Cloud Native Computing Foundation / Cloud Native Security Conference North America 2021


These are all the meetings we have in "Cloud Native Securit…" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

30 Oct 2021

Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

As Strong As the Weakest Link: Securing the Software Supply Chain - Brendan O'Leary, GitLab

The SolarWinds breach is an event that we won't truly understand for some time - if ever. Several discussions we've been having in the abstract for years have become very concrete. The systems we use to develop, build and deploy our code are essential production systems. Securing the software supply chain is one of the most underrated security aspects today. All software today is built with dependencies. However, a discussion of these dependencies - both explicit and transient - as links in the software supply "chain" couldn't be more accurate. And the truth is, a chain is only as strong as its weakest link. In this talk, we'll examine the complexities and sophisticated tradecraft from the various supply chain attacks. We'll also explore securing the cloud native supply chain with CNCF tools from Helm & Distribution to Cloud Custodian & Porter. More importantly, we'll delve into the simple, practical security measures that can help prevent such attacks.
  • 1 participant
  • 12 minutes
  • Keywords: proprietary, logistics, security, important, historical, galaxy, concern, chain, war, kubernetes

30 Oct 2021

Change is Hard - Securing the Future Today - Andrew Clay Shafer, Red Hat

The future of security is here now, but isn't evenly distributed. Change is inevitable, but resistance to change may be even more inevitable. What can we do to help organizations overcome the resistance to improve? The social engineering to solve is at least as hard as the technical challenges. This presentation will mix research and anecdote to discuss security as a socio-technical system recognizing the agency of the humans involved in addition to the technology advances that are driving the state of the art to solve security problems more holistically from first principles.
  • 1 participant
  • 22 minutes
  • Keywords: security, concern, administration, authenticated, transition, personally, introduction, expertise, microservice, beard

30 Oct 2021

Cryptographic Signatures: A Building Block Not A Panacea - Marina Moore, NYU

Cryptographic signatures are a key piece of securing the software supply chain. They allow developers to attest that a piece of software is valid, and an end user to ensure that the software was not tampered with. In this talk, Marina Moore will talk about what cryptographic signatures do and don’t provide for a security ecosystem with examples of their effective use as a building block for existing cloud native supply chain security applications. She will also address some common pitfalls in the implementation of cryptographic signature systems.
  • 4 participants
  • 20 minutes
  • Keywords: cryptographically, cryptographic, signatures, authenticating, signature, security, signed, guarantees, private, important

30 Oct 2021

Data Security and Storage Hardening in Rook and Ceph - Federico Lucifredi, Red Hat

This talk will be presented by Federico Lucifredi, but features his collaborative work with Ana McTaggart (Red Hat) and Michael Hackett (Red Hat).

We explore the security model exposed by Rook with Ceph, the leading software-defined storage platform of the Open Source world. Digging increasingly deeper in the stack, we examine hardening options for Ceph storage appropriate for a variety of threat profiles. Options include defining a threat model, limiting the blast radius of an attack by implementing separate security zones, the use of encryption at rest and in-flight and FIPS 140-2 validated ciphers, hardened builds and default configuration, as well as user access controls and key management. Data retention and secure deletion are also addressed. The very process of containerization creates additional security benefits with lightweight separation of domains. Rook makes the process of applying hardening options easier, as this becomes a matter of simply modifying a .yaml file with the appropriate security context upon creation, making it a snap to apply the standard hardening options of Ceph to a container-based storage system.
  • 1 participant
  • 18 minutes
  • Keywords: security, hosts, protocols, server, deployment, kubernetes, cloud, openstack, storage, hat

30 Oct 2021

Data Security: Theoretical and Real World Approaches to Compartmentalization - Ana McTaggart & Michael Hackett, Red Hat; Sean Anderson, Portland State University

Using data on an untrusted cloud presents challenges to ensuring the security of computations, communication, and storage. Controlling the disclosure of information is a challenge, both in theory and in practice. In a theoretical model, a challenge is how to enforce and verify security mechanisms, particularly around disclosure of information. By applying formal methods from programming languages, security properties can be enforced on both storage systems and hardware. In a practical model, a challenge is how to ensure consistency and reliability across an untrusted cloud. The use of operators such as Rook allows container-based storage for Ceph, with uniform security policies and automation of ops efforts towards resilience. The discussion will cover how theory and practice meet, and state-of-the-art approaches to these problems. Collectively, this panel has worked on topics ranging from secure domain-specific languages to work on open source projects involving Ceph and Red Hat, SUSE, and Ubuntu.
  • 3 participants
  • 30 minutes
  • Keywords: rook, security, openshift, deploying, theory, cloud, services, computing, pod, containers

30 Oct 2021

It's Time We Start Securing Our CICD Pipelines - Shripad Nadgowda, IBM Research

Containers allowed breaking monolithic applications and business logic into modular components that can be developed independently and quickly. Such an accelerated development pattern then required a high-velocity path from code to container, which gave rise to innovation and automation in CICD pipelines. CICD pipelines aim to facilitate expedited DevSecOps functions like testing, security scanning and delivery of applications to the cloud through automation. At the same time, there is a growing open-source ecosystem around CICD technologies, where a number of such functions are being made available ready-to-use, such as tektoncd-catalog and GitHub Actions Marketplace. As a result, our pipelines are also subject to prevalent supply chain vulnerabilities, wherein some malicious open-source task could tamper with and compromise our whole pipeline. Thus, as we are building CICD DevSecOps pipelines for securing our application builds and delivery, our pipelines as-is cannot be the root-of-trust. In other words, we need to make sure our CICD pipelines are “secure” at the composition to begin with and need to address security at multiple layers.
  • 1 participant
  • 10 minutes
  • Keywords: securely, security, secure, ensuring, pipelines, workflows, dependencies, protocol, cd, ci

30 Oct 2021

Keynote: Leave it to the Machine - How to Leverage AI to Effectively Shift Left Security - Yuval Shchory, Head of Product Management, Check Point

Containerization and the empowerment of developer and DevOps teams have been one of the most productivity driving factors in today’s cloud life. Building a new n-layered application has never been so easy, and pushing from staging to production has never been so swift. But – where does this leave the security of these environments? Where does this leave the different security teams in terms of their ability to be proactive and timely responding to requirements by these newly established container-based applications?

This keynote will focus on how Machine Learning and Artificial Intelligence provide a means to “shift left” security capabilities as well as shorten the time between n-layered application readiness for production and its actual production. See how, by employing AI/ML, security teams will no longer be regarded as the bottlenecks of the application world and will allow themselves to lead in the continuum of securing containerized application delivery.
  • 1 participant
  • 12 minutes
  • Keywords: security, secure, threats, protect, concern, cyber, complexity, capabilities, checkpoint, management

30 Oct 2021

Keynote: Like a Magic Eye Illusion: Seeing the Bigger Picture for Cloud-Native Security - Kirsten Newcomer, Director Cloud Security, Red Hat

In recent years, the cloud-native community has successfully built a shared understanding of what is needed to effectively secure cloud-native infrastructure and applications. Contributions from SIGs, working groups, individuals, and CNCF members to key initiatives such as the Kubernetes security audit, industry benchmarks, and open source projects provide a foundation for tackling the various layers of cloud-native security, including approaches such as “shift left.” At the same time, the work required to adopt “best practices” and create alignment across teams can seem daunting for even the most seasoned security and DevOps teams. This session aims to help the audience get a better sense of the state of cloud-native security today. It will highlight the latest developments in Kubernetes and container security as well as where organizations have been more and less successful in adjusting security practices to be cloud-native. It will also share results from a recent industry survey on Kubernetes security, some of the biggest open questions for the community, and where we can expect to go from here.
  • 1 participant
  • 11 minutes
  • Keywords: cloud, security, transparency, illusions, technology, app, kubernetes, eye, providers, devsecops

30 Oct 2021

Keynote: Modern Least Privilege and DevSecOps - James Watters, CTO, VMware

Modern apps are more complicated than traditional apps—they have greater scale, change faster, and are more distributed (i.e., don’t have a traditional security perimeter). Although it may seem like this would make it more difficult to keep them secure in the long run, innovations in the cloud native space—such as automation—simplify many aspects of security.

As the industry has increased the adoption of cloud native applications over the past decade, a clear set of best practices has emerged predicated on “least privilege.” Now, it’s time to dramatically improve enterprise application security by embracing a modern set of principles.
  • 1 participant
  • 9 minutes
  • Keywords: security, increasingly, modern, technologies, privilege, vmware, important, microservice, debate, devsecops

30 Oct 2021

Not-So-Fantastic Leaks, and Where to Find Them In Containers - Alex Goodman, Anchore

Building images can be surprisingly difficult, particularly if you need to use packages or applications that are not open and publicly available. It’s all too easy to end up with access tokens, credentials, or build artifacts left behind in non-obvious parts of an image. Once you have an image, how certain are you that you’ve cleaned up properly and that it doesn’t contain any secrets? Does it have any vulnerable software packages? Is your base image hiding information or unexpected content from you? This talk will show you common pitfalls that lead to information being hidden within an image (either wittingly or unwittingly) and how you can be sure there are no lurking surprises in your image before you publish it. I’ll show how to automate these practices in a Tekton pipeline that both builds your image and acts as a quality gate for publication, because no one wants to be the person with access keys sitting out in a registry.
  • 1 participant
  • 8 minutes
  • Keywords: docker, hidden, containers, hide, packages, payload, shipping, problems, stuff, kubernetes

30 Oct 2021

Pinniped: A Unified Framework for User Authentication to Kubernetes Clusters - Mo Khan & Anjali Telang, VMware

If you are a Kubernetes Administrator, IT Administrator or Community User who manages user access to multiple Kubernetes clusters, you not only understand the pain of configuring user authentication to multiple clusters, but also the pain of managing and supporting multiple Identity Providers (IDPs). For user authentication, there are various cluster providers that offer vertically integrated solutions, but there is still a need for a generic solution that can work across Kubernetes clusters. Further, many IDPs offer Web-based administration interfaces that are not command-line/kubectl friendly. In this talk, we introduce Pinniped, a One-size-fits-all, completely Open Source User-Authentication solution to all Kubernetes clusters! Our architecture is designed to not only support Day0 Ops for configuring clusters during deployments but also Day2 Ops for managing user access after clusters are deployed. During our session we will elaborate on the various configurations supported by Pinniped, such as multiple Identity Providers, multiple Kubernetes platform providers and different deployment configurations (Edge, Core).
  • 2 participants
  • 10 minutes
  • Keywords: kubernetes, authentication, users, administrator, access, providers, domain, deploying, implemented, pinpat

30 Oct 2021

Protecting the Omniverse: How NVIDIA is Securing Containers - Adam Wallis, NVIDIA

With growing use of Kubernetes, NVIDIA was increasingly delivering containerized software for external customers and internal applications. As a result, the NVIDIA Product Security team needed a scalable security process that would support diverse requirements across business units without slowing down development. They integrated security checks into their existing CI/CD Pipelines to find and fix security issues early. Session attendees will learn how NVIDIA uses open source security tools to transition to continuous container security for their Kubernetes workloads, including how to:
- Automating security checks across multiple CI/CD toolchains, registries, and Kubernetes platforms
- Decentralized security policies that empower development teams with the responsibility of resolving security issues
- Delivering centralized reporting for business unit accountability
- Providing a centrally hosted solution to support thousands of containerized apps, and hundreds of thousands of containers
  • 1 participant
  • 21 minutes
  • Keywords: gpu, nvidia, ngc, graphics, securing, monitor, host, ai, containerized, docker

30 Oct 2021

Replacing PSPs? Keep Bad Pods out of your cluster using Kyverno! - Shuting Zhao, Nirmata

Securing sensitive aspects of the Pod specification has always been difficult, but it has become more challenging now with the deprecation of PodSecurityPolicy (PSP). So how can you continue to ensure that “Bad Pods” stay out of your cluster and don’t compromise the security posture? Kyverno, an admission controller, provides a Kubernetes native solution to set and validate security context, not only for pods but also for all the pod controllers. In addition to admission review, Kyverno can be run in audit mode. In this mode, Kyverno does not impact existing clusters but audits the cluster and reports any security violations in policy reports. Kyverno also provides the Command Line Tool (CLI) to support “dry run” so that you can easily execute policies in your CI/CD pipeline and generate reports without having to deploy Kyverno to your cluster. In this talk, Shuting Zhao will provide an overview of Kyverno and present a set of Kyverno policies for Pods that are based on Pod Security Standards. She will demonstrate how to generate policy reports for existing clusters. She will also demonstrate how Kyverno can enforce best practices for Pod security. Lastly, she will show how Kyverno can help add default security context to Pods and improve the security posture of your clusters.
  • 1 participant
  • 25 minutes
  • Keywords: pod, security, kubernetes, port, deployment, troubleshoot, docker, managed, patched, pot

30 Oct 2021

SBOM: The Rest Of the Story - Moderated by Emily Fox, Apple; Nisha Kumar, VMware; Allan Friedman, CISA

In a world of compliance requirements, security compromises, and ridiculously long dependency chains, three unlikely travelers cross paths to clear the smoke and mirrors around SBOM: the rest of the story. Our champions of security, compliance, and open source embark on an epic quest to seek truth, actionable software content, and considerations for implementation. They cross the sea of noise in search of the signal by which all of industry can overcome the mighty blight of supply chain insecurity. They wrangle the SBOM misconceptions, they drudge forward through the swamp of Sharing Uncertainties, and confront the beast of Secure Builds. Will they succeed? Will you walk away enlightened, empowered, and ready to tackle the dragons of consumption, risk, and friendship in the face of SBOM publication?
  • 4 participants
  • 27 minutes
  • Keywords: adventurers, paladin, security, mysteries, threat, attacker, rogue, companions, bombs, episode

30 Oct 2021

Securing the Software Supply Chain with Open Source - Dan Lorenc, Google

The software industry is stepping up its response to securing the software supply chain but the challenges are still immense. A concerted effort is needed that spans companies, communities, and industries. Fortunately, many open source projects are emerging as part of the solution. Additionally, the Continuous Delivery Foundation hosts key CI/CD projects and has a mission to improve the world's capacity to deliver software with security and speed through communities of practice. This talk gives an overview of emerging open source projects & initiatives such as CDF and ways to get involved so we can all work together to accelerate securing the software supply chain.
  • 2 participants
  • 9 minutes
  • Keywords: security, supply, release, worrying, open, linux, github, deploying, cloud, salsa

30 Oct 2021

Security Chaos Engineering for Fun and Profit - Kennedy Torkura, Firebolt Analytics

The dynamic nature of cloud-native infrastructure requires continuous security mechanisms to effectively tackle security threats. However, cloud native infrastructure is complex and still emerging, hence the security threats are barely understood, resulting in successful attacks due to unknown attack patterns and behavior. In this talk, the innovative notion of Security Chaos Engineering (SCE) is introduced as a viable approach for enabling proactive cloud native security mechanisms for cloud native infrastructure. Essentially, SCE applies chaos engineering principles to cyber security such that defended environments are not just secure but also resilient to cyber-attacks. A major benefit is the derivation and use of instant empirical feedback loops that aid in verifying security mechanisms (e.g. tools) and expected properties (confidentiality, integrity and availability). Through the injection of controlled security faults (crafted as security hypotheses), deployed security mechanisms are properly analyzed, security blind spots are identified and remediated, thereby resulting in increased security and resiliency. Further to previous presentations, this talk demonstrates SCE benefits including compliance monitoring, incident response and threat detection.
  • 1 participant
  • 24 minutes
  • Keywords: engineering, chaos, security, mechanisms, systems, incident, malicious, understanding, aws, cares

30 Oct 2021

Security TAG Closing - Dan Papandrea, Sysdig + STAG Leadership Team

We'll be wrapping up Cloud Native Security Con with a presentation from the Security TAG featuring highlights of their existing work, future work, and how to get involved.
  • 4 participants
  • 16 minutes
  • Keywords: crowdsourcing, community, security, collaborate, concerns, initiatives, maintainers, geeked, conversations, github

30 Oct 2021

Service Authentication - Tokens or Certificates? - Marc Boorshtein, Tremolo Security, Inc.

The audience for this talk is anyone that is interested in rolling out a services infrastructure. Authentication is generally offloaded to the infrastructure, rather than handled by individual services (or at least it should be). In addition to the daunting number of decisions to be made at the service layer for configuration, authentication is often one of the hardest because it bridges both technology and business requirements and control of decisions may fall outside of the implementer’s ownership path. Having a roadmap for how to choose the right mechanism can either free or hamper implementation and future expansion because it is so foundational to the security of a service.
  • 1 participant
  • 13 minutes
  • Keywords: authentication, crypto, validating, transactional, security, certificates, services, kubernetes, gateways, docker

30 Oct 2021

Strengthening Supply Chain Security By Enforcing Policies Using OPA Gatekeeper on Kubernetes - Rita Zhang & Sertaç Özercan, Microsoft

Open Policy Agent (OPA) Gatekeeper is a general-purpose policy engine for Kubernetes and provides various means to validate and mutate Kubernetes resources to enforce policies. In many of these scenarios, this data has to be either built-in, static or user-defined. However, to strengthen supply chain security, this data needs to be dynamic, and is usually stored in external services, such as container registries. With the Gatekeeper external data feature, Gatekeeper offers a provider-based model to enforce policies to strengthen supply chain security by validating artifacts, such as checking for image vulnerabilities, image signatures, and software bill of materials (SBOM). In this talk, we are going to talk about how OPA Gatekeeper can be used to enforce policies to validate container images and secure your Kubernetes cluster.
  • 2 participants
  • 10 minutes
  • Keywords: gatekeeper, security, maintainers, kubernetes, validating, governance, interface, configmap, registries, supply

30 Oct 2021

Supply Chain Security Reference Architecture - Priya Wadhwa & Alex Marshall, Security TAG

Security TAG will provide a brief presentation of the supply chain security reference architecture. This reference architecture is for developers and operators to experiment on how to build and implement a secure, zero-trust supply chain for their organizations given the existing tooling available to the community.
  • 2 participants
  • 10 minutes
  • Keywords: architecture, developers, secure, future, project, software, theoretical, registry, pipeline, kubernetes

30 Oct 2021

The Long and Windy Road that leads to Cloud Native Security - Frederick Kautz, Sharecare

Establishing and maintaining a Cloud Native Security policy is more than just installing tools and configuring Kubernetes. A solid security stance requires buy-in from the top leadership down to those implementing and using the system. Obtaining buy-in requires understanding the drivers that motivate Infosec's governance, risk management, and compliance. In this talk, Frederick will discuss how information security programs are structured and how to engage with the organization effectively to establish a scalable Cloud Native Security program. Frederick will discuss topics such as: What is Infosec? How does Infosec interact with the rest of the organization? How do these interactions translate to the procedures we use to defend our systems? Where do these procedures even come from? How do we collaborate with Infosec to help improve the company's security posture? How do we enlist Infosec as allies in our Cloud Native Journey? Finally, Frederick will discuss how to get involved with upstream communities which provide guidance, such as the CNCF Security TAG's Security Controls Catalog.
  • 1 participant
  • 23 minutes
  • Keywords: infosec, trust, security, untrusted, stakeholders, confidentiality, integrity, relying, risks, important

30 Oct 2021

The State of Vulnerability in Cloud Native Security - Magno Logan, Trend Micro

This talk aims to present the research results analyzing all the vulnerabilities reported from previous cloud native tools security audits and publicly known vulnerabilities reported by third parties directly to the project maintainers. We’ve bundled and analyzed all these vulnerabilities from different projects such as Kubernetes, Helm, etcd, gRPC, CoreDNS, and many others until July 2021. The goal was to understand the most common issues and most critical risks found in those tools. Furthermore, we wanted to know why they happen, try to prevent them from happening in the future, and at the same time raise awareness for users and organizations using those projects about the risks associated with using these tools in their environment. A PDF report with all the data and findings will be released to the audience with this presentation.
  • 1 participant
  • 25 minutes
  • Keywords: security, risks, presentations, cloud, project, policy, configuration, disclaimer, software, cncf