionalization, data residency requirements, privacy concerns with a public log, or requiring policy controls for admitting entries into a log. This talk will discuss motivations for operating private Sigstore services and expectations on the operators. The talk will discuss differences in the threat modeling between public and private instances. Finally, the talk will cover the requirements for operating private instances, including operating a root trust store and the necessary security properties of a private certificate authority and transparency log.

Speakers

Hayden Blauzvern

Software Engineer, Open Source Security Team, Google
Hayden is a software engineer on Google's Open Source Security Team, focused on making open-source software more secure. Hayden is a maintainer on the Sigstore project. Prior to working in open source, Hayden worked for Google Cloud Platform to provide cloud-based PKI.



Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 613/614
  Supply Chains

12:25pm PST

EmpowerUs Cloud Native Security Lunch
Gather with other Cloud Native Security Femmes/Trans/Women for a casual networking lunch. Grab your lunch from the Solutions Showcase and join us at the reserved tables.

Attendees who identify as FTW (Femmes/Trans/Women) and allies are welcome to celebrate and connect with one another as we honor and uplift ourselves and our community. We hope this time allows you to find new connections and build on existing ones as we share stories, listen, uplift one another, and hold space for one another in this space and beyond.

Wednesday February 1, 2023 12:25pm - 1:55pm PST
Halls 6CE

12:25pm PST

Lunch 🍲
Wednesday February 1, 2023 12:25pm - 1:55pm PST
Halls 6CE

1:55pm PST

⚡ Lightning Talk: Software Dark Matter is the Enemy of Software Transparency - Santiago Torres-Arias, Purdue University
Software transparency has become the north star for many interested in software supply chain security. For instance, advocates of software bills of materials (SBOMs) believe that SBOMs provide the data layer that will allow software producers and consumers to achieve software transparency. But there's an unrecognized impediment to achieving software transparency and to creating accurate and complete SBOMs: software dark matter. Software dark matter consists of files that are unregistered by a package manager and therefore effectively invisible to many software composition analysis tools and vulnerability scanners. This software dark matter reduces the utility of security tools and complicates the quest for software transparency. To understand the magnitude of the software dark matter problem, this project analyzed 350 popular Docker Hub images, quantifying the software dark matter percentage. The average popular container is approximately 30 percent dark matter. Using an average weighted by the number of files, the typical container is 60 percent dark matter. The talk finishes with a call to avoid software dark matter in container images.

Speakers

Santiago Torres-Arias

Assistant Professor of Electrical and Computer Engineering, Purdue University
Santiago is an Assistant Professor at Purdue's Electrical and Computer Engineering Department. His interests include binary analysis, cryptography, distributed systems, and security-oriented software engineering. His current research focuses on securing the software development lifecycle...


Wednesday February 1, 2023 1:55pm - 2:00pm PST
Room 602/603

1:55pm PST

Cloud Native Security Landscape: Myths, Dragons, and Real Talk - Edd Wilder-James & Loris Degioanni, Sysdig; Kim Lewandowski, Chainguard; Isaac Hepworth, Google; Randall Degges, Snyk
The open source security landscape is moving fast, and affects you at all parts of the software lifecycle, from creating open source, to consuming it, to remedying vulnerabilities and detecting threats at runtime. The sheer number of moving parts represents great progress, but is challenging when it comes to knowing what to prioritize. Do you like GUAC with your SLSA? Are you equipped to handle the latest OSS vulnerabilities? This panel will discuss where you should pay attention, what's real now, and what's coming in the future. Topics will include:
  • From design-time to run-time: security is a multi-layer concern. All along the software development lifecycle, progress is being made in securing cloud-native; what are the most important projects to know about?
  • It's about the people, naturally: we're being told to "shift left" security focus to the developer, but are we ready for it? What are the challenges of connecting the security teams to developers and architects, and what really works?
  • What is real, what is myth? The field is full of hot takes, from grand ideas that won't take off, to draconian policies that throw the baby out with the bathwater. Where are the real risks, and how do you deal with the myths and the scares?

Speakers

Edd Wilder-James

VP Open Source, Sysdig
Edd’s career spans open standards, open source, and data analytics, in roles covering technology, content, business, and strategy. At Sysdig, his team is committed to growing and investing in the open source security and observability stacks, including Falco, Prometheus and OPA...

Kim Lewandowski

Founder and Product, Chainguard
Kim Lewandowski, Co-Founder and Head of Product at Chainguard, is an engineer turned product manager. She started her career in the security space working for Lawrence Livermore Labs, and most recently worked for Google. She launched a number of cloud enterprise products and...

Isaac Hepworth

Product Manager, Google
Isaac is a Google product manager working on software supply chain integrity within Google’s core infrastructure team, focusing on open source. In this role his work has supported Google’s contributions to OpenSSF's Sigstore, SLSA, and most recently GUAC. Over the last couple...

Loris Degioanni

CTO, Sysdig
Loris Degioanni is the CTO and founder of Sysdig. He is also the creator of the popular open source troubleshooting tool, sysdig, and the CNCF runtime security tool Falco. Prior to founding Sysdig, Loris was one of the original contributors to Wireshark, the open source network analyzer...

Randall Degges

Head of Developer Relations & Community, Snyk
Randall leads Developer Relations and Community at Snyk. He has been writing software for ~20 years and has an extensive background in building and growing technical products.


Wednesday February 1, 2023 1:55pm - 2:30pm PST
Room 608
  101 Track

1:55pm PST

Avoiding IAC Potholes with Policy + Cloud Controllers - Andrew Martin, ControlPlane
In large organisations, enabling and securing self-serve cloud infrastructure for teams hosting their applications on Kubernetes is hard. Most large organisations implement Enterprise Security Architectures featuring IAC pipelines with Policy as Code frameworks at the outset of their cloud journey, which are found to be not fit for purpose when teams use Kubernetes to provision infrastructure either natively, through Services of type LoadBalancer, or using hosted cloud controllers such as Crossplane. In this talk, Rowan will demonstrate how infrastructure and security teams can use policy engines (Kyverno) to secure a model that uses Kubernetes native and hosted cloud controllers (such as Crossplane) to provision infrastructure. This model enables application teams to self-serve, whilst preventing the launch of insecure infrastructure and enforcing compliance and security requirements centrally. To ease adoption of the model, Rowan will open source an example library of policies integrated with OSCAL for commonly used services across AWS, enforcing controls aligned with NIST 800-53 in a manner that can be audited by compliance teams, and simplifying the developer experience by enabling the dynamic generation of cloud resources with secure defaults.

Speakers

Andrew Martin

CEO, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...


Wednesday February 1, 2023 1:55pm - 2:30pm PST
Room 609

1:55pm PST

From the Cluster to the Cloud: Lateral Movements in Kubernetes - Yossi Weizman & Ram Pliskin, Microsoft
As K8s clusters usually reside in the cloud, access to a container in the cluster can be a foothold to the entire cloud workload. In this session, we’ll present novel techniques used in recent real-world attacks which allowed adversaries to move laterally from a container in a K8s cluster to external cloud resources. We'll start with inner-cluster lateral movement: we'll talk about K8s RBAC configurations that unexpectedly allowed inner-cluster lateral movement and were the root cause of vulnerabilities in containerized apps. We'll discuss how one can identify such activities with native K8s tools. We'll continue to cluster-to-cloud lateral movement. The key concept in this area is cluster-to-cloud authentication. We'll introduce the various authentication methods used by the major cloud providers: Azure, AWS and GCP. All of the methods fall into one of these 3 buckets: direct/modified access to IMDS, using K8s as an OIDC identity provider, or storing credentials on the underlying nodes. Every authentication method comes with its default configuration, and many of those unknowingly grant excessive permissions. We'll present real-world recent incidents of cloud environment takeovers which originated in K8s clusters. We'll explain how users can prevent and detect such activities.

Speakers

Yossi Weizman

Senior Security Research Manager, Microsoft
Yossi Weizman is a Senior Security Research Manager at Microsoft Defender for Cloud. He has 12 years of experience in the security research field, starting in the Israeli military. In his current role, Yossi’s main focus is container security. Yossi holds a B.Sc. in Computer Science...

Ram Pliskin

Principal Security Research Manager, Microsoft
Ram is a Principal Security Research Manager in the Cloud Security Research team at Microsoft. Ram gained his expertise serving more than a decade in the IDF Intelligence Corps, where he had hands-on experience in research and software development. He also led a team of security researchers...



Wednesday February 1, 2023 1:55pm - 2:30pm PST
Room 612
  Detections + Incidents + Response

1:55pm PST

OmniBOR: Bringing the Receipts for Supply Chain Security - Frederick Kautz, SPIFFE/SPIRE
Supply chain requirements got you down? Getting an endless array of false positives from your ‘SBOM scanners’? Spending more of your time proving you don’t have a ‘false positive’ from your scanners than fixing real vulnerabilities in your code? There has to be a better way. There is. Come hear from Aeva and Ed about a new way to capture the full artifact dependency graph of your software, not as a ‘scan’ after the fact, but as an output of your build tools themselves. Find out when this feature is coming to a build tool near you.

Speakers

Frederick Kautz

Steering Committee Member, SPIFFE/SPIRE
  • Co-Chair, KubeCon + CloudNativeCon NA 2022, EU 2023, NA 2023
  • Co-Author of the CNCF Cloud Native Security White Paper
  • SPIFFE Steering Committee Member
  • GitBOM Co-Creator and maintainer
  • NSM Co-Creator and Committer
  • Co-Author of Solving the Bottom Turtle (https://spiffe.io/book/)
  • X-Factor CNF...


Wednesday February 1, 2023 1:55pm - 2:30pm PST
Room 606/607
  Supply Chains
  • Content Experience Level Any

1:55pm PST

Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller - Natalie Somersall, GitHub
Self-hosted GitHub Actions runners and Kubernetes are a natural fit, but there's not a lot of guidance on how to put the two together. The leading solution is actions-runner-controller, an open-source community project which provides a controller for autoscaling, ephemeral, and version-controlled compute. It does not, unfortunately, show off how to design and deploy it securely. Natalie leverages her experience building, securing, and advising others in regulated environments to highlight key places where security can be compromised unwittingly. Natalie will overview typical deployment architectures, then cover 3 distinct places where security risk and ease of use collide with insight and resources for navigating these design choices. First the cluster settings are examined to show methods to limit the "blast radius" of a potential bad actor and provide insight into the why and how of using privileged pods. Next, the controller settings are reviewed for how to scope runner deployments and grant permissions within GitHub to provide least-privilege. Lastly, the runner pod is taken apart to show how to build supply chain security into the image and the software it builds for you.

Speakers

Natalie Somersall

Senior Solutions Engineer, GitHub
Natalie is a senior solutions engineer at GitHub serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions - including detours into...



Wednesday February 1, 2023 1:55pm - 2:30pm PST
Room 613/614
  Supply Chains

2:00pm PST

⚡ Lightning Talk: A Secure Software Supply Chain for Open Policy Agent (OPA) Policies - Omri Gazitt, Aserto
Open Policy Agent (OPA) is gaining widespread acceptance as a mature decision engine for enforcing policies in a variety of domains, including Kubernetes admission control (Gatekeeper), configuration file policies (Conftest), and application / API authorization (Topaz). Indeed, OPA policies are becoming an integral part of the cloud-native software supply chain. Security and operations teams have tools for packaging and signing application artifacts, and they need the same capabilities for OPA policies. This lightning talk will describe how to build, tag, and sign OPA policies as OCI containers using the policy CLI, an open source tool that is part of the Open Policy Registry (OPCR) project. The policy CLI can be used to pull and push OPA policies to and from OCI-compliant registries, such as OPCR, GHCR, Docker, or AWS Container Registry. Finally, OPA can now natively pull policy bundles from OCI artifact registries.

Speakers

Omri Gazitt

Co-founder and CEO, Aserto
Omri is the co-founder/CEO of Aserto.com, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's...



Wednesday February 1, 2023 2:00pm - 2:05pm PST
Room 602/603
  ⚡Lightning Talks, Supply Chains
  • Content Experience Level Any
  • Presentation Slides Attached Yes

2:05pm PST

⚡ Lightning Talk: My First Supply Chain Security Pull Request as a 13-Year-Old - Neil Naveen, Middle School
I'm a 13-year-old who recently made my first contribution to GitHub's cli/cli security: https://github.com/cli/cli. Here are my PRs to https://github.com/cli/cli: https://github.com/cli/cli/pulls?q=author%3Aneilnaveen I'll cover how I found the issue, why it was a problem, and how I fixed it. One day, I was watching my dad work and saw that he was creating PRs from the command line. I was amazed. I asked him how he could do that, and he explained that he was using a tool called gh-cli. Later, he talked about Dependabot and how it could be used to secure open-source supply chains. Dependabot alerts the project if a dependency is being updated or has a vulnerability. I considered that adding Dependabot would increase the security of gh-cli. So I opened a PR to add Dependabot to cli.

Speakers

Neil Naveen

8th grader, Middle School
Neil Naveen is an 8th grader in the US who is passionate about jiu-jitsu and solving Leetcode puzzles, and is a book author. https://neilnaveen.dev https://leetcode.com/neilnaveen/


Wednesday February 1, 2023 2:05pm - 2:10pm PST
Room 602/603
  ⚡Lightning Talks, Supply Chains
  • Content Experience Level Any

2:10pm PST

⚡ Lightning Talk: Cloud(Security)Events -- A Lightweight Framework for Security Reactions - Evan Anderson, VMware
With many different sources of security information, making sense of it all can be daunting. CloudEvents is a lightweight standard for recording and routing event information of all types which is easy to extend and supported by a variety of existing tools. In this presentation, Evan will illustrate how CloudEvents can help tie many different security tools together, from proactive supply chain vulnerability notifications to real-time monitoring and reactive data collection. In less than 5 minutes, we’ll show how CloudEvents is useful as a storage format, a data interchange, and as a mechanism for triggering serverless functions to drive remediation of detected issues. In the end, you’ll discover that CloudEvents is not difficult or mysterious, but a helpful tool in the security toolbox for cloud-native practitioners.

Speakers

Evan Anderson

Software Engineer, VMware, Inc
Evan Anderson is a software engineer focused on serverless and cloud-native software systems at VMware. He is one of the founders of the Knative project, and a member of the Knative Technical Oversight Committee. Prior to Knative, he worked on cloud at Google for 10 years. Outside...



Wednesday February 1, 2023 2:10pm - 2:15pm PST
Room 602/603

2:15pm PST

⚡ Lightning Talk: Securing Your Source Repositories - 5 Tips to Get Started! - Billy Lynch, Chainguard
Source Repositories are a critical piece of your software supply chain - they can hold deployment configs, application code, and much more! In this talk we'll cover key basics for getting started with securing repositories, how you can enable them in your own organizations, and next steps you can take.

Speakers

Billy Lynch

Staff Software Engineer, Chainguard
Billy is a staff software engineer at Chainguard, working on developer tools and securing software supply chains for everyone! He is an active contributor to Sigstore and Tekton, and maintains Tekton Chains, Sigstore Gitsign, and more! Prior to working at Chainguard, Billy worked...


Wednesday February 1, 2023 2:15pm - 2:20pm PST
Room 602/603
  ⚡Lightning Talks, 101 Track

2:45pm PST

Beyond Cluster-Admin: Getting Started with Kubernetes Users and Permissions - Tiffany Jernigan, VMware
We've all done it: working on our Kubernetes clusters with "cluster-admin" access, the infamous equivalent of "root". It makes sense when we're just getting started and learning about Pods, Deployments, and Services and we're the only one accessing the clusters anyway; but soon enough, we have entire teams of devs and ops and CI/CD pipelines that require access to our precious clusters and namespaces. Are we going to YOLO and give them our admin certificate, token, or whatever else we use to authenticate? Hopefully not! In this talk, we're going to look at how to implement users and permissions on a new Kubernetes cluster. First, we'll review various ways to provision users, including certificates and tokens. We'll see examples showing how to provision users in both managed and self-hosted clusters, since the strategies tend to differ significantly. Then, we'll see how to leverage RBAC to give fine-grained permissions to these users. We'll put emphasis on repeatability, seeing each time how to script and/or generate YAML manifests to automate these tasks.

Speakers

Tiffany Jernigan

Developer Advocate, VMware
Tiffany is a senior developer advocate at VMware and is focused on Kubernetes. She previously worked as a software developer and developer advocate (nerd whisperer) for containers at Amazon. She also formerly worked at Docker and Intel. Prior to that, she graduated from Georgia Tech...



Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 608
  101 Track

2:45pm PST

Zero Trust Workload Identity in Kubernetes - Michael Peters, Red Hat
Zero Trust principles prescribe that no interactions between services are to be done with any implicit trust. Most current solutions to explicit authorization involve passwords or secret keys, but it's almost impossible to count the number of security breaches that happen because service passwords or keys are improperly stored, not rotated frequently enough, or exposed during rollouts. Every new service added has the potential to exponentially complicate how we secure and deploy those secrets. But what if there was a simpler solution? What if we didn't need those secrets at all? What if the authorization was tied to the workload's identity itself? This is the goal of SPIFFE (the spec) and SPIRE (the implementation). In this talk we'll show how to implement a Zero Trust system that uses workload identity across a service mesh in Kubernetes to provide explicit authorization between services. We'll explore centralized policy enforcement between those services as well as integrations with up-and-coming projects like Keylime (for identity tied to hardware attestation) and Sigstore (for identity during software builds).

Speakers

Michael Peters

Principal Engineer, Red Hat
Michael Peters is a Principal Engineer in Emerging Technologies in Red Hat's Office of the CTO. He is a senior systems engineer and programmer with an emphasis on DevOps, Security, and Operability and is one of the current maintainers of the Keylime project. His experience in both...



Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 609

2:45pm PST

From Illuminating to Eliminating Crypto Jacking Techniques in Cloud Native - Mor Weinberger, Aqua Security
Ever since cryptomining emerged as a novel, promising digital currency technology, its evil twin cryptojacking has gained popularity and become a major type of attack. Threat actors consider this attack low-hanging fruit that lets them easily cash out, since compute power can easily be converted into digital coins. Moreover, defenders often mistakenly perceive this attack as a nuisance rather than as an attack that allows an adversary to freely run remote code on your server. At first threat actors deployed cryptominers on unpatched servers and targeted browsers. Today attackers focus on cloud native environments, including exploiting containers, Kubernetes, CI/CD and SCM platforms. In this talk, we’ll explore the key concepts and techniques related to the evolution of cryptomining and also explain how to proactively protect your environment with open-source tools and approaches that will help you strengthen your security, from static analysis up to runtime protection. Below are some of the topics we shall include:
  • Review of attacks, techniques & exploits
  • The main challenges threat actors face and overcome, how they maximize their gain and conceal their attacks
  • Finally, we will present measures to mitigate and strengthen your environments

Speakers

Mor Weinberger

Staff Supply Chain Security Engineer, Aqua Security
Mor is a Staff Supply Chain Security Engineer at Aqua Security with vast experience in analyzing cloud native security and supply chain threats and developing solutions to defend against them. Mor recently worked alongside CIS to co-create the industry’s first formal guidelines...



Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 612
  Detections + Incidents + Response
  • Content Experience Level Any

2:45pm PST

Demystifying Zero-Trust for Cloud Native Technologies - Kishore Nadendla, TIAA; Mariusz SABATH, IBM Research; Asad Faizi, Eskala.io; Aradhna Chetal, CNCF Security TAG; Philip Griffiths, NetFoundry
A cloud-native platform is empowered by a connected world, but it is also susceptible to malicious activity because of the connectedness of its software, assorted users, devices, distributed applications and services, and the supply chain of its software components. The continuously evolving complexity of current and emerging cloud, multi-cloud, hybrid-cloud and cloud-native network environments, combined with the rapidly escalating nature of adversary threats, has exposed the lack of effectiveness of traditional network cybersecurity defenses. Adopting the Zero-Trust methodology for cloud-native applications must be incorporated and aligned as part of the Cloud Native Maturity Model. This panel discussion will focus on “Zero-Trust Principles, Concepts and implementation approach for cloud-native applications” for the organization's assets (1) users, 2) devices, 3) networking, 4) applications, 5) data) across the following Zero Trust building blocks, and will provide implementation guidelines:
  1. Identity - Device and Human
  2. Policy - Administration and Enforcement
  3. Continuous Assessments - Evaluations and Monitoring
  4. Always secure

Speakers

Aradhna Chetal

Managing Director - Cloud Security; Co-Chair CNCF, CNCF Security TAG
Visionary & Dynamic CISO with demonstrated success in driving Cyber & digital transformation strategies. Implementing Security at speed of Cloud, Conveying complex security topics to a variety of audiences from CEO to security engineers & developers. Transformational management style...

Kishore Nadendla

Sr Lead Engineering Manager - Cloud Security, TIAA
Mr. Nadendla is Sr Lead Engineering Manager at TIAA in Charlotte, NC. Being part of the Cloud Security team, he has been involved in many future state implementations with Cloud Native technologies with Secure Service Mesh, Zero Trust and Supply Chain Security using a Hybrid Clo...

Mariusz Sabath

Senior Software Engineer, IBM Research
Mr. Sabath is a Senior Software Engineer at the IBM T. J. Watson Research Center in Yorktown Heights, NY. Mr. Sabath joined IBM Research in 1997, and since then, he has led several development projects in the area of monitoring, reporting, and performance analysis. His research interests...

Asad Faizi

Founder, CEO, Eskala.io
Seattle-based entrepreneur and technologist, and founder of multiple startups. Over 20 years experience at senior level technical positions at large enterprises including Microsoft, PayPal, Intel Corporation and Netscape, and startups. 10+ years experience with Cloud and Cloud Native...

Philip Griffiths

Head of Advocacy, NetFoundry
Currently working as VP Global Head of Biz Dev for NetFoundry, to drive customer success and transformation by embedding private, Zero Trust, programmable networking into any cloud, device, host or application. Prior to this I was working as VP and GM EMEA, as well as EMEA Partner...


Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 602/603
  Security Education + Teaming

2:45pm PST

Unpacking Open Source Security in Public Repos & Registries - Ben Hirschberg, ARMO
The container ecosystem has exploded in the decade since its introduction, with containers becoming the backbone for the way we package, deploy, orchestrate, schedule & operate our production applications. It's no surprise, then, that so many public-facing resources have popped up over the years, both complementary open source projects & public registries that aggregate commonly used container images. In this talk we will unveil data from first-of-its-kind research conducted by scanning the most popular and widely adopted open source projects (from Grafana to Prometheus, Lens, Helm, ArgoCD and others) and the public registries from which we pull our base images (DockerHub, Quay, GCR, & ECR). We will share how these public-facing resources, leveraged by practically all developers, stack up against common compliance frameworks (CIS, MITRE ATT&CK®, NIST, NSA-CISA), the most common misconfigs, and the prevalence of well-known CVEs (through a Log4J example), with a look at the stats & hard numbers, and any other red flags you need to be aware of when leveraging public resources. We will wrap up with a risk analysis and scoring of the resources, highlight the risks to pay attention to, & provide some best practices to keep your systems & ops safe in this evolving security landscape.

Speakers

Ben Hirschberg

Co-Founder, ARMO
Ben is a veteran cybersecurity and DevOps professional, as well as computer science lecturer. Today, he is the co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced...



Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 613/614
  Supply Chains
  • Content Experience Level Any

2:45pm PST

🦝 Let’s Talk Software Supply Chains with TAG Security - Michael Lieberman, Kusari
The supply chain security working group has been working to provide guidance and resources for projects looking to improve their supply chain security. In this talk, we will discuss the outputs of this working group, including the Software Supply Chain Security Whitepaper, catalog of supply chain compromises, and our reference architecture for a secure supply chain. We will also discuss our recent survey about supply chain security, and have interactive discussions about next steps for this working group. Bring your questions and ideas about supply chain security!

Speakers

Michael Lieberman

CTO, Kusari
Michael Lieberman is an engineer and architect focused on technology transformation. He applies his expertise to use cases where privacy and security are paramount. He has been focused on work within the software supply chain security space. He is an OpenSSF SLSA steering committee...


Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 606/607
  Supply Chains

3:20pm PST

Coffee Break ☕
Wednesday February 1, 2023 3:20pm - 3:50pm PST
Halls 6CE

3:50pm PST

Who Are You? I Really Want to Know… the Magic Behind OIDC - Eddie Zaneski, Chainguard
OpenID Connect, or OIDC, is a mechanism for identity authentication. It is built on top of OAuth 2.0 and is used to establish and verify the identity of a user or service. OIDC is used throughout the Cloud Native world for workload identity federation. This allows your CI pipeline to obtain an API token for your cloud provider without the need to provision long-lived secrets. In this talk, you will learn the ins and outs of how OIDC works. You'll understand the spec and how you can use machine identities to secure your workloads. You'll also see examples of what's possible with OIDC from open source projects like Kubernetes, SPIFFE/SPIRE, and Sigstore.

Speakers

Eddie Zaneski

Software Engineer, Chainguard
Eddie lives in Denver, CO with his wife and dog. He loves open source and works on the Kubernetes and Sigstore projects. When not hacking on random things you'll most likely find him climbing rocks somewhere.



Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 608
  101 Track
  • Content Experience Level Any

3:50pm PST

Securing User to Service Access in Kubernetes - Maya Kaczorowski & Maisem Ali, Tailscale
Kubernetes makes it easy to run and scale your microservices, and Kubernetes automatically assigns the pods running your service an IP address and a DNS name for discovery and routing. Network security concerns for Kubernetes, however, seem to focus on user access to the control plane, using a bastion; or on service-to-service communication within a cluster, using a service mesh. So how should your development team secure access to the internal services you’re running on Kubernetes — is it enough to just use Kubernetes Ingress and a web proxy? In this talk, we’ll focus on the networking and security questions you should consider when exposing Kubernetes services to your users, including authentication and authorization, load balancing, traffic filtering, and encryption. We’ll discuss different options you have for managing access to these services, using Kubernetes Ingress, Kubernetes load balancer objects, service meshes, web proxies, IPsec, and WireGuard. You’ll come away with a better understanding of how to give service access to users, and how these complement other network solutions you might already have in your cluster.

Speakers
MK

Maya Kaczorowski

Head of Product, Tailscale
Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was most recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she... Read More →
MA

Maisem Ali

Member of Technical Staff, Tailscale
Maisem is a Member of Technical Staff at Tailscale, building secure human-scale networks for everyone. He was previously at VMware working on Kubernetes control plane management, and at Google before that. Prior to Google, he was at Microsoft providing Just-in-Time... Read More →



Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 609

3:50pm PST

Get Your Security Priorities Straight! How to Identify Workloads Under Real Threat with Context - Ben Hirschberg, ARMO & Arie Haenel, Intel
Is a privileged container a security threat? Should you spend time defining a pod so it can run with a read-only filesystem? These and similar questions are raised constantly by multiple authors and projects. In most cases, there is a good reason behind these questions. However, the difference between a potential threat and a real one is far from self-explanatory and depends heavily on the circumstances. This is where the answer lies, and we are presenting a security prioritization system for Kubernetes workloads that is based on the MITRE framework and its categorization. This system is built upon data aggregated from a high volume of security controls, covering multiple projects, structured in a way that makes it easy to find contextual information about different problems. We are going to present the algorithm behind the prioritization engine, which calculates a security exposure score for a diversity of Kubernetes workloads. We will then review the results on real production clusters and how they fare against real security analysis, enabling anyone to differentiate between actual threats that should be mitigated quickly and those we can be less concerned about.

Speakers
avatar for Ben Hirschberg

Ben Hirschberg

Co-Founder, ARMO
Ben is a veteran cybersecurity and DevOps professional, as well as computer science lecturer. Today, he is the co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced... Read More →
AH

Arie Haenel

Principal Engineer, Intel
Arie Haenel is a Principal Engineer at Intel, where he leads ASSERT, an Offensive Security Research team. He has over 20 years of professional experience, in security research and security product development on a vast number of platforms, at Intel, Cisco and NDS. In his spare time... Read More →


Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 612

3:50pm PST

Security as Code: A DevSecOps Approach - Xavier René-Corail, GitHub
Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that is free for open source that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline. Finally, we share the lessons learnt from offering security advice to 6 open source projects that have joined our free office hours.

Speakers
avatar for Xavier René-Corail

Xavier René-Corail

Senior Director, Security Lab, GitHub
Hi! I'm the Senior Director of the GitHub Security Lab. My mission is to inspire the open source community, security researchers, and developers to secure open source software through better security practices. Prior to GitHub, I was the Head of Developer Advocacy at Semmle, acquired... Read More →



Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 602/603
  Security Education + Teaming

3:50pm PST

How Do You Trust Your Open Source Software? - Naveen Srinivasan, Endor Labs & Brian Russell, Google
Open source demand continues to explode, yet the processes used to run, test, and maintain these projects are largely opaque. This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about using and maintaining open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecard. Most software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn't it be nice to get a score of the dependency's health? Enter OSSF https://github.com/ossf Scorecard https://securityscorecards.dev. By attending this session, you will learn how to trust an open source project based on Scorecard results. Additionally, you will learn how to automate Scorecard by incorporating it into your development toolchain (just add an API call!). Using this knowledge, you'll be able to build a simple dependency policy for your open-source dependencies. The difference between our last presentation and now is the new API capabilities of Scorecard, which can be utilized to scale.
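The "just add an API call" step, as an added Go example that is not the Scorecard project's code: Fetch reads a project's latest published result from the public Scorecard REST API, and Evaluate applies a dependency policy (an aggregate-score floor plus per-check minimums) to the JSON. The sampleResult below is constructed in the shape of that response and is not a real project's score, and the thresholds in samplePolicy are illustrative rather than recommended:

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
)

// Result holds the fields of a Scorecard API response that a policy needs; the
// real response also carries per-check reasons, details and documentation links.
type Result struct {
	Repo struct {
		Name string `json:"name"`
	} `json:"repo"`
	Score  float64 `json:"score"`
	Checks []struct {
		Name  string `json:"name"`
		Score int    `json:"score"` // 0-10, or -1 when the check could not be evaluated
	} `json:"checks"`
}

// Policy is the consumer's dependency policy: an aggregate-score floor plus per-check minimums.
type Policy struct {
	MinScore           float64
	MinChecks          map[string]int
	FailOnInconclusive bool // treat a -1 score as a failure instead of skipping it
}

// Fetch pulls the latest published result for "owner/name" from the public
// Scorecard API. The offline demo below does not call it.
func Fetch(repo string) (Result, error) {
	var r Result
	resp, err := http.Get("https://api.securityscorecards.dev/projects/github.com/" + repo)
	if err != nil {
		return r, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return r, fmt.Errorf("scorecard API: %s", resp.Status)
	}
	return r, json.NewDecoder(resp.Body).Decode(&r)
}

// Evaluate returns the sorted list of policy violations; an empty list means the
// dependency passes. A required check that is absent from the result is itself a violation.
func Evaluate(raw []byte, p Policy) ([]string, error) {
	var r Result
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var v []string
	if r.Score < p.MinScore {
		v = append(v, fmt.Sprintf("aggregate score %.1f below %.1f", r.Score, p.MinScore))
	}
	seen := map[string]bool{}
	for _, c := range r.Checks {
		floor, required := p.MinChecks[c.Name]
		if !required {
			continue
		}
		seen[c.Name] = true
		switch {
		case c.Score == -1 && p.FailOnInconclusive:
			v = append(v, c.Name+": inconclusive")
		case c.Score != -1 && c.Score < floor:
			v = append(v, fmt.Sprintf("%s: %d below %d", c.Name, c.Score, floor))
		}
	}
	for name := range p.MinChecks {
		if !seen[name] {
			v = append(v, name+": not reported")
		}
	}
	sort.Strings(v)
	return v, nil
}

func samplePolicy() Policy {
	return Policy{MinScore: 6, FailOnInconclusive: true, MinChecks: map[string]int{
		"Dangerous-Workflow": 10, "Binary-Artifacts": 10, "Vulnerabilities": 10,
		"Maintained": 5, "Pinned-Dependencies": 5, "Token-Permissions": 7,
	}}
}

// sampleResult is constructed in the API's JSON shape; it is not a real project's score.
const sampleResult = `{
  "repo": {"name": "github.com/example/dep"},
  "score": 6.8,
  "checks": [
    {"name": "Maintained", "score": 10, "reason": "30 commit(s) in the last 90 days"},
    {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
    {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
    {"name": "Pinned-Dependencies", "score": 3, "reason": "dependency not pinned by hash detected"},
    {"name": "Token-Permissions", "score": -1, "reason": "internal error: could not parse workflow"}
  ]
}`

func main() {
	violations, err := Evaluate([]byte(sampleResult), samplePolicy())
	fmt.Println("violations:", violations, "err:", err)
}
```

For the constructed result the policy yields two violations: Pinned-Dependencies scores 3 against a floor of 5, and Token-Permissions is inconclusive (-1), which this policy treats as a failure rather than skipping. The aggregate 6.8 clears the floor of 6 on its own, which is exactly why a per-check policy matters more than the headline number.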

Speakers
avatar for Naveen Srinivasan

Naveen Srinivasan

Software Engineer, Endor Labs
Naveen contributes to fun OSS projects like https://github.com/ossf and other supply chain security projects. http://github.com/naveensrinivasan Naveen was awarded Google Peer Bonus award for 2021 and 2022 for his OSS contributions.
avatar for Brian Russell

Brian Russell

Program Manager, Google
Brian is a Product Manager on Google’s Open Source Security Team. He focuses on software supply chain security and is actively involved in the OpenSSF Scorecards project. In his spare time, Brian enjoys 3D printing and Atari video game programming.


Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 613/614
  Supply Chains
  • Content Experience Level Any

3:50pm PST

Verifiable GitHub Actions with eBPF - Jose Donizetti & Itay Shakury, Aqua Security
GitHub Actions has become one of the most popular ways to build and release software, and with recent developments in supply chain security it has become a major target for malicious attacks. A couple of years ago a widespread compromise of Codecov, a popular service prevalent in build pipelines, caught the industry's attention. In response, a new solution to protect the build pipeline was created on top of Tracee, an open source runtime security tool, introducing the concept of profiling a build with eBPF and verifying it. In this talk we will present that solution and explore the lessons learned in the two years since the initial release.

Speakers
JD

Jose Donizetti

Open Source Engineer, Aqua
Jose Donizetti is an OpenSource Engineer at Aqua working on projects like Tracee and Trivy. In the past he was running thousands of redis at Shopify platform caching team.
avatar for Itay Shakury

Itay Shakury

VP Open Source, Aqua Security
Itay Shakury is the VP of Open Source at Aqua Security, where he leads engineering for open source, cloud native security solutions. Itay has some 20 years of professional experience in various software development, architecture and product management roles. Itay is also a CNCF Cloud... Read More →



Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 606/607
  Supply Chains

4:40pm PST

Cloud Native Security 101: Building Blocks, Patterns and Best Practices - Rafik Harabi, Sysdig
Moving applications to the cloud promises agility, innovation and better time to market. On the other hand, securing cloud native applications is a multidimensional challenge involving different teams, workflows and different infrastructure and application layers. You may be disrupted by new acronyms such as CWPP, CSPM, KSPM, ... In this talk, we will explain those acronyms and dive into the foundation of cloud native security by discovering the different attack vectors and areas to protect. Then, we will expose common patterns, workflows and best practices to implement a continuous security practice to keep innovating without sacrificing security. Throughout the talk, we will detail the different teams/personas involved during the lifecycle of a cloud native application and the workflow to implement so they can work in tandem to deliver a best-in-class security platform. This talk will focus on patterns and best practices, with few tools mentioned.

Speakers
avatar for Rafik Harabi

Rafik Harabi

Senior Solutions Architect, Sysdig
Rafik has more than 15 years of tech and internet industry experience. Currently, he is a Senior Solution Architect devoted to helping customers secure their cloud native platforms and applications. Before joining Sysdig, he was responsible for executing go-to cloud programmes in... Read More →



Wednesday February 1, 2023 4:40pm - 5:15pm PST
Room 608
  101 Track
  • Content Experience Level Any

4:40pm PST

Improving Secure Pod-to-Pod Communication Within Kubernetes Using Trust Bundles - Thomas Edward Hahn, TCB Technologies, Inc & Mark Hahn, Qualys
New features are being added to Kubernetes which allow for roots of trust to be specified for applications on a cluster. These mechanisms are being added as “trust bundles” (or trust anchor sets). We demonstrate the updates to our previous work in creating convenient mechanisms to provide certificates to every pod, allow pods access to them and use them for mutual authentication. Our work leverages work being done by the cert-manager project, the SPIFFE project and KEP-3257 for trust anchor sets to automate the creation of TLS certificates for every pod and establish patterns for mTLS. Finally, we compare and contrast this to current methods for providing cluster communication security (service meshes) and present areas for refinement. This is a significant rework of our previous presentation and software to work with changes to the Kubernetes Ecosystem as the concepts have been refined and evolved.
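One concrete way to see what a trust bundle buys you, as an added Go example that is not the speakers' software: an in-memory CA issues a short-lived leaf certificate to each pod with a SPIFFE-style URI SAN, the pods' trust anchor set is a CertPool that stands in for a mounted bundle (the ClusterTrustBundle of KEP-3257, or what cert-manager's trust distribution mounts), and the server side requires and verifies the client certificate. Two CAs in one bundle model a rotation window. The SPIFFE IDs and CA names are made up, and the loopback IP SAN exists only because httptest serves on 127.0.0.1:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// ca is a toy trust anchor (cert-manager's issuer in a cluster); pods only ever see its certificate.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func makeCA(name string) ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return ca{cert, key}
}

// issue mints a short-lived leaf for one pod, identified by a SPIFFE-style URI SAN.
func (c ca) issue(spiffeID string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	u, err := url.Parse(spiffeID)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // only so httptest's loopback address verifies
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// bundle is the trust anchor set a pod mounts: every CA it currently trusts. During
// a rotation it holds old and new, so leaves issued by either still chain.
func bundle(cas ...ca) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range cas {
		pool.AddCert(c.cert)
	}
	return pool
}

// callWithMTLS runs a server pod that demands a client cert chaining to serverTrust, then has
// a client pod (clientCert, trusting clientTrust) call it; it returns the caller's SPIFFE ID
// exactly as the server read it from the verified chain.
func callWithMTLS(serverCert, clientCert tls.Certificate, serverTrust, clientTrust *x509.CertPool) (string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Authorization decisions belong here: the verified leaf is the caller's identity.
		w.Header().Set("X-Peer-Id", r.TLS.VerifiedChains[0][0].URIs[0].String())
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the crux of mTLS: no valid client cert, no connection
		ClientCAs:    serverTrust,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		Certificates: []tls.Certificate{clientCert}, RootCAs: clientTrust, MinVersion: tls.VersionTLS12,
	}}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Peer-Id"), nil
}
```

With bundle(oldCA, curCA) on both sides, a client holding an old-CA leaf still reaches a server holding a new-CA leaf and the server sees the client's SPIFFE ID; a leaf from a CA outside the bundle is refused during the handshake, and a client whose own bundle lacks the server's CA refuses to connect at all. Once every pod's bundle carries the new anchor, the old one can be dropped and its leaves stop chaining, which is the rotation the trust-bundle mechanism is meant to make routine.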

Speakers
avatar for Ted Hahn

Ted Hahn

Site Reliability Engineer, TCB Technologies, Inc
Ted Hahn is an SRE for hire working on planet-scale distributed systems.
avatar for Mark Hahn

Mark Hahn

Solutions Architect, Qualys
Mark Hahn is Qualys’s Solutions Architect for Cloud and DevOps Security. In this role he works with Qualys’s clients to ensure that cloud applications and infrastructure are secure and reliable. Mark uses DevSecOps and Site Reliability Engineering practices to ensure that software... Read More →



Wednesday February 1, 2023 4:40pm - 5:15pm PST
Room 609
  Architecture + Identity + Multi-tenancy + Isolation

4:40pm PST

Finding the Needles in a Haystack: Identifying Suspicious Behaviors with eBPF - Jeremy Cowan & Wasiq Muhammad, Amazon Web Services
As the popularity of Kubernetes has grown, so has its appeal as a target. In an increasingly hostile environment, the ability to quickly flag suspicious behaviors and investigate and identify their source is becoming crucial. In this talk you will learn how AWS is using eBPF to identify a variety of security risks, e.g. communication with known command and control systems, Tor clients, cryptocurrency miners, and other malicious activity. You will also hear why AWS put eBPF above other options and the lessons they learned along the way.
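An added example of the matching step such a pipeline ends in, written in Go; it is not AWS's or GuardDuty's detection logic. The eBPF collection itself is not shown: ConnEvent is the kind of record a probe on the connect path delivers to userspace, and Detect runs a few rules over a batch of them. The indicators and events are constructed (RFC 5737 documentation addresses), and the rule names, confidence levels and ATT&CK mappings are this example's own choices:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ConnEvent is the record an eBPF probe on the connect path hands to userspace
// (a tcp_connect kprobe or the security_socket_connect LSM hook, for example).
type ConnEvent struct {
	Container string
	PID       int
	Comm      string // the kernel's 16-byte process name; trivially renamed by malware
	DstIP     net.IP
	DstPort   int
}

// Finding is one flagged event, tagged with the ATT&CK technique it maps to.
type Finding struct {
	Event      ConnEvent
	Rule       string
	Technique  string
	Confidence string
}

// Indicators is the reference data the rules consult. In production the C2
// ranges come from threat-intel feeds and the relay set from the Tor consensus.
type Indicators struct {
	C2Nets       []*net.IPNet
	TorRelays    map[string]bool
	MinerComms   map[string]bool
	StratumPorts map[int]bool
	EgressAllow  map[string]bool // "container:ip" pairs that are expected to talk
}

func (ind Indicators) inC2(ip net.IP) bool {
	for _, n := range ind.C2Nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Detect evaluates a batch of events. Rules run from highest to lowest
// confidence and an event yields at most one finding; the stratum-port rule
// is deliberately "low" because port reuse is common and it needs corroboration.
func Detect(ind Indicators, events []ConnEvent) []Finding {
	var out []Finding
	for _, e := range events {
		if ind.EgressAllow[e.Container+":"+e.DstIP.String()] {
			continue // known-good egress is suppressed before any rule fires
		}
		switch {
		case ind.inC2(e.DstIP):
			out = append(out, Finding{e, "known-c2-destination", "T1071 Application Layer Protocol", "high"})
		case ind.TorRelays[e.DstIP.String()]:
			out = append(out, Finding{e, "tor-relay-destination", "T1090.003 Multi-hop Proxy", "medium"})
		case ind.MinerComms[strings.ToLower(e.Comm)]:
			out = append(out, Finding{e, "miner-process-name", "T1496 Resource Hijacking", "high"})
		case ind.StratumPorts[e.DstPort]:
			out = append(out, Finding{e, "stratum-port-egress", "T1496 Resource Hijacking", "low"})
		}
	}
	return out
}

// sampleIndicators and sampleEvents are constructed for this example; the
// addresses are RFC 5737 documentation ranges, not real infrastructure.
func sampleIndicators() Indicators {
	_, c2, _ := net.ParseCIDR("192.0.2.0/24")
	return Indicators{
		C2Nets:       []*net.IPNet{c2},
		TorRelays:    map[string]bool{"203.0.113.7": true},
		MinerComms:   map[string]bool{"xmrig": true, "minerd": true},
		StratumPorts: map[int]bool{3333: true, 14444: true},
		EgressAllow:  map[string]bool{"web-7f9c:198.51.100.10": true},
	}
}

func sampleEvents() []ConnEvent {
	return []ConnEvent{
		{"web-7f9c", 4121, "nginx", net.ParseIP("198.51.100.10"), 443},    // allowlisted egress
		{"web-7f9c", 4190, "curl", net.ParseIP("192.0.2.44"), 8443},       // C2 range
		{"batch-1", 917, "python3", net.ParseIP("203.0.113.7"), 9001},     // Tor relay
		{"batch-1", 933, "kworkerd", net.ParseIP("198.51.100.200"), 3333}, // renamed miner: only the port gives it away
		{"batch-1", 940, "XMRig", net.ParseIP("198.51.100.201"), 14444},   // miner by name
		{"db-0", 200, "postgres", net.ParseIP("10.0.5.6"), 5432},          // benign
	}
}

func main() {
	for _, f := range Detect(sampleIndicators(), sampleEvents()) {
		fmt.Printf("[%-6s] %-22s %-34s %s/%s -> %s:%d\n", f.Confidence, f.Rule, f.Technique,
			f.Event.Container, f.Event.Comm, f.Event.DstIP, f.Event.DstPort)
	}
}
```

Running it flags four of the six constructed events: the C2 destination, the Tor relay, the renamed miner (caught only by the stratum port, hence low confidence) and the process still called XMRig; the allowlisted nginx egress and the database connection produce nothing. In practice the low-confidence finding would be corroborated with CPU usage and DNS lookups before it pages anyone, and the allowlist is what keeps a rule like this from drowning the SOC in expected traffic.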

Speakers
avatar for Jeremy Cowan

Jeremy Cowan

Developer Advocate Manager, Amazon Web Services
Jeremy Cowan, Developer Advocate Manager. Jeremy has been a huge proponent of containers since 2016 when containers were beginning to emerge as a reasonable way to package and run applications. Since joining AWS in 2015, Jeremy has been a Solutions Architect, Container Specialist, Developer... Read More →
WM

Wasiq Muhammad

Principal Security Engineer, Amazon Web Services
Muhammad Wasiq, Principal Security Engineer. Muhammad Wasiq currently researches and develops threat detection capabilities for Amazon GuardDuty. He has worked on multiple areas of Information Security. Lately he has been spending a good chunk of his time on container threat landscape... Read More →



Wednesday February 1, 2023 4:40pm - 5:15pm PST
Room 612
  Detections + Incidents + Response

4:40pm PST

Security Does Not Need to Be Fun: Ignoring OWASP to Have a Terrible Time - Dwayne McDaniel, GitGuardian
Everyone loves getting security exactly right, every time for their applications. Identifying issues and possible gaps early in the design phase makes implementing security best practices a breeze. No doubt you have been working safely, employing checklists and testing throughout the code delivery process. As hard as it might be to imagine, some teams are actively struggling with security throughout the SDLC. For folks who might not have security completely honed in, it can be overwhelming to even know how to start thinking about security for your web applications. Fortunately, there is an awesome nonprofit community of security-focused professionals who have done a lot of work making it straightforward to correctly design and implement secure apps: Open Web Application Security Project, aka OWASP! This talk will guide you through various tools OWASP makes freely available to test your application and make sure your apps stay secure.

Speakers
avatar for Dwayne McDaniel

Dwayne McDaniel

Security Developer Advocate, GitGuardian
Dwayne has been working as a Developer Relations professional since 2015 and has been involved in the wider tech community since 2005. He loves sharing his knowledge by giving talks, and he has done so at over a hundred events worldwide. Dwayne currently lives in Chicago, and outside... Read More →



Wednesday February 1, 2023 4:40pm - 5:15pm PST
Room 602/603
  Security Education + Teaming
  • Content Experience Level Any

4:40pm PST

Securing Diverse Supply Chains Across Interconnected Systems - Wayne Starr, Defense Unicorns & Aaron Creel, SpaceX
Working within large software systems can make it difficult to determine the full scope of software, libraries and tooling contained within a diverse set of components, often maintained across separate teams and departments. Security teams must become familiar with a wide range of packaging technologies and practices, and often manually aggregate information to make determinations on where vulnerabilities may be present and how to mitigate them. In this talk, we will share how SpaceX is solving this through a layered application of Syft, Grype, and OWASP Dependency Check as Software Bill of Materials (SBOM) and vulnerability discovery tools integrated into their software development process and continuous integration pipelines. This integration has allowed them to reduce the cycle time for developers to respond to potential vulnerabilities, and allowed them to more efficiently prioritize how developers work across projects.

Speakers
WS

Wayne Starr

DevOps Engineer, Defense Unicorns
Wayne graduated from Rochester Institute of Technology in 2016 and commissioned into the United States Air Force, joining the Defense Innovation Unit. There, he worked as a security engineer for the first Air Force Software Factory (Kessel Run), helping reduce cycle time for delivery... Read More →
AC

Aaron Creel

Security Executive & Advisor, SpaceX
Aaron is a security executive with more than 20 years experience in compliance and security policy across both government and commercial sectors. He began his career in the US Coast Guard and has worked in a wide range of roles throughout the security domain, being selected as a Class... Read More →



Wednesday February 1, 2023 4:40pm - 5:15pm PST
Room 606/607
  Supply Chains

5:15pm PST

Sponsor Booth Crawl
Join us onsite for drinks and appetizers, fun, and conversations with old and new friends in the Solutions Showcase. Explore exhibit booths to learn more about the latest technologies, browse special offers and job posts, and much more.

In order to facilitate networking and business relationships at the event, you may choose to visit a third party’s booth. You are never required to visit third party booths. When visiting a booth or by participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), and details about the sponsored content or resources you interacted with. If you choose to interact with a booth or access sponsored content, you are explicitly consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies.




Wednesday February 1, 2023 5:15pm - 6:45pm PST
Halls 6CE
 
Thursday, February 2
 

7:30am PST

Continental Breakfast 🥐
Thursday February 2, 2023 7:30am - 9:00am PST
6ABC Lobby

7:30am PST

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
Attendees will go through Health + Safety on the 6th floor of the Seattle Convention Center to show proof of vaccination or negative COVID-19 test and pick up your badge. 

Thursday February 2, 2023 7:30am - 4:30pm PST
6ABC Lobby

9:00am PST

Keynote: Opening Remarks - Liz Rice, Chief Open Source Officer, Isovalent
Speakers
avatar for Liz Rice

Liz Rice

Chief Open Source Officer, Isovalent
Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium cloud native networking, security and observability project. She is on the Board of OpenUK, and was Chair of the CNCF TOC in 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She... Read More →


Thursday February 2, 2023 9:00am - 9:05am PST
Room 6AB

9:05am PST

Keynote: Panic in San Francisco: The Critical Vulnerability That Wasn't - Shane Lawrence, Staff Infrastructure Security Engineer, Shopify
In October, the OpenSSL team found a critical vulnerability in an open source library used by millions. They warned that they would disclose the bug and release a patch a week later. Their early warning and quick resolution were commendable, but in the intervening days a flurry of speculation and concern set the blogosphere ablaze and Twitter talking. On release day, some websites promising to report details of the vulnerability struggled to keep up with the traffic as herds of security specialists, developers, and sysadmins-turned-devops-turned-platform-engineers refreshed the page in anticipation. When details became available, many of us started to threat model the bug, evaluating how it might be used to harm our systems. And most of us came to the same conclusion: it couldn't. The panic subsided, and the distraction arguably cost more than an exploit could have. In this talk, Shane will summarize the vulnerability and some of his team's efforts to prepare for and respond to it, then consider lessons learned from the experience. Attendees will hear suggestions for implementing strong security programs that allow rapid evaluation and response to supply chain threats so they can be prepared for the next vulnerability, whether it turns out to be a major risk or none at all.

Speakers
avatar for Shane Lawrence

Shane Lawrence

Staff Infrastructure Security Engineer, Shopify
Shane is a Staff Infrastructure Security Engineer at Shopify, where he's working on a multi-tenant platform that allows developers to securely build scalable apps and services for crafters, entrepreneurs, and businesses of all sizes.


Thursday February 2, 2023 9:05am - 9:20am PST
Room 6AB

9:20am PST

Sponsored Keynote: OpenClarity: A Community-Led Approach to Cloud-Native Application Security - Sarabjeet Chugh, Senior Director, Global Head of Product-Led Growth, Cisco
The complexity and distributed nature of modern apps have increased the number of attack vectors. As more mission critical workloads move to cloud native architectures, there is an urgent need to protect new attack surfaces that arise. Yet, there is no single commercial tool that can comprehensively secure cloud native apps. Developers need flexible and extensible tools that are cloud native, and not a bolt on from the legacy world. And because no one knows more about what developers need than developers, it makes sense to come together as a community to create tools that developers love. Security for developers by developers. That’s what the OpenClarity suite of OSS offers - a comprehensive solution to cloud native security. Come hear all about how Cisco is leading the charge on community-powered innovation in cloud native security, AI/ML, API security, observability, network automation, and more.

Speakers
avatar for Sarabjeet Chugh

Sarabjeet Chugh

Senior Director, Global Head of Product-Led Growth, Cisco
Sarabjeet Chugh is the Global Head of Product-Led Growth for Panoptica and Calisti products at Cisco’s business incubation group. He obsesses over delightful developer experience for his products and loves to build engaging content that provides value to users and engineers community... Read More →


Thursday February 2, 2023 9:20am - 9:25am PST
Room 6AB

9:25am PST

Keynote: It Takes a Community to Raise a Conference: From Security Day to CloudNativeSecurityCon - Emily Fox, Security Engineer, Apple
Our baby colo has grown up and ventured out on its own! How did this happen? They grow up so fast!  In less than 4 years we’ve held 7 events in Europe and North America — reaching thousands of practitioners online and in person.  All from a community member’s idea and the passionate volunteers that pulled together to make it real. Emily will share her experience coordinating Security Day - now grown into CloudNativeSecurityCon - and her aspirations for the future of this conference and cloud native security.

Speakers
avatar for Emily Fox

Emily Fox

Security Engineer, Apple
Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 12 years to drive a cultural change where security is unobstructive, natural, and... Read More →


Thursday February 2, 2023 9:25am - 9:40am PST
Room 6AB

9:40am PST

Keynote: Back to the Future: Next-Generation Cloud Native Security - Matt Jarvis, Director of Developer Relations, Snyk
This talk will be a look into one possible future, taking into account multiple strands of emerging technology, and viewed through an almost certainly subjective lens of folks who've both been around through multiple technology iterations over the last decade or more and have the t-shirts and scars to prove it. We'll probably be wrong, but we might get some things right, and we aim to at least be thought provoking. An eye on the future over the hill is always a good idea in our humble opinion, and thinking about those propositions can often engender change in the present!

Speakers
avatar for Matt Jarvis

Matt Jarvis

Director, Developer Relations, Snyk
Matt Jarvis is a Director of Developer Relations at Snyk. Matt has spent more than 15 years building products and services around open source software, on everything from embedded devices to large scale distributed systems. Most recently he has been focused on the open cloud infrastructure... Read More →


Thursday February 2, 2023 9:40am - 9:55am PST
Room 6AB

9:55am PST

Sponsored Keynote: Trust and Risk in the Software Supply Chain - Emmy Eide, Director, Product Security, Red Hat
Building a trusted software supply chain that minimizes risk starts at the very beginning of the development process and continues through the application life cycle. Administering security tests at the end of the development and production cycle or patching running applications is counterproductive to how cloud-native applications are built and secured. Just as automation is key for cloud native development, it’s also critical for cloud native software supply chain security. 
In this talk, we will explore balancing trust and risk throughout the entire supply chain using open source projects. We will look at why trusted supply chains are necessary, what it means to reduce risk continuously, and how Red Hat is building trust in its own software supply chain using open source technologies.

Speakers
avatar for Emmy Eide

Emmy Eide

Director, Red Hat Product Security - Supply Chain, Red Hat
Emmy Eide started at Red Hat in May 2021, forming and then leading the group responsible for software supply chain security at Red Hat. Eide is from the Pacific Northwest in the United States and has been leading in security since 2011.



Thursday February 2, 2023 9:55am - 10:00am PST
Room 6AB

10:00am PST

Keynote: The Next Steps in Software Supply Chain Security - Brandon Lum, Software Engineer, Google
We've made a lot of progress in the realm of supply chain security in recent years! However, there is still much to do. A lot of efforts have been put into developing the "producing" aspects of the Software Supply Chain - SLSA, Tekton (and other build systems), Software Bill of Materials (SBOM). This has led to a much higher fidelity security metadata than we've ever seen. As we move forward, the "consuming" aspects of the Software Supply Chain will need to be developed.

Policy, Aggregation and Synthesis are key aspects of this side of the problem. We will share some ongoing open source effort to address them and highlight gaps within the space that need to be filled.

Speakers
avatar for Brandon Lum

Brandon Lum

OSS Security Software Engineer, Google
Brandon loves designing and implementing computer systems (with a focus on Security, Operating Systems, and Distributed/Parallel Systems). Brandon is a Co-chair of the CNCF Security TAG, and as a part of Google's Open Source Security Team, he works on improving the security of the... Read More →



Thursday February 2, 2023 10:00am - 10:15am PST
Room 6AB

10:15am PST

Sponsored Keynote: Kubernetes is the Perfect Platform for Enforcing Zero Trust Security - Fei Huang, VP Security Product Strategy, SUSE
Zero Trust security is a hot topic these days, in more than just cloud native deployments. But with most new applications and infrastructure development being done with cloud native tools and infrastructure, zero trust is the single most critical security strategy that should be employed to secure Kubernetes environments.

In this talk, Fei Huang, VP of Security Strategy at SUSE and co-founder of NeuVector, talks about what is a zero trust strategy built around cloud native, and where zero trust protections can be enforced with examples from the ecosystem.

Speakers
avatar for Fei Huang

Fei Huang

VP Security Product Strategy, SUSE
Fei Huang has a rich history in technology, including founding 2 startups, Sr. Architect / Director at Trend Micro, CloudVolumes, and VMware, co-founder of NeuVector, and currently VP of Security Strategy at SUSE. Fei holds several patents in security, virtualization and software... Read More →


Thursday February 2, 2023 10:15am - 10:20am PST
Room 6AB

10:30am PST

Coffee Break ☕
Thursday February 2, 2023 10:30am - 11:00am PST
Halls 6CE

10:30am PST

Solutions Showcase
This is the place to network, meet up, and learn more about companies that sponsor this event.

Thursday February 2, 2023 10:30am - 4:00pm PST
Halls 6CE

10:30am PST

Capture The Flag Experience
The Capture The Flag (CTF) experience runs concurrently to CloudNativeSecurityCon North America 2023!

To get started, either visit Room 615/616 or send a message to the CTF team via the #cnsecuritycon-ctf channel.
Want to know more about the CTF? Setup, objectives, and assistance details can be found here.

Delve deeper into the dark and mysterious world of Cloud Native security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Attendees can play three increasingly treacherous and demanding scenarios to bushwhack their way through the dense jungle of Cloud Native security. Everybody is welcome, from beginner to seasoned veteran, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!

Thursday February 2, 2023 10:30am - 4:30pm PST
Room 615/616
  Capture The Flag
  • Content Experience Level Any

11:00am PST

Journey to Cloud-Native, K8s and Trying to Secure It. - Graham E. Chukwumaobi, Independent
There are so many resources online about containers, Kubernetes, and Cloud security available to anyone who wants to know/learn about these technologies; this can be a good thing but can also be very confusing and chaotic, especially for people who are new to Cloud-Native and Open-source technologies/software. The first results returned by Google aren't usually the best for someone starting down their path in Cloud-Native Technology. It is even more challenging if you come from a very under-represented background in technology, where it is difficult to ask random people questions without feeling like a burden. This talk aims to guide newbies in their journey into Cloud-Native technologies such as Linux, containers, K8s, IaC, and securing clusters.

Speakers
avatar for Graham E. Chukwumaobi

Graham E. Chukwumaobi

Software Engineer, Smartsheet
Graham is a Cloud-Native and Cloud computing enthusiast focusing on learning more about the cloud and how best to secure the Cloud. After crossing paths with Cloud-Native technologies like K8s during his internship at ControlPlane in 2021, Graham went on to expand his knowledge of... Read More →


Thursday February 2, 2023 11:00am - 11:35am PST
Room 608
  101 Track
  • Content Experience Level Any

11:00am PST

Zero Trust in the Cloud with WebAssembly and WasmCloud - Kevin Hoffman, Cosmonic
Securing code running in the cloud has been a difficult problem to solve since before we called it "the cloud". With the advent of WebAssembly, we can leverage the intrinsic security and sandbox isolation offered by WebAssembly modules. Then we can layer on top cryptographic signatures and the verifiable capability model from wasmCloud to deploy secure, untrusted code and have total confidence in the security of applications built this way. In this session, we'll take a look at how WebAssembly itself adds multiple levels of security to traditional cloud computing with containers and microservices. Then we'll cover demonstrations of multiple levels of security enabled by wasmCloud.

Speakers
avatar for Kevin Hoffman

Kevin Hoffman

Chief Technology Officer, Cosmonic
Kevin has been building distributed applications throughout most of his career. He started with Cloud Foundry, worked his way through Kubernetes, and is now on the forefront of the WebAssembly revolution. He created the CNCF open source project wasmCloud, and is the co-founder and... Read More →



Thursday February 2, 2023 11:00am - 11:35am PST
Room 609
  Architecture + Identity + Multi-tenancy + Isolation
  • Content Experience Level Any
  • Presentation Slides Attached Yes

11:00am PST

Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detections - David Wolf & Joshua Smith, Devo
We analyzed more than 2,000 live cloud-based detections across hundreds of IaaS customers to identify common themes and defensive patterns that also revealed gaps in the typical enterprise control set. Our analysis set out to answer the question, where are enterprises investing in cloud controls, and where are the control weak points? Next, we applied the MITRE ATT&CK Cloud framework as a machine learning corpus to illustrate the attacker stories and detections required to detect, interrupt, and respond to cloud impact. By applying a novel approach to the verb and noun relationships of cloud infrastructure and workspaces, we were able to map attacker motives to actionable control stories in an approach that can be applied with any SIEM or big data solution powering the modern security operations center (SOC). Join us for a practical journey in learning how to strengthen the multi-cloud SOC, with lessons learned and actionable insights from a cloud detections engineering team.

Speakers
David Wolf

Security Researcher, Devo
David Wolf is a security architect and innovation researcher at Devo. In his latest research, David uses machine learning and artificial intelligence to highlight the detection and response differences across enterprise cloud infrastructure and workspaces. Previously, David was a...
Joshua Smith

Security Content Engineer, Devo
Joshua is a passionate information security engineer and researcher who figures out how to get a system to behave in a way it was not supposed to, so as to help secure it from future threats. He has spent a vast amount of his career finding new ways to secure systems in order to...



Thursday February 2, 2023 11:00am - 11:35am PST
Room 612
  Detections + Incidents + Response
  • Content Experience Level Beginner
  • Presentation Slides Attached Yes

11:00am PST

Learning from Supply Chain Failures and Best Practices in Other Industries - Demian Ginther, Superorbital, LLC
Supply chains are critical in many industries, but have only gained attention as vitally important in the software industry in the past couple of years. What can we learn from established supply chain best practices, and from the biggest failures in various industry supply chains? How can we apply that to our own work in securing our own critical infrastructure? In this talk we will discuss the evolution of supply chain processes in the physical world. We'll explore what parts of physical supply chains apply to our work, how they have been implemented in those paradigms, what sorts of failures can and have occurred, and how we can use the lessons learned in our own software supply chain pipelines.

Speakers
Demian Ginther

Distributed Systems Engineer, Superorbital, LLC
Demian Ginther is a long time sysadmin and operations engineer. He is passionate about security, devops, and automation.



Thursday February 2, 2023 11:00am - 11:35am PST
Room 613/614
  Supply Chains
  • Content Experience Level Any

11:00am PST

SBOMs, VEX, and Kubernetes - Kiran Kamity, Deepfactor; Jonathan Meadows, Citi; Dr. Allan Friedman, Cybersecurity and Infrastructure Security Agency; Andrew Martin, Control Plane; Rose Judge, VMware
Software supply chain security is rapidly becoming critical to overall security. Software Bill of Materials (SBOM) formats are standardizing around CycloneDX, SPDX, etc. VEX (Vulnerability Exploitability eXchange) is emerging as a standardized companion to SBOMs to help determine whether a vulnerability is actually exploitable in a given product. For Kubernetes app developers, how do we address the supply chain problem? This panel discusses the practical and operational aspects of gathering, using, and handling SBOMs for containers: both those running on Kubernetes and the underlying images that make up Kubernetes itself. We will cover use cases from open source projects, through vendors and cloud providers, to the use of SBOMs in highly regulated environments including financial services and critical national infrastructure. Panelists include experts and practitioners with deep expertise in SBOMs, VEX, supply chain security, and cloud native application security.

Speakers
Allan Friedman, PhD

Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency
Dr. Allan Friedman is Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency. He coordinates the global cross-sector community efforts around software bill of materials (SBOM) and related vulnerability initiatives and works to advance their adoption...
Kiran Kamity

Founder & CEO, Deepfactor
Kiran Kamity is the Founder & CEO of Deepfactor. He is a passionate serial Silicon Valley entrepreneur. Prior to Deepfactor, Kiran was the Head of product at Cisco Cloud BU, Founder/CEO at ContainerX (acquired by Cisco), and the Founder/VP at RingCube (acquired by Citrix). Kiran is...
Jonathan Meadows

Managing Director, Cyber Security, Citi
Jonathan Meadows is Managing Director, Cyber Security at Citigroup. Jonathan has extensive software engineering experience in the financial services industry and an in-depth knowledge of cyber security. Jonathan is focused on software supply chain security and has contributed to industry...
Andrew Martin

CEO, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...
Rose Judge

Senior Open Source Engineer, VMware
Rose Judge is a Senior Open Source Engineer at VMware where she co-maintains Tern, an open source container inspection tool that generates container SBOMs. Additionally, she is the chair of the Linux Foundation’s Automating Compliance Tooling Technical Advisory Council and regularly...



Thursday February 2, 2023 11:00am - 11:35am PST
Room 606/607
  Supply Chains
  • Content Experience Level Any

11:00am PST

Tutorial: How to Build a K8s Admission Controller from Scratch! - Stephen Giguere, Bridgecrew; Angela Gizzi, LaunchDarkly; Matt Johnson, Prisma Cloud by PANW
As policy as code becomes a ubiquitous part of our supply chain security strategy, admission controllers are a familiar element, designed to prevent unwanted, unsafe or insecure workloads from becoming persistent in our runtime Kubernetes environment. Many out-of-the-box admission controllers ship with Kubernetes, and third-party ones are available for a variety of policy-as-code flavours. But what is really happening under the covers? How difficult is it to create our very own admission controller? In this workshop you'll learn:
• The fundamentals of admission control
• How to install a simple local Kubernetes cluster
• How to build your own admission controller in Python

Pre-requisites: basic knowledge of Kubernetes and kubectl, fundamental knowledge of the Python programming language, and the ability to build Docker images. Bring your own laptop to follow the workshop live. The teacher will be using a laptop with macOS; a Linux environment also works, and Windows is discouraged but possible. This should be a fun and interactive workshop where by the end you'll have new knowledge of how admission control works and be on your way to understanding how other admission controllers work, such that you can become a valued contributor or continue to expand on the workshop to enhance your very own.
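
To show what the workshop builds, here is an added example (my own, not the instructors' workshop code) of a minimal validating admission webhook in Python using only the standard library. It parses an admission.k8s.io/v1 AdmissionReview, rejects Pods that are privileged, share host namespaces or run images that are not pinned to a tag or digest, and returns a response carrying the request's uid, which the API server requires. The policy rules, the listening port and the sample pod in the test are assumptions made for the example; TLS, which the API server insists on for webhooks, is left out.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def image_is_pinned(image: str) -> bool:
    """Digest references always pass; tag references pass unless the tag is missing or 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/repo so 'registry:5000/app' is not read as a tag
    return ":" in last and not last.endswith(":latest")


def find_violations(pod: dict) -> list:
    """Example policy (an assumption for this demo): no host namespaces, no privileged
    containers, every image pinned. Returns one human-readable reason per violation."""
    spec = pod.get("spec", {})
    violations = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            violations.append(f"pod sets {field}=true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        if (c.get("securityContext") or {}).get("privileged"):
            violations.append(f"container {name} is privileged")
        image = c.get("image", "")
        if not image_is_pinned(image):
            violations.append(f"container {name} image {image!r} is not pinned to a tag or digest")
    return violations


def review(admission_review: dict) -> dict:
    """Turn an AdmissionReview request into an AdmissionReview response.
    The uid must be echoed back or the API server discards the answer."""
    req = admission_review.get("request") or {}
    violations = []
    if (req.get("kind") or {}).get("kind") == "Pod":
        violations = find_violations(req.get("object") or {})
    response = {"uid": req.get("uid", ""), "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP front for review(); the API server POSTs the AdmissionReview as JSON."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            body, code = review(json.loads(self.rfile.read(length))), 200
        except (ValueError, KeyError):
            body, code = {"error": "malformed AdmissionReview"}, 400
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # The API server only calls webhooks over HTTPS: wrap this socket with ssl using a
    # certificate whose CA goes in the ValidatingWebhookConfiguration caBundle before real use.
    HTTPServer(("0.0.0.0", 8443), WebhookHandler).serve_forever()
```

Register it with a ValidatingWebhookConfiguration whose rules match CREATE and UPDATE on pods; note that the webhook sees the object after mutating webhooks have run, and that a failurePolicy of Ignore turns any outage of this server into an open door.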

Speakers
Angela Gizzi

Technical Marketing, Prisma Cloud by PANW
Angela is passionate about developer-first solutions and automation. She builds content and communities to bring technical practitioners the knowledge, open source tools, and products that best serve them. Outside of work, Angela spends her days rescuing and caring for animals. She...
Stephen Giguere

Developer Advocate, Bridgecrew
Steve started his cybersecurity life by being kicked out of his high school computing class for privilege escalation on the school linux system and changing all passwords to "peaches" (his dog's name). But that was a long time ago. Since then he has experienced a wide breadth of technologies...
Matt Johnson

Lead Developer Relations, Prisma Cloud by PANW
Matt Johnson (@metahertz) is a Cloud Security Advocate for Prisma Cloud (Formerly Bridgecrew.io). Based in not-so-sunny Manchester, UK, he helps DevOps teams simplify, automate and improve their infrastructure security. Coming from a security and platform automation background, he’s primarily focused on next-generation infrastructure, including serverless, edge compute, and Kuberne...



Thursday February 2, 2023 11:00am - 12:25pm PST
Room 602/603

11:50am PST

Handling JWTs: Understanding Common Pitfalls - Bruce MacDonald, InfraHQ
If you use JSON web tokens (JWTs) for authentication, handling them securely is your first and last line of defense. However, properly using JWTs can be confusing. Even if you follow the specification you may still be vulnerable to some attacks. In this talk Bruce will give a friendly introduction to JWTs and how to work with them in your application. We will cover what is in a JWT, and how to make sure you can trust it. Once we understand the basics, Bruce will demonstrate some common pitfalls in signature algorithm confusion and secret brute forcing. Finally, Bruce will cover JWT verification and security practices that will ensure you can trust your JWTs.
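
The pitfalls the abstract names can be made concrete. The following is an added example written for this page (not the speaker's code and not any JWT library's API) using only the Python standard library: an issuer that signs HS256 tokens; a naive verifier that trusts the token's own alg header and therefore accepts a forged alg=none token; a hardened verifier that pins the algorithm, compares signatures in constant time and enforces exp; and an offline dictionary attack that recovers a weak HMAC secret. The secrets, claims and candidate passwords are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way a well-behaved issuer does: HMAC-SHA256 over header.payload."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker's token: header claims alg=none, payload is whatever they like, empty signature."""
    return _json_b64({"alg": "none", "typ": "JWT"}) + "." + _json_b64(claims) + "."


def _hs256_signature_matches(header_b64: str, payload_b64: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, b64url_decode(sig_b64))  # constant-time comparison
    except (binascii.Error, ValueError):
        return False


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """PITFALL: lets the token's header choose the algorithm, so alg=none skips the check entirely."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256" and _hs256_signature_matches(header_b64, payload_b64, sig_b64, secret):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened: the verifier pins the algorithm, checks the MAC in constant time and enforces exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (binascii.Error, ValueError):
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    if not _hs256_signature_matches(header_b64, payload_b64, sig_b64, secret):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None  # a missing or past expiry is a failure, not a pass
    return claims


def brute_force_secret(token: str, candidates: list) -> Optional[bytes]:
    """Offline guessing against an HS256 token: a short or dictionary secret falls at once,
    and nothing on the server side sees the attempts."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    for candidate in candidates:
        if _hs256_signature_matches(header_b64, payload_b64, sig_b64, candidate):
            return candidate
    return None
```

The same pinned-algorithm rule defeats the RS256-to-HS256 confusion, where a verifier that lets the token choose the algorithm ends up using the server's public RSA key as an HMAC secret. And because each offline guess costs the attacker nothing observable, HS256 secrets have to be long random values, never passwords.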

Speakers
Bruce MacDonald

Software Engineer, InfraHQ
Bruce is a software engineer currently working on infrastructure security and access management. He has experience in a wide range of fields from enterprise software to augmented reality hardware.



Thursday February 2, 2023 11:50am - 12:25pm PST
Room 608
  101 Track
  • Content Experience Level Any
  • Presentation Slides Attached Yes

11:50am PST

Good Fences Make Good Neighbors: Making Cross-Namespace References More Secure with ReferenceGrant - Nick Young, Isovalent
The Kubernetes security model is very reliant on namespacing for enclosing trust boundaries. But what happens when a resource or set of resources needs to cross those trust boundaries? How can we be confident that both parties in cross-namespace communications agree to the relationship between objects? In the SIG-Network Gateway API subproject, we've found that this is a little tricky. The answer is that both parties have to agree: the owner of the resources in the target namespace has to agree to someone outside their control accessing their stuff, and the resource that wants to refer to that stuff has to explicitly ask. Come and learn about the solution the Gateway API subproject of SIG-Network has put in place, the ReferenceGrant resource, how it works, and how it can be used to ensure that a cross-namespace reference is agreed to by both parties. We've also used variants of the same approach in other parts of the Gateway API, and this talk will explain those as well. You will come away with some knowledge of the ReferenceGrant resource, the history behind it, and how it fits into the Gateway API.
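
As an added example (not the speaker's material and not copied from the Gateway API project), here is the two-sided agreement in manifest form. It assumes an HTTPRoute in a namespace called web that wants to send traffic to a Service named api in a namespace called backend, attached to a Gateway named shared-gateway in an infra namespace; all of those names and the port are assumptions.

```yaml
# The asking side: a route in "web" that explicitly names a backend in another namespace.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: web-route
  namespace: web
spec:
  parentRefs:
    - name: shared-gateway
      namespace: infra
  rules:
    - backendRefs:
        - name: api
          namespace: backend   # cross-namespace reference: needs consent from "backend"
          port: 8080
---
# The consenting side: lives in the target namespace, so only its owners can create it.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-web-routes-to-api
  namespace: backend
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: web          # who may refer in
  to:
    - group: ""
      kind: Service
      name: api               # omit "name" to allow any Service in this namespace
```

Without the grant, a conforming implementation leaves the route's ResolvedRefs condition False with reason RefNotPermitted and sends no traffic, rather than silently serving. The grant is per-kind and per-source-namespace, so a separate entry is needed for, say, a TLSRoute or a route in a third namespace. The Gateway's own listener field allowedRoutes.namespaces is the same consent idea in the other direction: the Gateway owner states which namespaces may attach routes to it.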

Speakers
Nick Young

Senior Systems Engineer, Isovalent
Nick has been working to prevent the entropic downfall of systems for 20 years, across Windows and Linux, datacenters and clouds, networking, storage and compute. Currently he's a Senior Software Engineer at Isovalent, and a maintainer on the Kubernetes Gateway API project, where...



Thursday February 2, 2023 11:50am - 12:25pm PST
Room 609
  Architecture + Identity + Multi-tenancy + Isolation
  • Content Experience Level Beginner
  • Presentation Slides Attached Yes

11:50am PST

CSI Container: Can You DFIR It? - Alberto Pellitteri & Stefano Chierici, Sysdig
Digital Forensics and Incident Response (DFIR) capabilities are crucial to quickly containing the impact of an incident and preventing a cyberattack from becoming a cyber crisis. When criminals get into your environment, it is crucial to apply well-defined DFIR techniques in order to minimize the incident's impact. However, identifying and containing an incident was challenging enough in virtual machines; now that containerized applications are mainstream it is even more difficult. Following a brief introduction to DFIR and its importance, we will compare the traditional DFIR approach in on-premises infrastructure with the new approach needed for containers. This will provide a better understanding of how needs and challenges have changed, particularly from the Kubernetes perspective. In addition, after a practical demonstration, the audience will get a clear picture of the best practices to adopt during the response phase, such as storing the evidence of a compromised pod remotely, highlighting and extracting the filesystem changes, and much more. To close out, we will discuss how DFIR is evolving in Kubernetes, covering the latest Kubernetes features and what capabilities they bring to forensics and incident response.

Speakers
Alberto Pellitteri

Security Engineer, Sysdig
Alberto Pellitteri is a security engineer with a speciality in Kubernetes and Docker technologies. Currently a security engineer at Sysdig, Alberto researches malware and attacks that target cloud infrastructure and vulnerable environments. As a contributor to open source projects...
Stefano Chierici

Threat Research Lead Manager, Sysdig
Stefano Chierici is a security researcher at Sysdig, where his research focuses on defending containerized and cloud environments from attacks ranging from web to kernel. Stefano is one of the Falco contributors, an incubation level CNCF project. He studied cyber security in Italy...



Thursday February 2, 2023 11:50am - 12:25pm PST
Room 612

11:50am PST

Delivering Secure Healthcare Applications with OSS - Robert Wood, Centers for Medicare and Medicaid Services (CMS) & Gedd Johnson, Defense Unicorns
Every year the Centers for Medicare and Medicaid Services (CMS) spends thousands of engineering hours to ensure its hundreds of applications are compliant with healthcare-specific security controls. The vast majority of this work is redundant across app teams and the complexity is magnified due to a lack of standardization amongst deployment strategies and technology decisions. This talk will highlight the effectiveness of using exclusively OSS to build, deploy and accredit a secure, standardized K8s-based platform in regulated cloud environments at CMS. The presentation will cover OSS technical implementation, how it achieves security requirements and the culture change that is necessary to utilize open source effectively. The goal of this talk is to share, collaborate, and learn how open source software enables teams to deliver secure, OSS platforms in regulated environments.

Speakers
Robert Wood

Chief Information Security Officer, Centers for Medicare and Medicaid Services (CMS)
Robert Wood is the Chief Information Security Officer for the Centers for Medicare and Medicaid Services (CMS). He leads enterprise cyber security, compliance, privacy, and counter intelligence functions at CMS. Mr. Wood has over 10 years of experience in IT, cybersecurity and management...
Gedd Johnson

Software Engineer, Defense Unicorns
Gedd Johnson is a software engineer and tech lead at Defense Unicorns. He is building and architecting an open source, K8s-based platform for the Centers for Medicare and Medicaid Services. Prior to Defense Unicorns, Gedd worked as a software engineer at Creditshelf where he migrated...



Thursday February 2, 2023 11:50am - 12:25pm PST
Room 613/614
  GRC
  • Content Experience Level Any

11:50am PST

Self Healing GitOps: Continuous, Secure GitOps Using Argo CD, Helm and OPA - Upkar Lidder, Tenable
Argo CD empowers the community to adopt GitOps for K8s. Argo CD triggers automated operations for cluster reconciliation by monitoring changes in git for images and artifacts such as Helm Charts. While Argo CD enables hyper-automation for cluster deployment, how can teams ensure they aren't slowed down by requirements such as security, privacy, and compliance? In this talk, Upkar Lidder will discuss how to leverage the power of the Open Policy Agent to automate the delivery of secure, compliant deployments. Argo CD with OPA can ensure that any Helm charts and container images to be deployed are compliant with the established policies. Upkar will also demonstrate a new approach of self-healing GitOps to the community which leverages OPA's Rego language to remediate risks and violations on the fly.

Speakers
Upkar Lidder

Senior Product Manager, Tenable
Upkar Lidder is a senior product manager with 10+ years in IT development including team management, functional and technical leadership roles with a deep experience in full stack technology. Upkar is currently focused on Security and DevSecOps in ShiftLeft, Containers and Cloud Native...



Thursday February 2, 2023 11:50am - 12:25pm PST
Room 606/607
  Supply Chains
  • Content Experience Level Any

12:25pm PST

Lunch 🍲
Thursday February 2, 2023 12:25pm - 1:55pm PST
Halls 6CE

12:25pm PST

🦝 TAG Security Lunch
Meet up and get to know the Security TAG for a casual networking lunch. Grab your lunch from the Solutions Showcase and join us at the reserved tables.

Thursday February 2, 2023 12:25pm - 1:55pm PST
Halls 6CE

1:55pm PST

🦝 Security Threat Modeling Live from Scratch Session - Andrew Martin, Control Plane
What does a threat model look like? How do you go about doing one? At TAG Security, we’ve developed a lightweight threat model to let projects easily go through the exercise of modeling their project. In this session, we will have a hands-on exercise and create a threat model for the CNCF project using the lightweight model we’ve developed!

Speakers
Andrew Martin

CEO, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...


Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 608
  101 Track

1:55pm PST

Solving Multi-Service Without a Service Mesh - Evan Anderson, VMware
Kubernetes is famously a "platform for building platforms". In this talk, we will unpack the primitives Kubernetes provides for enabling microservices to communicate securely with each other without relying on a service mesh. Together, we'll explore how technologies like NetworkPolicy, token projection, API gateways, cert-manager, and language runtimes play poorly or nicely together. We'll cover authentication options, encryption, rate limiting, multi-tenant infrastructure services, and the interplay between L4 and L7 features, with an eye on compliance as well as developer ease of use. Drawing on his experience as Knative Security Working Group lead and his background solving application runtime challenges on Kubernetes, Evan will teach participants how to build without a service mesh, as well as give a deeper understanding of the value that service meshes provide.
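
As an added example (not from the talk), two of the primitives the abstract lists in manifest form: a projected, audience-bound, short-lived service account token that a web workload presents to an api service, so a token lifted from one service cannot be replayed against another service or against the API server, and a NetworkPolicy that admits traffic to api only from labelled pods in the web namespace. Namespaces, labels, images and ports are assumptions.

```yaml
# Caller side: the token is minted for audience "api" only and rotated by the kubelet.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: web
  labels:
    app: web
spec:
  serviceAccountName: web
  automountServiceAccountToken: false   # no API-server token unless the pod actually needs one
  containers:
    - name: web
      image: ghcr.io/example/web:1.0.0
      volumeMounts:
        - name: api-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
  volumes:
    - name: api-token
      projected:
        sources:
          - serviceAccountToken:
              path: api-token
              audience: api              # aud claim the callee must check
              expirationSeconds: 600     # the minimum allowed; kubelet refreshes before expiry
---
# Callee side: L4 allow-list, so only web pods in the web namespace can even open the socket.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-ingress
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: web
          podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080
```

The api service validates the bearer token with a TokenReview whose spec.audiences is ["api"]; a token minted for a different audience, or the pod's default API-server token, fails that check even though the same issuer signed it. The NetworkPolicy only takes effect if the CNI enforces it, and an absent policy means allow-all, so the first policy in a namespace is the one that flips the default.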

Speakers
Evan Anderson

Software Engineer, VMware, Inc
Evan Anderson is a software engineer focused on serverless and cloud-native software systems at VMware. He is one of the founders of the Knative project, and a member of the Knative Technical Oversight Committee. Prior to Knative, he worked on cloud at Google for 10 years. Outside...



Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 609

1:55pm PST

The Four Golden Signals of Security Observability - Duffie Cooley, Isovalent
Migrating to Kubernetes has exposed significant gaps in the security observability of running workloads. This gap in visibility not only provides a major advantage to sophisticated threat actors; it is a serious disadvantage to cluster operators as well. Without security observability, an attacker can achieve and maintain a persistent foothold in your cluster, indefinitely and invisibly. Observability tools today collect metrics and event data, but how do we provide insights for threat detection, or help create a least-privilege security policy for your workloads? We'll answer these questions by introducing the "Four Golden Signals of Security Observability." These signals are essential to understanding your cloud-native environment's behavior:
1. Process Execution
2. Network Sockets
3. File Access
4. Layer 7 Network Identity
Using eBPF, we can provide native visibility in the kernel for your workloads and close the visibility gap that cluster operators face by collecting security observability data. This talk will also walk through each of the "Four Golden Signals" to detect a real-world attack in real time using eBPF-based open source tools such as Cilium's Hubble and Tetragon.

Speakers
Duffie Cooley

Field CTO, Isovalent
Duffie is Field CTO at Isovalent focused on helping enterprises find success with Cilium and modern security tooling. Duffie has been working with all things systems and networking for 20 years and remembers most of it. A student of perspective, Duffie is always interested in working...


Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 612

1:55pm PST

Container Factory for Aerospace & Defense Enterprises - Sarah Miller & Melissa Robertson, Collins Aerospace
Learn how Melissa and Sarah are developing a container factory that helps Collins Aerospace software teams meet the governance and compliance rules and regulations for building safety- and security-critical software. Melissa and Sarah will go over the challenges they are facing and how they are overcoming some of them when working with compliance auditors. Sarah will share how Collins is looking to move cybersecurity authorizations from a risk management focus to an active cyber defense focus. Melissa will share how she has integrated automatic document generation for compliance reviews and a vision to transition to virtual dashboards. Their goal is to remove the hardships that institutional practices create for Collins Aerospace developers by rethinking how compliance is achieved in cloud native environments.

Speakers
Sarah Miller

Technical Fellow, Collins Aerospace
Sarah Miller, PE, is a Technical Fellow in software engineering at Collins Aerospace currently leading the Digital Engineering transformation for Mission Systems. With over 25 years' experience, Sarah developed communications products specializing in cryptographic device embedment...
Melissa Robertson

Sr. Software Engineer, Collins Aerospace
Melissa Robertson is a Senior Software Engineer developing container pipelines supporting DevSecOps in Mission Systems for Collins Aerospace. She has a BS in Computer Science from the University of South Alabama and has been working in the software domain for the past 13 years. She...



Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 613/614
  GRC

1:55pm PST

Spicing up Container Image Security with SLSA & GUAC - Ian Lewis, Google
Understanding and verifying the content of images that you deploy in production environments is difficult and error prone. Images could be built in an insecure environment, by a malicious actor, or include dependencies that are insecure. Users often don't have enough information to determine whether images are trustworthy. Two new tools can help: Supply chain Levels for Software Artifacts (SLSA), and Graph for Understanding Artifact Composition (GUAC). In this talk attendees will learn how to add SLSA provenance metadata to their container images and strongly link images back to their source code on multiple build systems, including GitHub Actions and Google Cloud Build. We will also cover how to verify images and their metadata before use, both when running locally and when running images in Kubernetes. Using policy engines like Kyverno and Sigstore policy-controller, we can verify an image's source code repository, builder identity, build entry points, and more to protect production environments from malicious images. Finally we'll discuss how to understand your image's supply chain using GUAC, and how combining SLSA with GUAC gives a better picture of the contents and build provenance of your images from the base layers on down.
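
As an added example (not the speaker's material and not a verbatim copy of Kyverno's documentation), this Kyverno ClusterPolicy admits a Pod only if its image carries a SLSA v0.2 provenance attestation that was signed keylessly by the slsa-github-generator container workflow and recorded in Rekor, and only if that provenance says the image was built from an expected repository tag and workflow entry point. The image pattern ghcr.io/example/app, the repository, the tag, the entry point path and the generator version v1.4.0 are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-slsa-provenance
spec:
  validationFailureAction: Enforce     # Audit would only log the failure
  webhookTimeoutSeconds: 30            # Rekor and registry lookups take longer than the default
  rules:
    - name: verify-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example/app*"
          attestations:
            - type: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keyless:
                        # The builder identity: the reusable workflow, pinned to a release tag.
                        subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.4.0"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
              conditions:
                - all:
                    # Fields of the provenance predicate: where the build was told to start from.
                    - key: "{{ invocation.configSource.uri }}"
                      operator: Equals
                      value: "git+https://github.com/example/app@refs/tags/v1.0.0"
                    - key: "{{ invocation.configSource.entryPoint }}"
                      operator: Equals
                      value: ".github/workflows/release.yml"
```

The attestor proves who built the image; the conditions prove what they were asked to build. Checking only one of the two is the usual mistake: a valid signature from the generator on provenance for the wrong repository still passes the first check, and provenance naming the right repository but signed by nobody in particular still passes the second. Note that the policy also rewrites matching image references to their digests on admission, so the verified artifact is the one that runs.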

Speakers
Ian Lewis

Developer Relations Engineer, Google
Ian is an engineer at Google working on Supply Chain Security. Ian has been living in Tokyo since 2006 and has had various developer and operations roles throughout his career while staying active in the open-source developer community. Ian is a contributor to the SLSA framework and...


Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 606/607
  Supply Chains

1:55pm PST

Tutorial: Hands-on Hacking Kubernetes and Ways to Prevent It - Eric Smalling, Snyk
Vulnerability exploits too often seem like empty threats that our security teams warn us about, but not something that would ever happen to my code! Join me in this hands-on workshop where we will walk through a remote code execution exploit and then talk about the steps you can take to mitigate the attack. If you want to participate in the hands-on hacking, a container runtime environment pre-installed on your laptop (e.g. Docker Desktop) is encouraged.

Speakers
Eric Smalling

Senior Developer Advocate, Snyk
Eric is a 30+ year enterprise software developer, architect, and consultant with a focus on CI/CD, DevOps, and container-based solutions over the last decade. He is a Docker Captain, is certified in Kubernetes (CKA, CKAD, CKS), and has been a Docker user since 2013. As a Senior Developer...


Thursday February 2, 2023 1:55pm - 3:20pm PST
Room 602/603

2:45pm PST

🦝 A Sneak Peek Into Security Reviews with the Community - Ragashree MC, Carnegie Mellon University
In this talk, we explore the need for open source security reviews, how they differ from audits, and how they are used. We will share the TAG's contributions to the upcoming Security guide and provide a sneak peek into its contents. Finally, we also start the dialogue on how to get on board and involved in the development of this guide.

Speakers
Ragashree MC

Student, Carnegie Mellon University
Ragashree M C is a Security professional with 4+ years of industry experience. She is an active member of open-source security forums such as CNCF and OWASP, and is currently serving the Cloud Native Computing Foundation Security Technical Advisory Group (TAG) as a technical lead...


Thursday February 2, 2023 2:45pm - 3:20pm PST
Room 608
  101 Track

2:45pm PST

Taming Attestation for the Cloud Native World with Parsec - Paul Howard, Arm
As compute continues to move to the edge, there is an increasing need for compute nodes that are outside of the managed cloud to authenticate and communicate securely with cloud services. The need to achieve this across a diverse ecosystem of devices creates a bewildering problem for the industry. Hardware-backed security is a must when devices are in tamper-prone environments. Parsec, in the CNCF sandbox, has tamed the problem of managing keys and secrets in these various devices, creating the convenient and portable interface to a strong, hardware-backed device identity. But a key isn't always enough. Sometimes there is a need also to prove that the key was created within the device, and that the device itself is composed of an approved combination of hardware, firmware and software, booted to a known-good configuration. This is commonly known as attestation. But attestation brings its own set of portability challenges, with platform-specific APIs, flows and data formats. The advent of confidential computing adds an extra dimension of complexity as well. In this talk, you will learn how Parsec is now primed to create the portable, cloud-native approach to attestation on any platform for a variety of use cases, including secure channel bootstrap with enhanced TLS handshakes.

Speakers
Paul Howard

Principal System Solutions Architect, Arm
Paul Howard is a Principal System Solutions Architect in the Architecture and Technology group at Arm, based in Cambridge, UK. Paul joined Arm in 2018 from a software engineering background. His focus at Arm is on better-together stories for hardware and software across cloud, edge...



Thursday February 2, 2023 2:45pm - 3:20pm PST
Room 609
  Architecture + Identity + Multi-tenancy + Isolation

2:45pm PST

Do This, Not That – Lessons from 7 Headline Grabbing Security Breaches - Maya Levine, Sysdig
What leads to a cloud security breach? Misconfigurations, exposed APIs, cryptojacking, and more. Attacker motivations haven't changed much, but their methods have adapted to new technologies. As a defender, you must adapt too. In this talk, we walk through 7 examples of real cloud breaches, discuss what went wrong, why it was interesting, and what you can do to avoid ending up on such a list. Learn about the differences between cloud and on-premise threats and breaches. What has changed? Are certain attack methods more prevalent, attractive, or easy to execute in the cloud? Why? What are the high-level cloud attack trends (and defenses), and how do you cope? Each of the 7 breaches we discuss involves cloud infrastructure. We will highlight a particular attack pattern, response pattern, or other interesting element that can give insight into how to better protect ourselves in cloud environments. You won't hear general "lock your stuff down" guidance; each scenario will have a specific takeaway so you avoid a similar pitfall.

Speakers
Maya Levine

Product Manager, Sysdig
Maya Levine is a Product Manager for Sysdig. She is passionate about effective cloud native security. Previously she worked at Check Point Software Technologies as a Security Engineer and later a Technical Marketing Engineer, focusing on cloud security. Her earnest and concise...



Thursday February 2, 2023 2:45pm - 3:20pm PST
Room 612
  Detections + Incidents + Response
  • Content Experience Level Any

2:45pm PST

12 Essential Requirements for Policy Enforcement and Governance with OSCAL - Robert Ficcaglia, SunStone Secure, LLC
An effective policy framework provides governance capabilities to Kubernetes and cloud native applications. Policy-as-code artifacts provide visibility and drive remediation for various security and configuration aspects to help Developers and Operators meet their security and compliance requirements. Working with the Kubernetes Policy Workgroup, cloud providers and tool maintainers have signaled support for OSCAL. OSCAL is a NIST control assessment syntax and model framework providing a standard set of schema for control catalogs, customization and parameterization, assessment and reporting. Using OSCAL as a model schema for control definition, we discuss the specifics of policy enforcement and management in a multi-cluster, multi-cloud environment for seamless traceability across technical configuration, organization security standards and external regulatory compliance requirements. We break down 12 specific requirements and policy-as-code practices in a highly fluid multi-cluster operating environment. Join this hands-on, live demo session to understand the battle-tested use cases, architecture, and practical implementation details, and the deployment and operational levers for managing control implementation, policy generation and assessment, and compliance reporting.

Speakers
Robert Ficcaglia

CTO, SunStone Secure, LLC
Robert Ficcaglia is CTO of SunStone Secure, a virtual CISO and Compliance Advisory firm, and also serves as the Kubernetes Policy Workgroup Co-Chair, CNCF Security Technical Advisory Group (TAG) Lead Assessor, and member of the Kubernetes Security Special Interest Group (SIG-security...



Thursday February 2, 2023 2:45pm - 3:20pm PST
Room 613/614
  GRC

2:45pm PST

Modifying the Immutable: Attaching Artifacts to OCI Images - Brandon Mitchell, BoxBoat, an IBM Company
Images are now being pushed to OCI registries with more and more metadata, including attestations, signatures, and SBOMs. What is involved in adding your own artifacts? This talk walks through how OCI recently standardized the process, and describes how additional data can be added to an image without modifying its immutable digest. You'll learn how tooling can ship SBOMs alongside images, both for the vendor generating the SBOM and the user searching for it. This talk will also cover many of the gotchas you may encounter when implementing this yourself.

Speakers
Brandon Mitchell

Senior Solutions Architect, BoxBoat, an IBM Company
Brandon Mitchell is a Senior Solutions Architect for BoxBoat, an IBM company, Docker Captain, OCI Maintainer, and maintainer of various OSS projects. He focuses on defining specs in OCI, improving software supply chain security, and implementing reproducible builds for container images...



Thursday February 2, 2023 2:45pm - 3:20pm PST
Room 606/607
  Supply Chains

3:20pm PST

Coffee Break ☕
Thursday February 2, 2023 3:20pm - 3:50pm PST
Halls 6CE

3:50pm PST

Securing the Superpowers: Who Loaded That EBPF Program? - John Fastabend & Natalia Reka Ivanko, Isovalent
eBPF has become an increasingly popular technology for building all sorts of tools, from networking CNIs to security tools. eBPF has the ability to inspect nearly any kernel data structure and modify network packets and, in some configurations, even user space data. It has recently become cross-platform with a Windows runtime and is now widely available on most Linux distributions and cloud platforms. It even has users at Black Hat (Black Hat USA 2021: With Friends Like eBPF, Who Needs Enemies?) and DEF CON exploring potential malicious uses of eBPF. Precisely because it is so powerful it is incredibly useful, but it raises the question of who is watching eBPF. The Linux kernel community has been building a solution to securely monitor and enforce who can load eBPF programs and what kind of programs are allowed to be loaded on any given system. In this talk we discuss a design for eBPF auditing and security and use Tetragon (an open source eBPF-based security tool) to show an implementation. This will show security teams how to restrict what gets loaded on a Linux system and who is allowed to use it, as well as how to create an audit log and time series database so we can go back in time to answer the "who did what, when" type of questions that cannot be answered today.

Speakers
John Fastabend

Software Engineer, Isovalent
John Fastabend is the creator of Tetragon and current project lead as well as a Cilium maintainer. He is a long time kernel contributor and maintainer working on BPF from the early days of its creation and is the listed maintainer for various networking subsystems and drivers. He...

Natalia Reka Ivanko

Security Product Lead, Isovalent
Natalia Reka Ivanko is a Security Product Lead at Isovalent with a strong background in container and cloud native security. She is passionate about building things that matter and working with kernel and software engineers to develop and apply security best practices. She is inclined...



Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 608

3:50pm PST

When SysAdmins Quit: Protecting Kubernetes Clusters When the Owner of Multiple Admin KUBECONFIGs Quits - Arun Krishnakumar, VMware
Suppose there is a sysadmin who owns a few dozen Kubernetes clusters. They have access to the VMs of the cluster. They also naturally have access to the admin KUBECONFIG files for each of the clusters. Suppose they quit and make a copy of these KUBECONFIG files. If the api-server of any of the clusters is accessible, there is a serious problem. Suppose there is a non-admin KUBECONFIG user and suppose they quit or change teams. We have a similar requirement of removing access to the cluster for that user as well. These are real world problems that are faced by customers who want us to provide guidance and best practices in this matter. Ideally we would like to revoke access for these users with minimal interruption to the cluster. In this talk we will discuss the problem of revoking access to clusters in general, at both the admin level and the user level. This will include removal of access to resources of interest and the parts of the certificate chain-of-trust that need to be changed. We will discuss how our customers can make use of these schemes and cleanly remove users from the cluster. We will also discuss prerequisites for setting up a cluster that is amenable to the solution, as well as general gaps in our current implementation and in the wider Kubernetes ecosystem.

Speakers
Arun M. Krishnakumar

Cloud Architect, VMware Inc
Arun has been working with Kubernetes since 2016 initially building Data Science and ML platforms at a time when Docker would not always play well with Kubernetes and GPU support was new. Recently Arun has been at VMware working on a KaaS engine for their Multi-Tenant provider named...



Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 609

3:50pm PST

Container Patching: Making It Less Gross Than the Seattle Gum Wall - Greg Castle & Weston Panther, Google
A goal like “Production containers are patched within FedRAMP timelines” is a seemingly impossible task for many organizations. What containers do we have? Who owns them, and how can we get them patched that fast? We’ll talk about our patching strategy of “Prevent, Detect, Fix, Monitor”, discuss the open source tools available to help in each of those steps, and share lessons learned from our customers and our own patching program. Prevention narrows the funnel: standardized images, slimming images, separating build deps, allowlisting registries, and container promotion policies all help. On detection we’ll cover discovery, recent vuln detection advances, and opportunities to reduce noise. Fixing is about automating ownership discovery, fix sequencing, and the release process. Monitoring glues it all together: prioritize fixes and investigate gaps to meet your SLO.

Speakers
Greg Castle

GKE Security Tech Lead, Google
Greg is the tech lead for the Google Kubernetes Engine (GKE) security team and has been contributing to K8s security since 2017. He founded the K8s Container Identity Working Group and led GKE team members who built K8s OIDC support, Secrets Encryption, RuntimeClass, and more. Greg...

Weston Panther

Staff Software Engineer, Google
Weston is the tech lead for the GKE Vulnerability Management team, where he is responsible for implementing patching processes to ensure GKE's infrastructure is free of vulnerabilities. Prior to Google, Weston worked on EC2's infrastructure automation at AWS. He holds a Master's in...



Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 613/614

3:50pm PST

🦝 TAG Security Cloud Native Security Whitepapers Overview - Shlomo Zalman Heigh, CyberArk
There are many aspects of Cloud Native Security, and it can be daunting to approach. To help security practitioners understand cloud native security, TAG Security has published multiple whitepapers and reference architectures to help provide context on securing cloud native infrastructure. In this talk, we will go through what’s out there and coming up, including the Cloud Native Security Whitepaper, Supply Chain Security best practices and reference architecture, the Zero Knowledge whitepaper, as well as the Cloud Native Security Controls mapping. We hope that this session will lighten the pathways into cloud native security for all.

Speakers
Shlomo Zalman Heigh

Senior Software Engineer, CyberArk
Shlomo is a senior software engineer at CyberArk. He's a core maintainer of the Conjur open source project, a DevSecOps secrets manager that aims to solve the problem of secret leakage in production applications and workloads running on-prem or in the cloud. He's also a member of the...



Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 602/603
  Security Education + Teaming

3:50pm PST

Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore - Zachary Newman, Chainguard, Inc. & Marina Moore, New York University
It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. This means that you’ll treat a signature from evil@hacker.com the same as a signature from yourself! We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Zachary Newman will show how you can answer that question, securely. First, use Sigstore to make signing easy. Then, use CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. Cut through the hype and see how to sign software in order to increase security. Learn what signing can do—and what it can’t. With this knowledge, you can design appropriate verification policies for your project or organization. You’ll also learn how the open source software repositories you depend on are adopting these techniques to ensure that the code you download comes from the authors you expect.

Speakers
Zachary Newman

Software Engineer, Chainguard, Inc.
Zack is passionate about developer tooling, supply chain security, and applied cryptography. After 4 years as a software engineer and tech lead on Google Cloud SDK, he moved to MIT CSAIL to research authenticated data structures and Tor network performance. Now, as a software engineer...

Marina Moore

PhD Candidate, New York University
Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab focusing on secure software updates and software supply chain security. She is a maintainer of TUF, a CNCF graduated project, as well as Uptane, the automotive variant of TUF. She contributed to the updated TAG Security...



Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 612
  Supply Chains

3:50pm PST

Security That Enables: Breaking Down Security Silos in the DevOps Ecosystem - Saurabh Wadhwa, Uptycs
This talk addresses two core themes: First, the rise in attackers targeting developers and container image repositories to access pre-production resources. Second, good security should enable DevOps teams to better perform their role, secure builds, and remove the stigma that security = roadblocks. First, we break down how traditional CI/CD workflows are siloed from a security tooling perspective. Siloed security tools create gaps when developer ecosystems are targeted, as it’s difficult to trace attackers across environments. Monitoring a developer’s laptop may be completely isolated from the security data from registry scanning, which in turn may be completely isolated from monitoring runtime services. Second, a walkthrough breaking down the step-by-step flow of the recent Dropbox breach where attackers targeted developers and ultimately stole 130 GitHub repositories. This will be a deep dive into how the attackers targeted developers by impersonating CircleCI, with the ultimate goal of stealing GitHub repos and accessing backend infrastructure. And third, we end with a more positive look at how the right security controls (zero-trust access and registry scanning) in the CI/CD process enable developer teams to better perform their roles and more confidently deploy builds.

Speakers
Saurabh Wadhwa

Senior Solutions Engineer, Uptycs
Saurabh is a Senior Solutions Engineer at Uptycs focusing on securing cloud and container workloads. Saurabh has been passionate about working in the cybersecurity industry for the last 11+ years having worked in the UEBA, SIEM, Threat Intelligence, XDR, and CSPM spaces. He graduated...



Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 606/607
  Supply Chains
  • Content Experience Level Any

4:40pm PST

CNI or Service Mesh? Comparing Security Policies Across Providers - Rob Salmond, SuperOrbital & Christine Kim, Google
Up or down the network stack? Kernel space or userland? How about a side order of sidecars? Would you like eBPF with that? The Cilium project began life concerned with enforcing policies at the CNI level, while Linkerd2 and Istio provided policy enforcement by way of sidecar injection. Now Cilium and Linkerd2 have added support for Layer 7 policies, while Istio has introduced a sidecarless model that pushes some of its policy enforcement out of the pod and back onto the node. And everyone is adding a pinch of eBPF for good measure! This talk will briefly summarize these technologies, explore recent changes in popular cloud native networking solutions, compare their implementations, and highlight the trade-offs.

Speakers
Rob Salmond

Trainer, SuperOrbital
Rob Salmond is an experienced SRE who currently leads training at SuperOrbital where he teaches people to use Kubernetes, Istio, and cloud native technologies. Blocked by Mark Hamill for refactoring his YAML with OCaml.

Christine Kim

Developer Programs Engineer, Google
Christine Kim is a Developer Programs Engineer at Google, where she dabbles in the world of Kubernetes and Service Meshes. She absolutely did NOT take down production that one time. That is hearsay.



Thursday February 2, 2023 4:40pm - 5:15pm PST
Room 608

4:40pm PST

Security++: Hide Your Secrets via a Distributed Hardware Security Module - Iris Ding & Malini Bhandaru, Intel
A cloud hardware security module (HSM) provides cloud-based services to host encryption keys and perform cryptographic operations inside the HSM. It can improve the security level of your services. However, it also brings performance challenges for users, since cryptographic operations are handled remotely in the HSM. Distributed HSM is a solution that satisfies both security and performance requirements. It provides both remote and local HSMs for users and can be hosted in the cloud, on-premises and at the edge. Cryptographic operations can even be performed on the same node as the service. In this talk we walk you through how distributed HSM works and showcase some typical use cases.

Speakers
Iris Ding

Cloud software engineer, Intel
Iris Ding works in Intel's IAGS team now and has a rich background in open source development, cloud computing, middleware development and design. Her current focus is research in the cloud native area such as Kubernetes and service mesh. Iris Ding held a speaking engagement in KubeCon...

Malini Bhandaru

Senior Principal Engineer and Cloud Native Architect, Intel
Dr. Malini Bhandaru is an Intel Sr. Principal Engineer working as a Cloud Native Architect. She has been involved with Open Source for over a decade as a developer, lead, and user on projects such as Kubeflow, Kubernetes, EdgeX Foundry, OpenStack, and OpenDaylight. She has worked...



Thursday February 2, 2023 4:40pm - 5:15pm PST
Room 609

4:40pm PST

Sharing Security Secrets: How to Encourage Security Advocates - Cailyn Edwards, Shopify
The cloud can be a big scary place, and with malicious actors around every corner it’s important that security teams have the power they need to keep data safe, and services available. Although it can feel like we are alone in our mission, and sometimes security practices are seen as burdensome - it doesn’t have to be that way! If we can take the time and make the effort to share our security secrets, introduce teams to Alice and Bob and encourage a healthy amount of suspicion; we can create a company-wide culture that cares about security. We can’t be everywhere at once - so having others looking out for security risks in their work is invaluable. In this talk Cailyn and Ann will talk about their successes in educating non-security teams, and enlisting security advocates across Shopify. They will dive into some of the methods that were well received and talk about efforts that were not as successful. Cailyn will also talk about the new security review strategy that her team launched this year. You will walk away from this session with information and ideas on how to start a security advocates program in your organization.

Speakers
Cailyn Edwards

Senior Infrastructure Security Engineer, Shopify
Cailyn Edwards (she/her) is a Senior Infrastructure Security Engineer at Shopify, where she spends her time paving roads, putting up guard rails and generally helping to secure the cloud. She is also an active contributor to SIG-Security and a 2022 Contributor Award recipient. Her current...



Thursday February 2, 2023 4:40pm - 5:15pm PST
Room 613/614
  Security Education + Teaming
  • Content Experience Level Any

4:40pm PST

"Keyless" Code Signing Without Fulcio - Nathan Smith, Chainguard
Sigstore's certificate authority Fulcio has popularized the idea of "keyless" signing. The keyless method makes signing hassle-free by removing the need to manage private keys. Do you need to run Fulcio yourself if you want the same convenient signing flow, but with your own trust root? No! In this talk, we'll walk through what keyless signing really means and how to configure existing PKI solutions like Vault and step-ca to use it.

Speakers
Nathan Smith

Software Engineer, Chainguard
Nathan is an open source software enthusiast with an interest in supply chain security, reliable infrastructure and digital autonomy. Nathan is a contributor to the Sigstore project, which aims to make signing code easy and ubiquitous.


Thursday February 2, 2023 4:40pm - 5:15pm PST
Room 606/607
  Supply Chains

4:40pm PST

Leveraging SBOMs to Automate Packaging, Transfer, and Reporting of Dependencies Between Secure Environments - Ian Dunbar-Hall & Jerod Heck, Lockheed Martin
Software Bills of Materials (SBOMs) are being touted for tracking software build dependencies and the security of a built application, and are often delivered with built applications for transparency. In this talk we’ll explore a different use for SBOMs, where the SBOM is used as a packaging standard to validate and transfer assets across network boundaries. At Lockheed Martin, we’re using the CycloneDX specification to automate transfers into secure environments with strict controls, allowing development teams to update build dependencies without network connectivity. We also use the CycloneDX specification to create “seeding” deployments for Cloud Native infrastructure deployments. We’ll be demoing Hoppr, an open source tool with an extendable plugin architecture for security validation and multi-team transfers. It uses CycloneDX SBOMs to collect items based on purls, run validation, and create transfers to be brought into these environments.

Speakers
Jerod Heck

Software Factory Product Architect, Lockheed Martin
Jerod is a Product Architect at Lockheed Martin Software Factory focused on Automation and Software Supply Chain. His efforts revolve around encouraging adoption of new technologies and integrating them into the organization. He’s a part of the CycloneDX working group and has worked...

Ian Dunbar-Hall

Software Factory Chief Engineer, Lockheed Martin
Ian is Chief Engineer for Lockheed Martin Software Factory and specializes in DevSecOps and Cloud Native Computing. He is responsible for technical direction for repeatable development processes and tooling that is leveraged across the company to expedite software delivery. He...



Thursday February 2, 2023 4:40pm - 5:15pm PST
Room 612
  Supply Chains