February 1-2, 2023 | Seattle, WA

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for CloudNativeSecurityCon North America 2023 to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in Pacific Standard Time (PST), UTC -8.

The schedule is subject to change.
Content Experience Level: Beginner
Wednesday, February 1
 

11:00am PST

Identity Based Segmentation for a ZTA - Zack Butcher, Tetrate & Ramaswamy Chandramouli, National Institute of Standards and Technology
Zero Trust is all about replacing implicit trust based on the network -- traditional perimeter security and an "access is authorization" model -- with explicit trust based on identity and runtime authorization. This means applications must authenticate and authorize service communication in addition to end users. This gives rise to patterns like identity-aware proxies and the service mesh for enforcing access. We'll discuss a quick-and-easy definition for what a "zero trust architecture" is and discuss how a common use case -- application communication from cloud to prem through a DMZ -- can be simplified with identity-aware proxies (and policy!), leading to organizational agility.

Speakers

Ramaswamy Chandramouli

Senior Computer Scientist, National Institute of Standards and Technology
Dr. Ramaswamy Chandramouli has over 36 years of professional experience in Information System design, development, and implementation, with the last 24 years dedicated to computer security research. He is currently a Senior Computer Scientist at the Computer Security Division at National...

Zack Butcher

Founding Engineer, Tetrate
Zack helps large enterprises adopt Envoy and Istio. An early engineer building Istio at Google, he served on its Steering Committee and co-authored “Istio: Up and Running” (O'Reilly). He works with NIST and co-authored a series of Special Publications defining microservice security...


Wednesday February 1, 2023 11:00am - 11:35am PST
Room 609

11:00am PST

Network Security at Scale: L3 Through L7 at Splunk - Mitch Connors, Aviatrix & Bernard Van De Walle, Splunk
What does it take to securely connect dozens of clusters across multiple cloud providers at Splunk scale, while not disrupting the agility that is required to compete in the modern marketplace? How do you balance security at L3 and L4 with the flexibility and identity needs of L7? Join us to explore Splunk’s networking stack, starting at multi-cloud VPCs for L3, and Istio for L4 and L7. We’ll also discuss how some of the pain points in this architecture are driving the new Istio Ambient design.

Speakers

Mitch Connors

Sr Principal Software Engineer, Aviatrix
Mitch Connors is a Sr. Principal Software Engineer at Aviatrix, and serves on the Istio Technical Oversight Committee. Over the past 17 years, Mitch has worked at Google, F5 Networks, Amazon, an Industrial IoT startup, and State Farm Insurance, giving him a broad perspective on the...

Bernard Van De Walle

Traffic Engineering Lead, Splunk
Bernard is a traffic engineer at Splunk. He leads the Istio and service mesh efforts as part of the traffic engineering team. Before this, Bernard had experience with operations for large-scale deployments of Kubernetes and reverse proxies such as Envoy and Nginx.



Wednesday February 1, 2023 11:00am - 11:35am PST
Room 612

11:50am PST

On Establishing a Production Zero Trust Architecture - Frederick Kautz, SPIFFE/SPIRE
Join Frederick Kautz in developing a sound strategy for a Zero Trust Architecture. We will start by developing a working definition of Zero Trust for inclusion in your organization's security policies, standards, and procedures. We'll then learn how to use various CNCF and other open source technologies to achieve this. The initial focus will be on cryptographic identities for workloads. We will then discuss defining controls that implement your organization's security policies. DevOps/DevSecOps organizational requirements must also be defined, including automation of the application and observability requirements to help your Security Operations Center know the health of your system and respond to threats. We will then discuss how to onboard legacy systems into your Zero Trust environment. Finally, we will have a short discussion on changing your organization's culture to adopt these technologies without bulldozing the valid concerns of your security experts or application architects.

Speakers

Frederick Kautz

Director of R&D, TestifySec
Frederick collaborates on security and networking. He is on the SPIFFE Steering Committee, focusing on providing Zero Trust Workload Identity to compute workloads and resources. Frederick co-authored Solving the Bottom Turtle. He is a co-founder of OmniBOR and maintains the reference...


Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 612

11:50am PST

What's a Zero-Trust Tunnel? Exploring Security and Simpler Operations with Istio Ambient Mesh - Jim Barton & Marino Wijay, Solo.io
One of the most common drivers for service mesh adoption is security compliance. Large enterprises in heavily regulated industries or the public sector must adopt practices like a zero-trust security posture both inside and at the edge of their application networks. Service mesh platforms like CNCF's Istio project are growing in popularity as a vehicle for meeting these challenges. In September 2022, Google and Solo.io announced the release of Istio Ambient Mesh to the community. Ambient offers a revolutionary data-plane architecture that allows service mesh users to ditch sidecars. It delivers an enhanced security posture while slashing operational complexity and enabling incremental mesh adoption, all while reducing cost and computational overhead within a service mesh. This talk will review the new sidecar-less architectural option available with Ambient. We'll discuss the two new complementary layers: a zero-trust tunnel (ztunnel) that secures Layer 4 connectivity, and a waypoint proxy that delivers Layer 7 security policies and behaviors. A demonstration will illustrate how these new components work together in practice.

Speakers

Jim Barton

Field Engineer, Solo.io
Jim Barton is a Field Engineer at Solo.io, a Cambridge-based company specializing in service mesh and Kubernetes-native API gateway technology. Jim’s career in enterprise software spans 30 years. He has enjoyed roles as a project engineer, sales and consulting engineer, product...

Marino Wijay

Developer Advocate, Solo.io
Marino is a Developer & Platform Advocate at Solo.io, EddieHub Ambassador, and KubeHuddle Organizer. He is passionate about technology and modern distributed systems that involve heavy networking. He will always fall back to the patterns of Networking and the ways of the OSI. Community...



Wednesday February 1, 2023 11:50am - 12:25pm PST
Room 609

1:55pm PST

Cloud Native Security Landscape: Myths, Dragons, and Real Talk - Edd Wilder-James & Loris Degioanni, Sysdig; Kim Lewandowski, Chainguard; Isaac Hepworth, Google; Randall Degges, Snyk
The open source security landscape is moving fast, and affects you at all parts of the software lifecycle, from creating open source, to consuming it, to remedying vulnerabilities and detecting threats at runtime. The sheer number of moving parts represents great progress, but is challenging when it comes to knowing what to prioritize. Do you like GUAC with your SLSA? Are you equipped to handle the latest OSS vulnerabilities? This panel will discuss where you should pay attention, what's real now, and what's coming in the future. Topics will include:
* From design-time to run-time: security is a multi-layer concern. All along the software development lifecycle, progress is being made in securing cloud-native; what are the most important projects to know about?
* It's about the people, naturally: we're being told to "shift left" security focus to the developer, but are we ready for it? What are the challenges of connecting the security teams to developers and architects, and what really works?
* What is real, what is myth? The field is full of hot takes, from grand ideas that won't take off, to draconian policies that throw the baby out with the bathwater. Where are the real risks, and how do you deal with the myths and the scares?

Speakers

Edd Wilder-James

VP Open Source, Sysdig
Edd’s career spans open standards, open source, and data analytics, in roles covering technology, content, business, and strategy. At Sysdig, his team is committed to growing and investing in the open source security and observability stacks, including Falco, Prometheus and OPA...

Kim Lewandowski

Founder and Product, Chainguard
Kim Lewandowski — Co-Founder and Head of Product at Chainguard — is an engineer turned product manager. She started her career in the security space working for Lawrence Livermore Labs, and most recently worked for Google. She launched a number of cloud enterprise products and...

Isaac Hepworth

Group Product Manager, Google
Isaac is a Google product manager working on software supply chain integrity within Google’s core infrastructure team, focusing on open source. In this role his work has supported Google’s contributions to OpenSSF's Sigstore, SLSA, and most recently GUAC. Over the last couple...

Loris Degioanni

CTO, Sysdig
Loris Degioanni is the CTO and founder of Sysdig. He is also the creator of the popular open source troubleshooting tool, sysdig, and the CNCF runtime security tool Falco. Prior to founding Sysdig, Loris was one of the original contributors to Wireshark, the open source network analyzer...

Randall Degges

Head of Developer Relations & Community, Snyk
Randall leads Developer Relations and Community at Snyk. He has been writing software for ~20 years and has an extensive background in building and growing technical products.


Wednesday February 1, 2023 1:55pm - 2:30pm PST
Room 608
  101 Track

2:10pm PST

⚡ Lightning Talk: Cloud(Security)Events -- A Lightweight Framework for Security Reactions - Evan Anderson, VMware
With many different sources of security information, making sense of it all can be daunting. CloudEvents is a lightweight standard for recording and routing event information of all types which is easy to extend and supported by a variety of existing tools. In this presentation, Evan will illustrate how CloudEvents can help tie many different security tools together, from proactive supply chain vulnerability notifications to real-time monitoring and reactive data collection. In less than 5 minutes, we’ll show how CloudEvents is useful as a storage format, a data interchange, and as a mechanism for triggering serverless functions to drive remediation of detected issues. In the end, you’ll discover that CloudEvents is not difficult or mysterious, but a helpful tool in the security toolbox for cloud-native practitioners.

Speakers

Evan Anderson

Stacklok
Knative founder and serverless enthusiast. Currently at Stacklok, previously at Google, VMware; recovering SRE. Dad of two. Ultrarunner. Vegan.



Wednesday February 1, 2023 2:10pm - 2:15pm PST
Room 602/603

2:15pm PST

⚡ Lightning Talk: Securing Your Source Repositories - 5 Tips to Get Started! - Billy Lynch, Chainguard
Source Repositories are a critical piece of your software supply chain - they can hold deployment configs, application code, and much more! In this talk we'll cover key basics for getting started with securing repositories, how you can enable them in your own organizations, and next steps you can take.

Speakers

Billy Lynch

Staff Software Engineer, Chainguard
Billy is a staff software engineer at Chainguard, working on developer tools and securing software supply chains for everyone! He is an active contributor and maintainer to the Sigstore, Tekton, and gittuf projects, and is the creator of Sigstore Gitsign.


Wednesday February 1, 2023 2:15pm - 2:20pm PST
Room 602/603
  ⚡Lightning Talks, 101 Track

2:45pm PST

Beyond Cluster-Admin: Getting Started with Kubernetes Users and Permissions - Tiffany Jernigan, VMware
We've all done it: working on our Kubernetes clusters with "cluster-admin" access, the infamous equivalent of "root". It makes sense when we're just getting started and learning about Pods, Deployments, and Services and we're the only one accessing the clusters anyway; but soon enough, we have entire teams of devs and ops and CI/CD pipelines that require access to our precious clusters and namespaces. Are we going to YOLO and give them our admin certificate, token, or whatever else we use to authenticate? Hopefully not! In this talk, we're going to look at how to implement users and permissions on a new Kubernetes cluster. First, we'll review various ways to provision users, including certificates and tokens. We'll see examples showing how to provision users in both managed and self-hosted clusters, since the strategies tend to differ significantly. Then, we'll see how to leverage RBAC to give fine-grained permissions to these users. We'll put emphasis on repeatability, seeing each time how to script and/or generate YAML manifests to automate these tasks.

Speakers

Tiffany Jernigan

Developer Advocate, VMware
Tiffany is a senior developer advocate at VMware and is focused on Kubernetes. She previously worked as a software developer and developer advocate (nerd whisperer) for containers at Amazon. She also formerly worked at Docker and Intel. Prior to that, she graduated from Georgia Tech...



Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 608
  101 Track

2:45pm PST

Demystifying Zero-Trust for Cloud Native Technologies - Kishore Nadendla, TIAA; Mariusz Sabath, IBM Research; Asad Faizi, Eskala.io; Aradhna Chetal, CNCF Security TAG; Philip Griffiths, NetFoundry
A cloud-native platform is empowered by a connected world, but it is also susceptible to malicious activity because of the connectedness of its software, assorted users, devices, distributed applications and services, and the supply chain of its software components. The continuously evolving complexity of current and emerging cloud, multi-cloud, hybrid cloud, and cloud-native network environments, combined with the rapidly escalating nature of adversary threats, has exposed the lack of effectiveness of traditional network cybersecurity defenses. Adopting the Zero-Trust methodology for cloud-native applications must be incorporated and aligned as part of the Cloud Native Maturity Model. This panel discussion will focus on “Zero-Trust Principles, Concepts and implementation approach for cloud-native applications” for the organization's assets (1) Users, 2) Devices, 3) Networking, 4) Applications, 5) Data) across the following Zero Trust building blocks, and will provide implementation guidelines:
1. Identity - Device and Human
2. Policy - Administration and Enforcement
3. Continuous Assessments - Evaluations and Monitoring
4. Always secure

Speakers

Aradhna Chetal

Managing Director - Cloud Security; Co-Chair, CNCF Security TAG
Visionary and dynamic CISO with demonstrated success in driving cyber and digital transformation strategies, implementing security at the speed of cloud, and conveying complex security topics to a variety of audiences from CEOs to security engineers and developers. Transformational management style...

Kishore Nadendla

Sr Lead Engineering Manager - Cloud Security, TIAA
Mr. Nadendla is Sr Lead Engineering Manager at TIAA in Charlotte, NC. As part of the Cloud Security team, he has been involved in many future-state implementations with Cloud Native technologies with Secure Service Mesh, Zero Trust and Supply Chain Security using a Hybrid Clo...

Mariusz Sabath

Senior Software Engineer, IBM Research
Mr. Sabath is a Senior Software Engineer at the IBM T. J. Watson Research Center in Yorktown Heights, NY. Mr. Sabath joined IBM Research in 1997, and since then, he has led several development projects in the area of monitoring, reporting, and performance analysis. His research interests...

Asad Faizi

Founder, CEO, Eskala.io
Seattle-based entrepreneur and technologist, and founder of multiple startups. Over 20 years' experience in senior-level technical positions at large enterprises including Microsoft, PayPal, Intel Corporation and Netscape, and at startups. 10+ years' experience with Cloud and Cloud Native...

Philip Griffiths

Head of Outbound Product and Evangelism, NetFoundry
Currently working as VP Global Head of Biz Dev for NetFoundry, to drive customer success and transformation by embedding private, Zero Trust, programmable networking into any cloud, device, host or application. Prior to this I was working as VP and GM EMEA, as well as EMEA Partner...


Wednesday February 1, 2023 2:45pm - 3:20pm PST
Room 602/603
  Security Education + Teaming

3:50pm PST

Security as Code: A DevSecOps Approach - Xavier René-Corail, GitHub
Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that is free for open source that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline. Finally, we share the lessons learnt from offering security advice to 6 open source projects that have joined our free office hours.

Speakers

Xavier René-Corail

Senior Director, Security Lab, GitHub
Hi! I'm the Senior Director of the GitHub Security Lab. My mission is to inspire the open source community, security researchers, and developers to secure open source software through better security practices. Prior to GitHub, I was the Head of Developer Advocacy at Semmle, acquired...



Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 602/603
  Security Education + Teaming

4:40pm PST

Securing Diverse Supply Chains Across Interconnected Systems - Wayne Starr, Defense Unicorns & Aaron Creel, SpaceX
Working within large software systems can make it difficult to determine the full scope of software, libraries and tooling contained within a diverse set of components, often maintained across separate teams and departments. Security teams must become familiar with a wide range of packaging technologies and practices, and often manually aggregate information to make determinations on where vulnerabilities may be present and how to mitigate them. In this talk, we will share how SpaceX is solving this through a layered application of Syft, Grype, and OWASP Dependency Check as Software Bill of Materials (SBOM) and vulnerability discovery tools integrated into their software development process and continuous integration pipelines. This integration has allowed them to reduce the cycle time for developers to respond to potential vulnerabilities, and allowed them to more efficiently prioritize how developers work across projects.

Speakers

Wayne Starr

DevOps Engineer, Defense Unicorns
Wayne graduated from Rochester Institute of Technology in 2016 and commissioned into the United States Air Force, joining the Defense Innovation Unit. There, he worked as a security engineer for the first Air Force Software Factory (Kessel Run), helping reduce cycle time for delivery...

Aaron Creel

Security Executive & Advisor, SpaceX
Aaron is a security executive with more than 20 years' experience in compliance and security policy across both government and commercial sectors. He began his career in the US Coast Guard and has worked in a wide range of roles throughout the security domain, being selected as a Class...



Wednesday February 1, 2023 4:40pm - 5:15pm PST
Room 606/607
  Supply Chains
 
Thursday, February 2
 

11:00am PST

Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detections - David Wolf & Joshua Smith, Devo
We analyzed more than 2,000 live cloud-based detections across hundreds of IaaS customers to identify common themes and defensive patterns that also revealed gaps in the typical enterprise control set. Our analysis set out to answer the question, where are enterprises investing in cloud controls, and where are the control weak points? Next, we applied the MITRE ATT&CK Cloud framework as a machine learning corpus to illustrate the attacker stories and detections required to detect, interrupt, and respond to cloud impact. By applying a novel approach to the verb and noun relationships of cloud infrastructure and workspaces, we were able to map attacker motives to actionable control stories in an approach that can be applied with any SIEM or big data solution powering the modern security operations center (SOC). Join us for a practical journey in learning how to strengthen the multi-cloud SOC, with lessons learned and actionable insights from a cloud detections engineering team.

Speakers

David Wolf

Security Researcher, Devo
David Wolf is a security architect and innovation researcher at Devo. In his latest research, David uses machine learning and artificial intelligence to highlight the detection and response differences across enterprise cloud infrastructure and workspaces. Previously, David was a...

Joshua Smith

Security Content Engineer, Devo
Joshua is a passionate information security engineer and researcher who figures out how to get a system to behave in a way it was not supposed to, so as to help secure it from future threats. He has spent a vast amount of his career finding new ways to secure systems in order to...



Thursday February 2, 2023 11:00am - 11:35am PST
Room 612
  Detections + Incidents + Response
  • Content Experience Level Beginner
  • Presentation Slides Attached Yes

11:50am PST

Good Fences Make Good Neighbors: Making Cross-Namespace References More Secure with ReferenceGrant - Nick Young, Isovalent
The Kubernetes security model is very reliant on namespacing for enclosing trust boundaries. But what happens when a resource or set of resources needs to cross those trust boundaries? How can we be confident that both parties in cross-namespace communications agree to the relationship between objects? In the SIG-Network Gateway API subproject, we've found that this is a little tricky. The answer is that both parties have to agree. The owner of the resources in the target namespace has to agree to someone outside their control accessing their stuff, and the resource that wants to refer to that stuff has to explicitly ask. Come and learn about the solution the Gateway API subproject of SIG-Network has put in place, the ReferenceGrant resource, how it works, and how it can be used to ensure that a cross-namespace reference is agreed to by both parties. We've also used variants of the same approach in other parts of the Gateway API, and this talk will explain those as well. You will come away with some knowledge of the ReferenceGrant resource, the history behind it, and how it fits into the Gateway API.

Speakers

Nick Young

Senior Systems Engineer, Isovalent
Nick has been working to prevent the entropic downfall of systems for 20 years, across Windows and Linux, datacenters and clouds, networking, storage and compute. Currently he's a Senior Software Engineer at Isovalent, and a maintainer on the Kubernetes Gateway API project, where...



Thursday February 2, 2023 11:50am - 12:25pm PST
Room 609
  Architecture + Identity + Multi-tenancy + Isolation
  • Content Experience Level Beginner
  • Presentation Slides Attached Yes

1:55pm PST

Solving Multi-Service Without a Service Mesh - Evan Anderson, VMware
Kubernetes is famously a “platform for building platforms”. In this talk, we will unpack the primitives Kubernetes provides for enabling microservices to securely communicate with each other without relying on a service mesh. Together, we’ll explore how technologies like NetworkPolicy, token projection, API gateways, cert-manager, and language runtimes play poorly or nicely together. We’ll cover authentication options, encryption, rate limiting, multi-tenant infrastructure services, and the interplay between L4 and L7 features with an eye on compliance as well as developer ease of use. Drawing on his experience as Knative Security Working Group lead and background solving application runtime challenges on Kubernetes, Evan will teach participants how to build without a service mesh, as well as a deeper understanding of the value that service meshes provide.

Speakers

Evan Anderson

Stacklok
Knative founder and serverless enthusiast. Currently at Stacklok, previously at Google, VMware; recovering SRE. Dad of two. Ultrarunner. Vegan.



Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 609

1:55pm PST

The Four Golden Signals of Security Observability - Duffie Cooley, Isovalent
Migrating to Kubernetes has exposed significant gaps in the security observability of running workloads. This gap in visibility not only provides a major advantage to sophisticated threat actors; it provides a serious disadvantage to cluster operators as well. Without security observability, an attacker can achieve and maintain a persistent foothold in your cluster - indefinitely and invisibly. Observability tools today collect metrics and event data, but how do we provide insights into threat detection, or help create a least-privilege security policy for your workloads? We’ll answer these questions by introducing the "Four Golden Signals of Security Observability." These signals are essential to understanding your cloud-native environment's behavior and include:
1. Process Execution
2. Network Sockets
3. File Access, and
4. Layer 7 Network Identity
Using eBPF, we can provide native visibility in the kernel for your workloads and remove the visibility gap that cluster operators are challenged with by collecting security observability data. This talk will also provide a walkthrough of each of the "Four Golden Signals" to detect a real-world attack in real time using eBPF-based open source tools, such as Cilium's Hubble and Tetragon.

Speakers

Duffie Cooley

Field CTO, Isovalent
Duffie is Field CTO at Isovalent focused on helping enterprises find success with Cilium and modern security tooling. Duffie has been working with all things systems and networking for 20 years and remembers most of it. A student of perspective, Duffie is always interested in working...


Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 612

1:55pm PST

Container Factory for Aerospace & Defense Enterprises - Sarah Miller & Melissa Robertson, Collins Aerospace
Learn how Melissa and Sarah are developing a container factory that helps Collins Aerospace software teams meet the governance and compliance rules and regulations for building safety and security critical software. Melissa and Sarah will go over the challenges they are facing and how they are overcoming some when working with compliance auditors. Sarah will share how Collins is looking to move cybersecurity authorizations from a risk management focus to an active cyber defense focus. Melissa will share how she has integrated auto-document generation for compliance reviews and a vision to transition to virtual dashboards. Their goal is to remove hardships from Collins Aerospace developers created by institutional practices by rethinking how compliance is achieved in cloud native environments.

Speakers

Sarah Miller

Sr. Technical Fellow, Collins Aerospace
Sarah Miller, PE, is a Sr. Technical Fellow in software engineering at Collins Aerospace currently leading the Digital Engineering transformation for Mission Systems. With over 25 years' experience, Sarah developed communications products specializing in cryptographic device embedment...

Melissa Robertson

Sr. Software Engineer, Collins Aerospace
Melissa Robertson is a Senior Software Engineer developing container pipelines supporting DevSecOps in Mission Systems for Collins Aerospace. She has a BS in Computer Science from the University of South Alabama and has been working in the software domain for the past 13 years. She...



Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 613/614
  GRC

1:55pm PST

Tutorial: Hands-on Hacking Kubernetes and Ways to Prevent It - Eric Smalling, Snyk
Vulnerability exploits too often seem like empty threats that our security teams warn us about, but not something that would ever happen to my code! Join me in this hands-on workshop where we will walk through a remote code execution exploit and then talk about the steps you can employ that would mitigate the attack. If you want to participate in the hands-on hacking, a container runtime environment pre-installed on your laptop (e.g. Docker Desktop) is encouraged.

Speakers

Eric Smalling

Senior Developer Advocate, Snyk
Eric is a 30+ year enterprise software developer, architect, and consultant with a focus on CI/CD, DevOps, and container-based solutions over the last decade. He is a Docker Captain, is certified in Kubernetes (CKA, CKAD, CKS), and has been a Docker user since 2013. As a Senior Developer...


Thursday February 2, 2023 1:55pm - 3:20pm PST
Room 602/603

3:50pm PST

When SysAdmins Quit: Protecting Kubernetes Clusters When the Owner of Multiple Admin KUBECONFIGs Quits - Arun Krishnakumar, VMware
Suppose there is a sysadmin who owns a few dozen Kubernetes Clusters. They have access to the VMs of the cluster. They also naturally have access to the admin KUBECONFIG files to each of the clusters. Suppose they quit and make a copy of these KUBECONFIG files. If the api-server of any of the clusters is accessible, there is a serious problem. Suppose there is a non-admin KUBECONFIG user and suppose they quit or change teams. We have a similar requirement of removing access to the cluster for that user as well. These are real world problems that are faced by customers who want us to provide guidance and best practices in this matter. Ideally we would like to revoke access to these users with minimal interruption to the cluster. In this talk we will discuss the problem of revoking access to clusters in general at both the admin level, and at the user level. This will include removal of access to resources of interest and the parts of the certificate chain-of-trust that need to be changed. We will discuss how our customers can make use of these schemes and cleanly remove users from the cluster. We will also discuss pre-requisites for setting up a cluster that is amenable to the solution, general gaps in our current implementation and in the general Kubernetes ecosystem as well.

Speakers

Arun M. Krishnakumar

Cloud Architect, VMware Inc
Arun has been working with Kubernetes since 2016, initially building Data Science and ML platforms at a time when Docker would not always play well with Kubernetes and GPU support was new. Recently Arun has been at VMware working on a KaaS engine for their Multi-Tenant provider named...



Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 609

4:40pm PST

Leveraging SBOMS to Automate Packaging, Transfer, and Reporting of Dependencies Between Secure Environments - Ian Dunbar-Hall & Jerod Heck, Lockheed Martin
Software Bills of Materials (SBOMs) are being touted for tracking software build dependencies and the security of a built application, and are often delivered with built applications for transparency. In this talk we’ll explore a different use for SBOMs, where the SBOM is used as a packaging standard to validate and transfer assets across network boundaries. At Lockheed Martin, we’re using the CycloneDX Specification to automate transfers into secure environments with strict controls, allowing development teams to update build dependencies without network connectivity. We also use the CycloneDX Specification to create “seeding” deployments for Cloud Native infrastructure deployments. We’ll be demoing Hoppr, an open source tool with an extendable plugin architecture for security validation and multi-team transfers. It uses CycloneDX SBOMs to collect items based on purls, run validation, and create transfers to be brought into these environments.

Speakers

Jerod Heck

Software Factory Product Architect, Lockheed Martin
Jerod is a Product Architect at Lockheed Martin Software Factory focused on Automation and Software Supply Chain. His efforts revolve around encouraging adoption of new technologies and integrating them into the organization. He’s a part of the CycloneDX working group and has worked...

Ian Dunbar-Hall

Software Engineer, Lockheed Martin
Ian is Chief Engineer for Lockheed Martin Software Factory and specializes in DevSecOps and Cloud Native Computing. He is responsible for technical direction for repeatable development processes and tooling that is leveraged across the company to expedite software delivery. He...



Thursday February 2, 2023 4:40pm - 5:15pm PST
Room 612
  Supply Chains