Cloud Native Computing Foundation / Cloud Native Security Day EU 2021

These are all the meetings we have in "Cloud Native Securit…" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

14 May 2021

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

A First Look at the Security of Serverless Applications - Eduard Marin, Telefonica Research

Serverless computing is emerging as a new paradigm to deploy applications in the cloud, offering many advantages to cloud providers and their customers. Customers only have to be concerned about implementing their functions, leaving the management of the underlying hardware and software to cloud providers. Consequently, cloud providers are responsible for developing all security mechanisms to protect serverless applications from security attacks. Unfortunately, as serverless computing is a relatively new concept, its security has not yet been properly examined. In this talk, Eduard will shed light on the unique security threats and challenges of serverless platforms. Building on academic and industry research, Eduard will introduce the main types of security attacks against serverless applications along with the feasibility of realizing such attacks, and possible ways to mitigate them.
  • 1 participant
  • 18 minutes
serverless
server
microservices
computing
virtual
software
backups
cloud
workloads
outsource

14 May 2021

Beyond signatures: Using TUF and Notary to Secure Software Distribution - Marina Moore, New York University

The Update Framework (TUF) provides a unique level of protection against attacks on software distribution and updates. Marina Moore will discuss how TUF can ensure secure distribution for registries. She will present an adaption of TUF for use with the Notary v2 project that addresses diverse secure distribution use cases unique to the registry ecosystem.
  • 1 participant
  • 18 minutes
security
malware
securely
vulnerability
distributed
cryptographic
software
repositories
registries
docker

14 May 2021

Capture The Flag Summary + Wrap Up Virtual - Andrew Martin, Lewis Denham-Parry
  • 2 participants
  • 23 minutes
adversary
compromised
security
attack
hack
hosts
deployed
avalon
cloud
recap

14 May 2021

Integrating Security in the Build Pipeline - Anirban Saha, Allianz Direct

With infrastructures and platforms going cloud native, there are greater security risks now than ever before. In the build and release workflow, the focus on security often comes at a very late stage and sometimes, unfortunately, it does not happen at all due to a lot of constraints. In this session, Anirban Saha will demonstrate how security can be integrated in the build and deployment pipeline and address the problems early in the process. He will stress the factors that can be problems in achieving this objective and how to go about solving them. He will also discuss the different vulnerability points that can and need to be considered when designing the solution. He will also demonstrate situations where deployment decisions can be made depending on the security status of the artifacts, thus eliminating the need for post-deployment measures to tackle security flaws.
  • 1 participant
  • 22 minutes
security
workflow
authentication
infrastructures
software
setup
clients
presentations
incidents
cloud

14 May 2021

Keynote: CloudNativeDevSecOps - Hillel Solow, Cloud Innovation Architect, Check Point Cloud

It’s high time developers took responsibility for securing their applications, wherever they run, but Cloud Native applications provide both unique challenges and opportunities to make this transition. In this talk, we will discuss some of the ways that developers can lean in and make a huge impact on application security in the cloud.
  • 1 participant
  • 10 minutes
devsecops
devops
dev
vpcs
cloudguard
server
security
checkpoint
infrastructures
prem

14 May 2021

Keynote: Modern Least Privilege with DevSecOps - James Watters, CTO, VMware Tanzu
  • 1 participant
  • 17 minutes
devsecops
security
microservices
exploits
platforms
developers
vulnerability
infrastructure
deployments
managed

14 May 2021

Keynote: Securing Open Source - David A. Wheeler, Director, Open Source Supply Chain Security, The Linux Foundation

The subversion of SolarWinds’ Orion build system, dependency confusion attacks, and event-stream's subversion make it clear that attackers can successfully attack systems by attacking their supply chains, and attackers have not stopped attacking vulnerabilities in software developed & deployed. This talk will briefly discuss the software supply chain environment, some countermeasures, and some ongoing activities to reduce risks from software vulnerabilities and the software supply chain. The good news is that there are ways to counter such attacks, but they will require changes in how we do software development, selection, and deployment.
  • 1 participant
  • 11 minutes
vulnerability
attacks
security
vulnerabilities
attacker
software
malicious
cryptographic
repositories
countering

14 May 2021

Keynote: Supply Chain: The New Threat Vector in Cloud Native Security - Ali Golshan, Co-founder and CTO, StackRox now Red Hat

At its core, cloud native technologies are heavily dependent on community contributions and developers. As a result, the final stack of tools most organisations run in production are assembled from a series of assets that have been developed outside the organisation. The security and trust in supply chain matters now more than ever. We will discuss how the attack surface in cloud native has shifted from the traditional vectors to the supply chain as well as open source resources, and what we as a community need to do to reduce this risk.
  • 1 participant
  • 9 minutes
security
vulnerability
supply
malware
devops
exploitation
deployment
technologies
cryptocurrency
important

14 May 2021

Lightning Talk: Capture The Flag Overview - Andrew Martin & Lewis Denham-Parry, Control Plane

Delve deeper into the dark and mysterious world of Kubernetes security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Attendees can play six increasingly beguiling and demanding scenarios to bushwhack their way through the dense jungle of Kubernetes security. Everybody is welcome, from beginner to hardened veteran, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!

Note: Registration for Cloud Native Security Day Europe is required to participate in Capture The Flag.
  • 2 participants
  • 10 minutes
security
adversary
defense
hackery
cloud
kubernetes
tricky
support
flags
secrets

14 May 2021

Lightning Talk: Challenges in Cloud Native Forensics - Andrew Krug, Datadog

As more companies have gone cloud native, the focus on resilience has largely focused on detection and speedy recovery. These are only two tactics that should be in the defense toolbox. Forensics is a discipline that has arguably suffered as log volumes and DevOps culture have become more normative. In my session, I’ll demonstrate where the gaps exist and how the ecosystem could improve capabilities around the art of forensics.
  • 1 participant
  • 10 minutes
forensics
forensic
validated
validation
evidence
security
provable
enforcement
process
challenges

14 May 2021

Lightning Talk: Computing Confidentially in the Clouds - Aeva Black, Azure Confidential Compute, Microsoft

A cloud is just someone else's computer -- someone that you trust in ways you may not even realize: to patch their infrastructure against the latest threats, to keep your data in the right country, and to only access it in legally compliant ways. What if you didn't have to trust them? What if you could audit the integrity of their systems at any time, isolate your work from cloud admins, and guarantee your data is processed only when and where you want? Sounds good, right? With new hardware coming online in all major cloud providers, Confidential Computing promises to alter this trust relationship - but the tech stack is still young, and it isn't integrated in cloud native yet. In this session, Aeva Black will present a vision towards this goal, introduce a few open source projects which facilitate it, and hold space for a discussion of future work.
  • 1 participant
  • 11 minutes
confidentially
confidentiality
confidential
security
protections
protecting
cryptographically
cloud
provider
computing

14 May 2021

Lightning Talk: It’s pronounced ‘DevOps.’ The ‘Sec’ is silent. - Dormain Drewitz, VMware Tanzu

A common roadblock in realizing DevOps outcomes is security. In this lightning talk, hear how the security landscape has changed and is forcing a DevSecOps mindset to achieve DevOps outcomes.
  • 1 participant
  • 5 minutes
devops
security
vulnerabilities
developers
development
software
matters
deployment
faster
patching

14 May 2021

Lightning Talk: Kubernetes Risk Assessment: Time to go one level deeper - Ariel Shuper, Cisco

At present, the common Kubernetes risk assessment framework is based on the popular CIS benchmarks for Kubernetes. This framework consists of a comprehensive set of tests covering all the Kubernetes elements' configuration. But the framework doesn't go deeper than the security configurations of the various elements. Real attacks can start by multiple elements expanding beyond security misconfigurations. Moreover, in the popular managed Kubernetes services (e.g., EKS, AKS or GKE), running these tests can be challenging. Hence, there's a need for an additional risk-assessment framework that can go deeper than the Kubernetes configurations, verifying that all other attack methods, steps, and stages are covered. This talk will show a new industry-driven framework led by MITRE crafting an ATT&CK matrix for containers/Kubernetes, which consists of tactics and techniques used in real attacks.
  • 1 participant
  • 10 minutes
security
kubernetes
risks
cisco
authentication
vulnerable
cyber
worries
capabilities
important

14 May 2021

Lightning Talk: Namespaces-as-a-Service with HNC and Kyverno! - Jim Bugwadia, Nirmata & Adrian Ludwin, Google

Kubernetes namespaces provide a strong security boundary and allow sharing cluster resources to reduce costs and increase efficiencies. However, enabling secure self-service namespaces is complex. In this session, Jim and Adrian from the Kubernetes Multi-Tenancy Working Group will demonstrate how the Hierarchical Namespace Controller (HNC) and Kyverno can be used together to enable “namespaces-as-a-service” for enterprise teams. First, Jim will show how Kyverno can automate fine-grained permission management, enforce security, and generate default configurations. Next, Adrian will discuss how HNC makes it easy for developers to manage additional sub-namespaces without requiring cluster-admin privileges. They will then show a live demonstration of using the two CNCF projects together to enable self-service for namespaces without compromising security.
  • 2 participants
  • 9 minutes
namespace
hnc
hns
kubernetes
hierarchy
configuration
network
cluster
policies
efficiencies

14 May 2021

Lightning Talk: Securing CI/CD Infrastructure for Tinkerbell - David McKay, Equinix Metal

Tinkerbell, a CNCF sandbox project, has some pretty unique CI/CD needs. As a bare metal provisioning system, CI/CD involves running servers for DHCP, iPXE, virtual machines with QEMU, and a few other bits and pieces. This use case is not natively supported by most CI/CD SaaS vendors. To tackle this, the Tinkerbell team has automated the management and provisioning of their own CI/CD runners using a collection of off-the-shelf tools. You will learn how Tinkerbell secured their unique infrastructure and how to approach securing your own CI/CD stack. We will demonstrate Tinkerbell’s provisioning tools and dive deep into how they were configured for security. The same tools are publicly available and could be used in your own CI/CD setups. You will also learn how to secure engineer access to your infrastructure without getting tied to a single cloud provider.
  • 1 participant
  • 10 minutes
tinker
metal
provisioning
microservices
machine
infrastructure
container
virtual
securing
bit

14 May 2021

Lightning Talk: Weaviate Vector Search Engine - Enhancing Cybersecurity - Bob van Luijt, SeMI Technologies

This talk is an introduction to the vector search engine Weaviate. You will learn how storing data using vectors enables semantic search and automatic data classification. Topics like the underlying vector storage mechanism and how the pre-trained language vectorization model enables this are touched on. In addition, this presentation consists of live demos to show the power of Weaviate and how you can get started with your own datasets. No prior technical knowledge is required; all concepts are illustrated with real use case examples and live demos. Although Weaviate could be applied in a broad set of use cases, Weaviate has high potential in cybersecurity. Automatic classification of attacks, clustering of incoming threats, and better search through data in the security realm could improve the cyber security of systems and assist security analysts in analysing and preventing attacks.
  • 1 participant
  • 11 minutes
cybersecurity
vva
threat
ve
vector
approach
technology
viviate
model
query

14 May 2021

Secure Code Development and Lessons Learned from etcd Security Audit - Sahdev Zala, IBM & Hitoshi Mitake, Indeed

When it comes to the importance of writing secure code, it gets a unanimous vote. This is even more important for an open code. Checking the security of your code needs manual steps as well as the use of automated tools. As project maintainers for the etcd project, we recently led a third-party security audit of etcd code. In this talk, we will share our experience of what are the common areas in code that get overlooked and pose a security risk, from general weaknesses to critical threats. We will also provide a walk-through of security vulnerabilities that were reported from the audit work.
  • 2 participants
  • 29 minutes
security
secure
careful
software
protocols
guidelines
programming
advisory
auditing
vulnerabilities

14 May 2021

Securing the Software Supply Chain with the in-toto and SPIRE projects - Cole Kennedy & Mikhail Swift, BoxBoat Technologies

A software supply chain is the set of steps required to test, build, deploy, and assure a software release. Verification of the build policy through a cryptographically attestable process is required to give software artifact consumers the confidence to install software releases on mission-critical systems. In this talk, we will discuss the current gaps in the open-source eco-systems and demonstrate a cryptographically attestable software pipeline with automated certificate issuance.
  • 2 participants
  • 20 minutes
intel
security
trust
enterprise
managed
integrators
risk
important
company
ops

14 May 2021

Security Nutrition Labels for Cloud Native Projects - John Kinsella, Accurics

“Nutrition labels” are becoming popular in technology; Apple and Google are using them for privacy, and others are researching their value for communicating the state of privacy and security in IoT devices. In the open-source and cloud native ecosystems, we as developers frequently create software without clearly communicating what it does from a security point-of-view – leaving users to reach their own conclusions on what risks a project may introduce. In this talk, John describes a framework for how an open-source project could define and publish their security nutrition label that allows users to quickly understand the security implications of using or running that software project.
  • 1 participant
  • 20 minutes
security
privacy
fda
advisory
eating
policy
cloud
apple
brainstorming
github

14 May 2021

Welcome + Opening - Andres Vega, Event Chair & Itay Shakury, Member, Cloud Native Security Day Program Committee
  • 2 participants
  • 4 minutes
security
cloud
securely
day
policy
kubernetes
native
attendees
community
cncf