Cloud Native Computing Foundation / Cloud Native SecurityCon EU 2022


These are all the meetings we have in "Cloud Native Securit…" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

19 May 2022

CTF Overview and Experience - Lewis Denham-Parry, Control Plane

Prepare yourself for tomorrow's CTF event with a warm-up session based on introductory SecurityCon CTF events. All experience levels are welcome!

Learn how to engage with confounding container breakouts, confusing Kubernetes misconfigurations, and the art of engaging with CTF events to prepare yourself for the high-flying no-holds-barred super-inverted gravity-defying capture the flag event at SecurityCon tomorrow!
  • 1 participant
  • 23 minutes

19 May 2022

Closing + CTF Wrap Up - Brandon Lum, Google; Andy Martin, ControlPlane
  • 4 participants
  • 14 minutes

19 May 2022

Co-Chair Update - Ragashree MC [Program Committee Member]
  • 1 participant
  • 5 minutes

19 May 2022

Deep Dive: Serverless Security (STAG Presentation) - Moderated by Andrew J Krug, Datadog; Ragashree M C, Nokia; Ashish Rajan, CISO & Ariel Shuper, Cisco

Serverless encompasses many different facets and technologies in its creation, use, and execution. Serverless computing offered by a provider permits the execution of a piece of code by dynamically allocating resources and adheres to a consumption-based pricing model. These snippets or sections of code are called "functions" and can serve multiple needs, as identified in the newly released CNCF Serverless Whitepaper, first available at KubeCon EU 2022. Over the past 6 months the CNCF Security Technology Advisory Group has been working on a platform-independent whitepaper on serverless security. This whitepaper incorporates the industry experience of STAG members alongside industry-standard best practices. Join Ashish Rajan and Andrew Krug for this panel discussion with STAG whitepaper authors. We'll discuss what's changed since the last whitepaper was released and predict a few things about where serverless security is headed.
  • 4 participants
  • 25 minutes

19 May 2022

Dissecting the Discovery of the 0-Day Supply Chain Vulnerability in Argo CD - Moshe Zioni, Apiiro

The Security Researcher who discovered the 0-day vulnerability in Argo CD (CVE-2022-24348) will walk through the details of the vulnerability and the process that led to the finding. The discussion will include a deep dive into:
  • How an attacker could circumvent Argo CD's defenses to exploit the vulnerability and steal sensitive information
  • Remediation steps, and
  • Why the vulnerability matters to the ecosystem.
  • 2 participants
  • 28 minutes

19 May 2022

First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs, Aqua Security

A key element of successfully integrating security into the DevOps lifecycle is embedding it right from the start. Helping developers and operators build security controls in from day one with easy-to-use open source tooling can make that a reality. This workshop will take a hands-on approach to demonstrate how to install, configure and customize open source security tools to be used throughout the DevOps process. The workshop will focus on a couple of core tools. First, it covers how Trivy can be used to help secure container images, Dockerfiles, Kubernetes manifests and IaC code such as Terraform. Then the workshop will move on to operationalizing security controls using Starboard to automate the operation of Trivy and other security tools, providing continuous security assurance of workloads and Kubernetes clusters.
  • 7 participants
  • 1:21 hours

19 May 2022

Fuzzing the CNCF Landscape - Adam Korczynski & David Korczynski, Ada Logics

This talk presents Adam's and David's experience with fuzzing more than ten projects in the CNCF landscape over the last year, resulting in more than a hundred bugs filed and fixed. For each of the projects, the goal was to integrate fuzzing such that the project would be continuously fuzzed by the free fuzzing service OSS-Fuzz. The projects discussed in the talk include Kubernetes, Argo, etcd, containerd, Vitess, linkerd2-proxy, runc, Flux and more. Adam and David will present a holistic view of this CNCF fuzzing experience, focusing on the technical challenges and results.
  • 2 participants
  • 36 minutes

19 May 2022

Keynote: DevSecOps and the Art of Not Ending Up On the Front Page - Fabio Rapposelli, VMware Tanzu

DevSecOps is the seamless and transparent integration of security into emerging agile IT and DevOps development. Ideally, this is accomplished without reducing developers' agility or speed or requiring them to leave their development toolchain environment.
The SolarWinds Supply-Chain Attack is one of the most dangerous in recent memory. The malware was distributed as part of an update and was digitally signed by a valid digital certificate containing the company's name.
The software bill of materials (SBOM) is gaining new attention and notoriety in the aftermath of SolarWinds. Requiring SBOMs for all software entering your pipeline has become common sense. And in some cases it’s a mandate. For example, Executive Order 14028 requires an SBOM for all federal software procurements in the United States.
At the moment, less than half of companies create SBOMs for their software, and accountability for SBOMs appears to be lost in a rush to deliver new software.
Understanding which components are included in applications is critical for proactive vulnerability management. The SBOM is a versatile and adaptable approach that can be easily tailored to specific use cases. What should you put in SBOMs for software applications that your company makes, buys, or consumes?
  • 1 participant
  • 12 minutes

19 May 2022

Keynote: Evolutions in Data Privacy: Threats and Opportunities - Kirsten A. Newcomer, Red Hat

Encryption is key for data confidentiality in cloud native solutions. This talk will focus on the future of encryption to ensure confidentiality while also enabling collaboration across data sets to advance solutions in areas such as health care. We’ll take a look at the opportunities that homomorphic encryption offers as well as the likely impact of post-quantum cryptography on securing data on cloud-native platforms and applications.
  • 1 participant
  • 6 minutes

19 May 2022

Keynote: Why Wait? Find Cloud Risks and Threats in Real Time with Stream Detection - Loris Degioanni, Sysdig

Cloud service providers offer cost-effective and efficient collection and storage of cloud logs, which is a rich source of data for devops and security teams. Copying logs out of the cloud to query them later is expensive and complex to manage. With stream detection you can find risks and threats in real time and fix issues faster while saving time and money.

Loris will share how you can utilize Falco's real-time telemetry in your cloud-native environment to enable smarter alerts faster and stay ahead of bad actors and malicious attacks.
  • 1 participant
  • 8 minutes

19 May 2022

Lightning Talk: Lessons Learned from Writing Thousands of Lines of IaC - Eran Bibi, Firefly

Immutable architecture is the backbone of infrastructure as code and cloud native operations, ensuring production environments cannot be changed at runtime. While this brings inherent safety benefits, it can also be restrictive and creates new challenges for security. Immutable concepts are much more effective when it comes to securing cloud native environments and infrastructure, which is becoming an increasingly complex task. This talk will focus on some of the fundamentals of immutable architecture, best practices and recommended design patterns to work around its limitations and enhance security, as well as what you most certainly should not be doing when running immutable architecture, from both an infrastructure and a security perspective. This will be demonstrated through a real-world example of deploying a single-tenant SaaS in an automated pipeline, the typical challenges encountered, and what was learned on the way, using a Terraform, Kubernetes and Step Functions example.
  • 2 participants
  • 8 minutes

19 May 2022

Lightning Talk: Knowing Your Serverless Functions: Signing and Verifying Serverless Functions with Cosign - Ariel Shuper, Cisco

The security of software supply chains is extremely important. Malicious attacks on the software supply chain are an ever-present threat that can cause extreme damage. An increasingly popular method to secure the software supply chain is to create cryptographic evidence that the author of the code is who they say they are, based on them having access to the trusted private key, and that the content has not been changed since. Kubernetes provides a great infrastructure to complement code "signing" with a validation step that ensures signing prerequisites were met and only "signed" images are deployed. An admission controller can use a ValidatingWebhook and a MutatingWebhook to verify that only "signed" images are deployed. But what about serverless functions? How can users validate that their code was not changed or tampered with before or after it was uploaded to their cloud account? In the absence of an admission controller equivalent, how can users stay protected? In this talk we'll demonstrate how to use and operate code signing for serverless functions using the Cosign project, and how to validate that only signed functions are being used in the cloud account (leveraging available tools).
  • 3 participants
  • 10 minutes

19 May 2022

Lightning Talk: Repurposed Purpose: Using Git's DAG for Supply Chain Artifact Resolution - Aeva Black, Microsoft

What if we could know the complete and reproducible artifact tree for every binary executable, shared object, container, etc., including all its dependencies, and you could efficiently cross-reference that against a database of known vulnerabilities? If you had had that information, could you have remediated Log4Shell faster? Might it even help open source maintainers identify at-risk dependencies sooner? If you're thinking, "this sounds too good to be true - what's it going to cost?", then we really hope you'll join us, because we believe this should be an automatic part of open source build tools. In this talk, Aeva and Ed will share why they're so excited about GitBOM and explain what it is (hint: it's not git and it's not an SBOM). If the demo gods are willing, they will show you how you can generate a GitBOM with a simple command-line tool, and explain why you won't have to.
  • 3 participants
  • 11 minutes

19 May 2022

Lightning Talk: What Have We Learned from Scanning Over 10K Unique Clusters with Kubescape? - Shauli Rozen, ARMO

Kubescape is an open-source K8s tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, an RBAC visualizer and image vulnerability scanning. Kubescape scans K8s clusters, YAML files, and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK®), software vulnerabilities, and RBAC (role-based access control) violations at early stages of the CI/CD pipeline, calculates a risk score instantly and shows risk trends over time. In the last 6 months, Kubescape scanned over 10K unique clusters and we learned a great deal about the state of Kubernetes risk, compliance, and security vulnerabilities. In this session, Shauli Rozen, ARMO CEO & Co-Founder, will share interesting insight on why and where Kubernetes deployments are failing, the weak spots, and how to get better. He will share some interesting statistics on which controls fail most and where, and what measures to take in order to prevent them.
  • 1 participant
  • 10 minutes

19 May 2022

Lightning Talk: What's Inside Your Container Image? How to Audit All the Dependencies in Your Software Supply Chain - Steve Judd, Jetstack

This year has seen much focus on software supply chains and how organisations can move towards a zero trust approach, especially with regards to the 3rd-party artefacts they depend on. Yet a security gap still exists that is preventing organisations from knowing the provenance of their 3rd party software components. This is because the vast majority of build systems (both cloud-hosted and on-premise) do not directly provide the features necessary to achieve even the minimum SLSA Levels. This talk will describe how Jetstack worked with Improbable Defence to design and implement a framework to evaluate all the Images in use across all environments, and seamlessly map each one to known associated vulnerabilities and open-source licences. Assessing Images in this manner has allowed Improbable Defence to keep an accurate inventory and implement admission policies to prevent Images that don’t meet their risk posture from being used. The result is a fine-grained operational security framework which profiles the provenance of each 3rd party component and builds a comprehensive security posture across the supply chain.
  • 3 participants
  • 9 minutes

19 May 2022

Lightning Talk: lockc - Containing the Containers That Do Not Contain - Michal Rostecki, Deepfence Inc

lockc is open source software for providing MAC (Mandatory Access Control) style security auditing for container workloads, written in Rust and C (soon to be written fully in Rust). The main reason why lockc exists is that containers do not contain. Containers are not as secure and isolated as VMs. By default, they expose a lot of information about the host OS and provide ways to "break out" from the container. lockc aims to provide more isolation for containers and make them more secure through policies enforced in the kernel. The main technology behind lockc is eBPF, to be more precise its ability to attach to LSM hooks. This talk will also mention Aya and the ability to write eBPF programs in Rust.
  • 1 participant
  • 14 minutes

19 May 2022

Lightning Talks: Detecting Data Exfiltration on the Edge with Pixie - Zain Asgar, New Relic

Detecting data exfiltration in your Kubernetes cluster is important but hard. Capturing the right data, especially encrypted data, in order to perform the analysis can be a hassle. Additionally, it can be a non-starter to export sensitive requests outside of the cluster to perform this analysis. In this lightning talk, you’ll learn how Pixie (an open source, CNCF sandbox project), can be applied to attack this problem. Pixie’s auto-telemetry, in-cluster edge compute, and scriptability make it a powerful tool for anyone looking to identify data exfiltration attacks in their cluster. We’ll show a demo which will also be open source for attendees to reference later.
  • 3 participants
  • 10 minutes

19 May 2022

Opening and Introductions - V Körbes, VMware
  • 1 participant
  • 5 minutes

19 May 2022

Protect the Pipe! A Policy-based Approach for Securing CI/CD Pipelines - Shripad Nadgowda, IBM Research & Jim Bugwadia, Nirmata

Modern applications are composed of hundreds of packages and delivered to production via automated CI/CD pipelines. With rapid delivery comes the growing risk of attacks, vulnerabilities, and misconfigurations. Protecting these critical assets requires policy-based controls for CI/CD pipeline composition, configurations and execution. In this session, Shripad and Jim will present a cloud-native security framework for Tekton pipelines using in-toto, Kyverno and sigstore. They will discuss the unique security challenges for CI/CD pipelines, and then demonstrate the use of open-source tools to attest and verify each pipeline resource and execution step using declarative policies.
  • 3 participants
  • 26 minutes

19 May 2022

Purple Teaming Like Sky’s the Limit – Adversary Emulation in the Cloud with Stratus Red Team - Christophe Tafani-Dereeper, Datadog

Engineering and Security teams are increasingly operating in the cloud. With that comes the need to identify malicious activity in cloud-native environments such as AWS or Kubernetes. In this context, it’s critical that we ask ourselves: what does malicious activity look like in the cloud? What are common attacker and malware tactics we should prioritize detecting? How do we reproduce these against a live cloud environment, in order to validate our logging and threat detection pipelines? In this talk, we’ll present Stratus Red Team: an open-source project for adversary emulation and validation of threat detection in the cloud. We’ll discuss the motivation behind the project, the journey and design decisions behind it, but also the philosophy we stand for: focusing on documenting and emulating real-world, documented, and sighted attack techniques. We’ll conclude by a live demo where we use Stratus Red Team to detonate attack techniques against a live AWS account. https://github.com/DataDog/stratus-red-team
  • 1 participant
  • 24 minutes

19 May 2022

Putting the Supply Chain Pieces together: A Deep Dive into the Secure software Factory - Michael Lieberman, Citi

In this deep dive on supply chain security, Michael Lieberman will walk through an implementation of the CNCF's Secure Software Factory reference architecture. The talk will discuss the holistic nature of the supply chain security problem space and how the reference architecture highlights the software provenance gap that many projects and organizations trying to improve their security posture have. Michael will show how cloud native tools, configured and implemented in the right ways, can help provide reliable provenance while increasing the trustworthiness of the artifacts you build. He will show how a system built on top of tools like Kyverno, Tekton, Chains, SPIRE and Sigstore can be tied together to build software that reaches high SLSA levels.
  • 1 participant
  • 20 minutes

19 May 2022

Real Time Security - eBPF for Preventing attacks - Liz Rice, Isovalent

eBPF is used in several cloud native security tools. In some respects it is already being used for preventative security:
  • Cilium uses eBPF to enforce NetworkPolicy
  • Default seccomp profiles (more properly called seccomp-bpf) limit the system calls that applications can use

When it comes to runtime security, Falco today uses eBPF to detect suspicious application behavior, but this isn't preventative: it generates alerts that are used asynchronously to react to malicious events. Is this really the best we can do with eBPF? The answer is a resounding "no". In this talk we'll dive into demos and code to explore how eBPF can be used for the next generation of security enforcement tooling. This talk will cover:
  • Why enforcing NetworkPolicy with eBPF has been in place for years, but preventative security for applications has taken longer
  • How Phantom attacks can compromise the use of basic system call hooks
  • How other eBPF attachment points, such as BPF LSM, can be used for preventative security

You don't need to know about eBPF to get the most out of this talk, but you will need a basic understanding of kernel and user space, and a willingness to see some C code.
  • 3 participants
  • 32 minutes

19 May 2022

Securing the Supply Chain with Witness - Cole Kennedy, TestifySec

Witness is a new open-source modular framework for supply chain security. Witness works by making collections of attestations that are bound to the CI process. These attestation collections give administrators trusted sectors on which to enforce policy, no matter where the policy enforcement point is. Witness is an implementation of in-toto and integrates with cloud-native security tools such as Rekor, SPIRE, Cosign and Kubernetes. In this talk we will describe the Witness trust model and offer a demonstration of an implementation in a CI pipeline.
  • 1 participant
  • 23 minutes

19 May 2022

Security Champions: The What, Why, and How - Ann Marie Fred, Red Hat

Known vulnerabilities are a fact of life, especially with open source software. Cyber Security Intelligence tracked over 18,000 CVEs and at least 66 Zero-Day Vulnerabilities in 2021. According to the Sonatype 2020 DevSecOps Community Survey, 24% of organizations surveyed revealed a breach within one of their web applications in the prior 12 months. The average cost of a data breach was $4.24 million, according to the IBM 2021 Cost of a Data Breach Report. The only way to keep up with the fast pace and demands of cybersecurity today is to scale up the security expertise of your technical workforce. This talk explains why setting up a Security Champions program is such an important part of an overall cybersecurity strategy. Then it goes into detail on how to get your own Security Champions program running, the realistic costs of such a program, and what benefits you can expect from it.
  • 2 participants
  • 27 minutes

19 May 2022

Shrinking Software Attack Surface with WebAssembly & CNCF Wasmcloud - Liam Randall, Cosmonic

WebAssembly is poised to fundamentally transform both browser and server-side development. The virtualization of the CPU, OS, and cloud with hypervisors, containers, and Kubernetes each marked epochs of technology that ushered in emerging trends in software architecture, design, development, operation, and life cycle management. In this session, we highlight the development and advantages of WebAssembly and the CNCF wasmCloud Application Framework. WebAssembly marks the next wave of cloud-native evolution. In this demonstration-heavy session, we highlight 3 main advantages driving the adoption of these technologies, focusing on the security impacts:
  1. With WebAssembly's virtualization of the application, we demonstrate portability across diverse CPUs, clouds, Kubernetes distributions, edges, and web browsers.
  2. Through a capability-driven sandbox we demonstrate a security model that is sandboxed, portable, and consistent across the diverse execution environments.
  3. With wasmCloud's actor model we demonstrate a streamlined approach to managing the software supply chain by virtualizing the use of non-functional requirements and common open source libraries.
  • 2 participants
  • 30 minutes

19 May 2022

TUF Maintainer Panel Discussion - Moderated by Andrew Krug, Datadog; Asra Ali, Google; Marina Moore, NYU; Trishank Karthik Kuppusamy, Datadog; & Jussi Kukkonen, VMware

Join us for a panel discussion with maintainers from across The Update Framework's projects to learn about new and upcoming TUF integrations and enhancements. The TUF specification provides compromise-resilient security for software update and distribution. It has implementations in Python, Go, and Rust that have been used in production by organizations like Datadog, AWS Bottlerocket, Google Fuchsia, and Sigstore. Panelists will provide insight into the state of the project, how TUF can be used to improve supply chain security, and behind-the-scenes perspectives on integrations with Sigstore and PyPI. The panelists will also speak on the unique challenges around maintenance, vulnerability disclosure and consumption of an open source project with multiple implementations.
  • 5 participants
  • 40 minutes

19 May 2022

The Unexpected Demise of Open Source Libraries - Liran Tal, Snyk

Hello there dear developer building your app on open source dependencies. Oh wait, did you think open source code lives forever? Think again! Did you hear about the maintainer discontinuing a library despite having tens of millions of downloads? What about a maintainer who intentionally introduced code to break the functionality of his package which receives millions of downloads? So, did you ever wonder why dependencies die? Join me on a journey full of humor and horror across real-world incidents to learn how even the mightiest of open source projects got defeated. What can we learn from past incidents on the continuous struggles of open source software sustainability, maintainer burnout, and how it impacts us.
  • 2 participants
  • 29 minutes

19 May 2022

Top 5 Reasons (and 5 Myths Debunked) to Invest in Securing the Software Supply Chain - Hector Linares, Microsoft

The recent Log4j vulnerability and NOBELIUM attack stress the importance of securing the software supply chain across the lifecycle: design, development, compilation, packaging, deployment, and maintenance. Executive Order 14028 mandates "significant investments" to help protect against malicious cyber threats and emphasizes a renewed focus on "enhancing software supply chain security," including compliance with the NIST Secure Software Development Framework (SSDF). To meet requirements of SSDF, we present a practitioner's guide for the journey ahead employing the Supply Chain Integrity Model (SCIM), an open-source model for managing data about the security, quality, and integrity of assets across end-to-end supply chains. We show how to maximize ROI in software supply chain security, enabling a trusted platform for the Software Development Lifecycle (SDLC) that extends to partners and customers.
  • 2 participants
  • 22 minutes

19 May 2022

Towards the Hardened Cloud-Native Cornerstone: Container Runtime Protection from Security to Privacy - Kailun Qin, Intel

Containers, the de facto cloud-native vehicles carrying complex workloads today, face increasing threats owing to their weaker threat model and isolation guarantees. The security concerns and mutual distrust over inter-container relations spread from the network to the system level, even to the intra-container level or against cloud admins and infrastructure. In this talk, we'll start by reviewing attack vectors of the container runtime and revisiting existing protections such as AppArmor, SELinux and seccomp, and their limitations. Next, we'll deep dive into the most recent advances in enabling kernel-aided (Landlock, Core Scheduling) and hardware-aided (Memory Protection Keys, Trusted Execution Environment) "magic" with containers against more advanced exploits. The adaptations required to the runtime and image specs of containers, as well as to their policy enforcement, debugging, monitoring, logging, and alerting management, will be further discussed. Finally, we'll share the "now and next" and real scenarios of hardened two-way sandboxes for both security and privacy.
  • 1 participant
  • 25 minutes

19 May 2022

Using CNCF Best Practices for Software Supply Chain to Guide and Enhance Your Security Posture - Ryan Gibbons, 3M & Conor Rogers, Stelligent

In this presentation the 3M team will describe how CNCF best practices were used to inform requirements for secure software development capabilities throughout the 3M software supply chain, and our journey to improve the code security posture. The team will describe how CNCF best practices were used to evangelize an improved security policy and inform Security, Legal, Risk and Delivery Management functions. The 3M team will tell the story of how these best practices were used to enhance policy, process, procedure and build across the Software Development Lifecycle. We will tell our story of securing the software supply chain with a particular emphasis on open source components, and we will share how our efforts to date have helped the organization respond to and prepare for supply chain attacks and vulnerabilities such as Log4j. Finally, we hope to help the community accelerate their journey to the standards-based SBOM (Software Bill of Materials).
  • 3 participants
  • 35 minutes

19 May 2022

VEX! or... How to Reduce CVE Noise With One Simple Trick! - Frederick Kautz

CVEs are one of the most valuable tools for determining risk, but they have significant usability issues. Just because you are "vulnerable" to a CVE does not mean you are "affected" by the vulnerability. Small development teams can usually mitigate the risk by having a team member analyze the impact. However, this noise can overwhelm you if you're running a large-scale vulnerability management program with diverse vendors. The lack of context in a CVE directly impacts your capability to rank vulnerabilities and respond to them efficiently. Enter VEX, the Vulnerability-Exploitability eXchange. In this talk, we will cover what VEX is. We will cover how it integrates with SBOMs, and how it can become a critical capability of your Zero Trust infrastructure. If you're a consumer, you can use it to help determine the risk of a vulnerability and how to mitigate the vulnerability with computer-assisted tooling. If you're a vendor, you can use it to communicate actionable information to customers effectively.
  • 4 participants
  • 31 minutes

19 May 2022

Vanquishing Vulnerabilities in Valencia - Alba Ferri Fitó, Sysdig & Eric Smalling, Snyk

The infamous Log4Shell vulnerability took us all by surprise right as we were preparing to take our end-of-year vacations! Will there be another massive vulnerability to deal with this year? It's very possible, but you can be ready for it! Join us to learn how you can prepare your organization for the next critical CVE and make it harder for attackers to leverage it against you. From the developers' shell to runtime in production, there are many tools and practices you can put in place today that can mitigate and detect would-be attackers and make their lives harder. Topics will include container image construction and scanning, policy enforcement, controlling network traffic, safer runtime configurations, and monitoring runtime behavior. This session will include live demonstrations of the Log4Shell remote code exploit and how effective the techniques presented can be against attacks on it.
  • 3 participants
  • 28 minutes