Cloud Native Computing Foundation / Cloud Native SecurityCon NA 2022

These are all the meetings we have in "Cloud Native Securit…" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

2 Nov 2022

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Day in the Life of a Base Image: The Evolution of Vulnerabilities in the Most Popular Containers - Ayse Kaya, Slim.AI

While container scanning & security is becoming more widely adopted, it’s still not well understood how these containers evolve over time from a security perspective. This includes understanding the long-term security posture of these containers and whether it is improving or declining as new vulnerabilities are discovered. This talk will take a first-time look at why handling vulnerabilities in containers is a really sticky problem to begin with: known vulnerabilities require patching, new vulnerabilities arise constantly, and many other vulnerabilities simply fall into a catchall bucket of "won't fix". We'll show data visualizations of how the attack surface of two mega-popular public container images (Python, NodeJS) has changed over the past year, highlighting the problem developers and DevSecOps teams are facing. We'll demonstrate how some of the most popular vulnerability scanners show different results, sometimes to extreme degrees. But stick around to the very end, because on the upside, we'll wrap up with practical steps developers can take to stay on top of vulnerabilities and prevent their dev process from grinding to a halt.
  • 2 participants
  • 29 minutes

2 Nov 2022

Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline - Jeremy Colvin, Technical PMM, Uptycs

Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services.

When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target.

This 5-minute lightning session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:
  • Why developer laptops are often an entry point for attackers—now more than ever
  • How to gather real-time "device integrity" or security hygiene checks for zero-trust access
  • How to audit for malicious Chrome extensions or vulnerable software packages
  • How to tie together identity and GitHub activity on the laptop with CI/CD actions
  • 1 participant
  • 5 minutes

2 Nov 2022

Know Your Dependencies: A Guide to Automating Dependency Assurance - Steve Judd, Jetstack

It is a truth universally acknowledged that almost every modern software component contains a selection of external dependencies whose provenance is unknown. Another truth is that no dependency should be trusted until proven trustworthy. This second truth, though, is often ignored by organisations and their engineering teams, who argue that assuring the trustworthiness of dependencies is too complex, too time-consuming and has a detrimental impact on development velocity. This talk will describe how Jetstack has worked with several clients in the financial services and defence sectors to help them develop dependency assurance mechanisms and processes that allow greater visibility and insight into the dependencies used and their impact on the clients’ risk and security postures. The audience will learn how modern tooling and practices can be used to create efficient, automated pipelines that audit dependencies for vulnerabilities and licence obligations, assess them against the organisation’s security policies and ultimately provide the ability to control which dependencies can be used and deployed within the organisation.
  • 3 participants
  • 26 minutes

2 Nov 2022

Lightning Talk: Securing K8s Pods from Within: A Runtime Approach - Rahul Arvind Jadhav, Accuknox Inc

For Kubernetes, the basic unit of execution is a pod. All the binaries in all the containers have equal access to the volume mount points and thus have direct access to the service account tokens and k8s secrets that the pod mounts. Almost all Kubernetes attacks exploit/leverage this fact. The only thing an attacker has to ensure is to inject a binary into the pod using a known/unknown vulnerability in any of the binaries within any of the containers. Once the attacker injects a malicious binary, it has unrestricted access to the secrets in predefined volume mount points (we are making it so easy for the attacker!). Typically only a few binaries within the pod need access to the tokens/secrets. The access should be restricted to such a list of processes/binaries, and an automated framework should derive this list. This is easier said than done, considering that the app is updated every few weeks, i.e., the security posture changes with the app updates. The session aims to highlight runtime security risks that are inherent to k8s design and possible solutions to alleviate some of these concerns. Rahul is a dev/maintainer of KubeArmor (runtime security engine).
  • 1 participant
  • 9 minutes

2 Nov 2022

Opening Remarks + CTF Overview - Andrew Martin, ControlPlane
  • 1 participant
  • 9 minutes

2 Nov 2022

Panel Discussion: Securing the Golden Path: Adding Guardrails for Developers Without Getting in Their Way! - Moderated by Aradhna Chetal, TIAA; Elizabeth Vasquez Alban, Barclays; Kapil Bareja, Saviyant; Jim Bugwadia, Nirmata & Anil Karmel, RegScale

Is it possible to increase both agility and security? We all know that as organizations are increasingly driven to deliver faster, security often gets overlooked. So, how can organizations adopting cloud native best practices balance the growing complexity of securing modern applications against the ever-increasing organizational drivers for speed? In this session, the panelists will discuss how security and operations teams can collaborate to provide developers with a “secure golden path” that promotes security best practices without compromising agility. The panel discussion will cover how the adoption of cloud native systems impacts security and the cloud native lifecycle, and highlight organizational best practices for adopting cloud native systems. The panelists will also provide practical tips and guidance on how cloud native systems can offer composable and programmable options for policy as code and continuous compliance across the software delivery pipeline to create automated guardrails for developers.
  • 5 participants
  • 40 minutes

28 Oct 2022

Beyond Proof of Concept: Keys to a Successful SPIRE Rollout in Production - Eli Nesterov, N/A

You might have heard about SPIFFE and SPIRE, or you've already read the specifications and run your first proof-of-concept SPIRE deployment to provide your workloads with X.509 or JWT SVIDs. Maybe you are planning to use SPIRE for advanced use cases like federating with a cloud service provider's IAM or a third-party service, or for your hybrid deployment. Wherever you are on your journey, you have most likely asked yourself: How do I run SPIRE in production? In this presentation, Eli Nesterov will discuss what it means to run SPIRE in production and how it differs from a POC. We'll go through the different stages, from the most common architecture patterns, deployment models, logging, and monitoring to security, availability, and performance topics. The talk is based on learnings from multiple successful production deployments, the most commonly asked questions in the SPIFFE/SPIRE Slack channels, and hours of video conference talks.
  • 1 participant
  • 29 minutes

28 Oct 2022

Building Images for the Secure Supply Chain - Adrian Mouat, Chainguard

Security scans getting you down? Users complaining they can't verify your images? Have no idea if your systems are vulnerable to the latest exploit? Want to improve your SLSA level but don't know where to start? You're not alone -- all organisations face these issues. This talk will walk through techniques and tooling that you can use today to address these concerns. In particular it will cover:
  • The distroless philosophy; why minimal images can save you from scan report purgatory
  • The importance of updating images and dependencies
  • Using apko to build container images with SBOMs and complete reproducibility
  • Signing images with Sigstore
The best bit? These tools and techniques will make your systems simpler and faster. Adding security doesn't have to mean hurting usability or productivity.
  • 4 participants
  • 28 minutes

28 Oct 2022

Closing: "And, That's a wrap!" - Marina Moore + Ragashree M C, Event Program Chairs & Andrew Martin + James Cleverley-Prance, CTF
  • 4 participants
  • 17 minutes

28 Oct 2022

Cloud Native Security for the Rest of Us - Tiffany Jernigan, VMware

Your mission is to secure the vast tracts of land of the Cloud Native security landscape. Where do you even start?!? It would be preposterous to cover that whole topic in a single session, but we can at least map it out. The plan is to break it down into three key areas and review each in turn.
  • Platform - securing and upgrading our control planes and nodes; isolating compute, storage, and network resources; managing privileges and secrets.
  • User management and permissions - various ways to authenticate and authorize user access; leveraging tools like RBAC and Namespaces, and some common "gotchas".
  • Software supply chain - what that means; what some actual threat models are; how to mitigate them.
You will leave this session with a stronger understanding of the breadth and depth of Cloud Native security and resources to further develop your knowledge.
  • 1 participant
  • 23 minutes

28 Oct 2022

Conan.Io – Lessons Learned from Securing 40,000 C++ Packages - Diego Rodriguez-Losada Gonzalez, JFrog

Supply chain security needs are at an all-time peak, since attackers are now massively targeting developers through their use of package repositories such as npm and PyPI. Conan.io, the open-source package manager for C and C++, currently houses more than 11 million binaries built by user-submitted recipes, but has managed to have 0 security incidents since its inception, despite its extremely wide reception (15TB of monthly transfers). In this session, Diego (Conan's co-creator) will share how he and his team have managed this incredible feat by utilizing automated quality checks, compiler security mitigations, package signing, a secure build pipeline and an extremely strict and efficient review process, even when faced with more than 9000 pull requests in the last two years.
  • 2 participants
  • 31 minutes

28 Oct 2022

Fileless Attack - Detecting the Undetectable - Carolina Valencia, Aqua Security

A fileless attack is a technique that takes incremental steps toward gaining control of your environment while remaining undetected. In a fileless attack, the malware is loaded directly into memory and executed, evading common defenses and static scanning. Often, attackers may also use compression or encryption to cloak the malware file to avoid detection. Fileless attacks are most commonly used against Windows, but we have recently seen a growing trend in their use against Linux and, more specifically, within containers. In this guide, we will break down a fileless attack by creating a fileless demo and detecting unexpected activity with eBPF tools in the Cloud Native Security Runtime Space: Falco, Tracee, and Tetragon.
  • 1 participant
  • 28 minutes

28 Oct 2022

Getting More Confident with Your Security Helper Libraries Thanks to Go Fuzzing - Jeremy Matos, Grafana Labs

Security helper libraries are often hard to unit test because they should make sure “bad” inputs are not considered valid, but how can we know we are not forgetting one kind of “bad” input? In cases where we don’t have an explicit definition of a good input, Go Fuzzing can be really helpful to gain confidence we are not missing some corner cases. Using a real-life example of a path traversal vulnerability in Grafana OSS, this talk will show how Go Fuzzing can be used to improve the test coverage of the corresponding security fix. Additionally, it will cover how this technique helped validate more complex security helpers and enabled us to detect some bypasses.
  • 1 participant
  • 24 minutes

28 Oct 2022

Hands-on Workshop: Batten Down the Hatches! A Cluster Security Journey - Steve Wade, KSOC Labs, Inc.

Your career is really taking off and you’ve finally landed that security engineer role at the company of your dreams. At your first daily standup meeting, the Chief Security Officer welcomes you aboard and gives you your first major project to lead, aptly named “Operation: Cluster Lockdown”. In this hands-on workshop, the instructors will dive into the methods used to perform a successful real-world Kubernetes security audit. Attendees will learn through instructor-led scenarios how to perform cluster / workload inventory, rapidly assess the security posture of workloads, enforce least privilege for end users and service accounts, and comply with established compliance standards. Each workshop attendee will be provided with a pre-configured public cloud environment running real-world Kubernetes workloads. The tools and methodologies covered in this workshop will give attendees the real-world experience to perform a rapid Kubernetes security posture audit in their own organization’s clusters.
  • 2 participants
  • 1:06 hours

28 Oct 2022

Hands-on Workshop: Network Policies - The Not-So-Hard Way - Raymond de Jong & Tracy Holmes, Isovalent

Many people avoid networking wherever possible because they think it is too complex, and don’t even get them started on policy. In this session, we will help overcome these fears for both app developers and operations teams with network policies the not-so-hard way. In four easy steps we will:
  • Introduce the fundamentals of Cilium Network Policies and the basics of application-aware and identity-based security
  • Discuss the default-allow and default-deny approaches and visualize the corresponding ingress and egress connections
  • Use the Network Policy Editor to show how a Cilium Network Policy looks and what it does on a given Kubernetes cluster
  • Walk through examples and demonstrate how application traffic can be observed with Hubble
The audience will walk away with the ability to create network policies for their workloads so they can stop worrying and love the secure connections, and with an understanding of how to use the Network Policy Editor to apply new Cilium Network Policies to their workloads.
  • 3 participants
  • 56 minutes

28 Oct 2022

How’s Your Supply Chain with Your Insecure OSS Ingestion? - James Holland, Citi

OSS libraries can be used by anyone, but how does an enterprise secure what should, or more importantly, should not be used? The package/artifact managers are at best simple proxies, so security checking is mostly beyond them. Moreover, within enterprises, these tasks end up being manual. This talk will outline the additional checks that should/could be performed at ingestion and subsequently: continuous automated grooming of OSS artifacts. James will demonstrate the Continuous Secure Software Ingestion (CSSI) application, a policy-driven system built on Tekton & Open Policy Agent (OPA), to perform continuous secure ingestion from any source, including Google AOS. He will also show the additional constraints that are placed on the downstream enterprise Software Composition Analysis (SCA) tooling to handle the data graph that this generates.
  • 3 participants
  • 26 minutes

28 Oct 2022

Introducing the OWASP Top Ten for Kubernetes - Jimmy Mesta, KSOC Labs, Inc.

The Open Web Application Security Project (OWASP) is a nonprofit organization focused on improving software security through community, open source, events, and more. Given the growth and adoption of Kubernetes, a number of projects have been published in the OWASP community to help practitioners assess and secure their containerized infrastructure, including the recently released Top Ten for Kubernetes (https://owasp.org/www-project-kubernetes-top-ten/). This OSS project is a community-curated list of the most common Kubernetes risks, backed by data collected from organizations varying in maturity and complexity. This session will discuss the project in detail, give examples for each of the risks in the list, and explain how to get involved.
  • 1 participant
  • 22 minutes

28 Oct 2022

Keynote: Crossing the Kubernetes Network Policy Chasm - Michael Foster, Red Hat, Community Lead - StackRox

Isolating pods with Kubernetes network policies is a vital activity in securing the Kubernetes cluster. The technology has been around since 2017, and yet organizations often make very limited use of it, leaving workloads with over-privileged ingress and egress rights. Why is that? Well, identifying the right networking requirements of individual workloads is challenging to begin with, and operationalizing the task across Dev, Sec and Ops is not trivial. In this talk we will explain how open source technology helps development and security teams automate the process using machine-generated Kubernetes network policies, along with human-authored policies to govern them. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross this chasm.
  • 2 participants
  • 5 minutes

28 Oct 2022

Keynote: Detecting Threats in GitHub with Falco - Loris Degioanni, Chief Technology Officer & Founder, Sysdig

Are your code repositories secure? Misconfigurations and attacks that target GitHub repositories are a serious source of risk, which many people underestimate. Learn what the most common issues with GitHub security are, and how to detect and prevent them with CNCF's Falco.
  • 1 participant
  • 9 minutes

28 Oct 2022

Keynote: Vulnerability Data is Not Enough: The Case for an Actionable UI - Kara Yimoyines, Sr. Engineering Manager, VMware Tanzu

Data without the ability to act on CVEs adds little value to platform hygiene and productivity. As we recognize what we need to secure our software supply chain, we understand that vulnerability data is not enough. Vulnerability data combined with inventory data, in the form of a software bill of materials, is also not enough. Without the ability to automate remediation and understand the blast radius of your CVEs while maintaining uptime and a golden path to production, the data is not helpful. Security analysts and platform engineers need a complete view that is tailored to their concerns so they can make sure remediation is done at the right level.

In this talk we’ll discuss considerations for a user interface that presents the right data to the right teams, empowers them to address any bugs or CVEs quickly, and a software bill of materials so they can make sure all the affected components and dependencies are remediated.
  • 1 participant
  • 9 minutes

28 Oct 2022

Lightning Talk: OPAL: The Open Source GitOps Enabled Platform for Building Authorization - Asaf Cohen, Permit.io

Broken Access Control is the top vulnerability in the OWASP Top 10 security risk list. Proper configuration and enforcement of access control are critical to modern organizations, as privacy and compliance awareness are at their peak. Yet, building authorization or permissions management is a painful process for developers, due to complex and ever-evolving requirements and a lack of knowledge for avoiding common pitfalls. OPAL (Open Policy Administration Layer) is an open-source administration layer for OPA (Open Policy Agent). OPAL detects changes to both policy and policy data in real time and pushes live updates to policy engines, making them real-time and event-driven. OPAL uses Git as the source of truth for policy, enabling GitOps workflows for policy delivery and versioning. OPAL is used by thousands of engineers, from Tesla, Zapier, Cisco, Accenture and others. In his talk, Asaf Cohen, co-maintainer and author of OPAL, will explain the challenges of managing modern authorization and access control and how these challenges can be solved by using open source tools like OPAL. In the end, he will provide use cases and tips for implementing simple and scalable authorization.
  • 1 participant
  • 8 minutes

28 Oct 2022

Panel Discussion: Say Hi to the New Couple in the Town – DockerSlim and Kyverno – Making Your Kubernetes Workloads More Secure! - Moderated by Mritunjay Sharma, Slim.AI; Shuting Zhao, Nirmata; Ruhika Bulani, D.Y. Patil College of Engineering, Aku

Want to minify your container image? Or let's go ahead; ever thought of automating the creation of your container's AppArmor and Seccomp profiles? Okay, wait, let us surprise you even more: what if you get all the above and a way to administer their control in the K8s cluster! Yes, you heard it right: unveiling to you the intersection of Kyverno and DockerSlim! This panel by Shuting, Ruhika, and Mritunjay will demonstrate how these two projects are making the lifecycle of the software supply chain more secure. Kyverno's policies leveraged with DockerSlim's combo of minified image and auto-generated Seccomp profile will make your cluster security management just another YAML chore without you being a Linux syscalls expert!
  • 3 participants
  • 41 minutes

28 Oct 2022

Policy-Based Governance for End-to-End Integrity Control of Policies - Yuji Watanabe, IBM Research & Jayashree Ramanathan, Red Hat

Open Cluster Management (OCM) is a CNCF sandbox project aimed at simplifying and streamlining multi-cluster and multi-cloud management of Kubernetes environments. The OCM policy framework simplifies the complex and time-consuming processes needed to meet enterprise standards for security and regulatory compliance requirements. The integrity of policies is critical because any modification, malicious or accidental, can negatively impact your cluster. This talk describes how you can manage the integrity of policy resources using the OCM policy framework. We will use manifest signing to protect the integrity of policies. To enable signing, secret values such as the signing key or access credentials managed in Vault are securely delivered to the signing pipeline by using the policy with a new function called templated secret. The secret values are embedded into the policy and delivered from the hub to the cluster in encrypted form, and decrypted at the clusters. Admission control to enforce signature verification of policy resources at the cluster is also enabled by using the policy.
  • 4 participants
  • 26 minutes

28 Oct 2022

Pwning the CI (with GitHub Action Workflows) - Stephen Giguere, Bridgecrew

Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is visible as much to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk we'll start with basic social engineering and progress to demonstrating live some known potential abuses of GitHub Actions workflows in combination with an insecure GitHub configuration, to show how alluring defaults and straight-up bad practices can leave our supply chain wide open to attackers.
  • 1 participant
  • 28 minutes

28 Oct 2022

Secure CI/CD Using JSON Web Token (JWT) - Dov Hershkovitch, GitLab

DevSecOps extends the DevOps ecosystem with the security aspect. Sensitive information is everywhere, be it passwords, secret tokens or exchanged IDs used to gain access to tools and platforms. The problem has been addressed by many secret management solutions and frameworks, which in turn creates another problem: which to choose, and how best to integrate it into your DevOps processes? Engineers have started to work around the security protocols, and sensitive information is often stored in insecure ways. In the worst-case scenario, a plaintext token can lead to security leaks and business incidents. JSON Web Token (JWT) aims to build the integration bridge as an open standard for exchanging security claims. Join this session to learn how GitLab leverages JWT tokens to access different secret management solutions, including those of the major cloud providers. Hear best practices on the challenges of retrieving sensitive data and how to enhance the DevSecOps security processes in your organization.
  • 3 participants
  • 28 minutes

28 Oct 2022

Securing Access to Kubernetes Infrastructure with Kubernetes Zero Trust Principles - Mohan Atreya, Rafay Systems

As a Kubernetes footprint expands through a number of development and production clusters – spread across on-premises data centers, multiple public cloud providers, and edge locations – it shouldn’t be a surprise that complexity leads to challenges. When it comes to ensuring Kubernetes security and controlling access to clusters, limited standards and shared practices are creating a “wild west” scenario. Many organizations have multiple clusters in multiple locations—often running different distributions with different management interfaces—and teams of developers, operators, contractors, and partners who need varying levels of access. If your team is deploying Kubernetes in production, you have to do everything possible to ensure access security. In this presentation, we’ll review how to apply Kubernetes zero trust principles to enable controlled, audited cluster access for developers, SREs and automation systems to a Kubernetes infrastructure.
  • 3 participants
  • 26 minutes

28 Oct 2022

See It to Believe It: Bringing Observability to Otherwise Opaque Container Builds - Parth Patel, Kusari & Shripad Nadgowda, Intel

The container build is arguably one of the most security-sensitive operations in the whole application supply chain, yet it has largely remained opaque to date. It is typically implemented as a multi-stage process in the Continuous Integration (CI) pipeline that includes cloning the source code, resolving and downloading dependencies, compiling and packaging applications, and finally publishing the built artifacts. To establish trust in the final built artifact, it is not sufficient to ensure security guarantees around just the artifact itself; it is critical to provide provenance and integrity assurance for every action in the pipeline that went into building it. While tools such as Tekton Chains provide visibility into the steps that were performed and the components that were used during the build process, we are still missing the lower-level syscalls that were made. In this presentation, Parth and Shripad will present an open framework using Tetragon to bring out-of-band runtime visibility and provide automated attestation for Tekton-based CI pipelines.
  • 5 participants
  • 28 minutes

28 Oct 2022

Source Attestations with Gitsign - Billy Lynch, Chainguard

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.
  • 1 participant
  • 10 minutes

28 Oct 2022

The Eye of Falco: You Can Escape but Not Hide - Stefano Chierici & Lorenzo Susini, Sysdig

Container technologies rely on features like namespaces, cgroups, seccomp filters, and capabilities to isolate different services running on the same host. However, SPOILER ALERT: container isolation isn’t bulletproof. As in other security environments, isolation is followed by red-teamer questions such as, “How can I de-isolate from this?” Designed with the principle of least privilege in mind, capabilities provide a way to isolate containers by splitting the power of the root user into multiple units. However, having lots of capabilities introduces complexity and, consequently, an increase in misconfigured, excessive permissions and container escape exploits, as we have seen in recently discovered CVEs. Fortunately, using Falco, a CNCF container runtime security tool, it’s possible to monitor Linux capabilities, detect misconfigured containers, and respond proactively to secure environments. In this talk, we explain how you can use Falco to detect and monitor container escape techniques based on capabilities. We walk through real-world scenarios based on recent CVEs to show where Falco can help detect and automatically respond to those behaviors.
  • 6 participants
  • 34 minutes

28 Oct 2022

Uncovering the History of Your Software Artifacts - Mikhail Swift, TestifySec

Discovering who, how, and where a software artifact was created is a daunting task. Archivist is an open source in-toto attestation index and store that lets you uncover the history of a software artifact and establish trust in it. Archivist allows you to discover the attestations you need to satisfy your in-toto policies and ensure only trusted artifacts make it to production. In this talk we’ll use Witness (an in-toto implementation) to create attestations about the build process of an artifact and store them in Archivist. Then we will create a Witness policy and enforce it while querying Archivist to discover the relevant attestations that satisfy the policy.
  • 1 participant
  • 15 minutes

28 Oct 2022

Verifiable eBPF Traces for Supply Chain Artifacts with Witness and Tetragon - Cole Kennedy, TestifySec

Until now, validating the build environment and detecting tampered tooling in a build has been very difficult. This talk will show how the integration of Cilium Tetragon and Witness simplifies this process for developers and security engineers. Witness is a framework for supply chain security that implements the in-toto specification. It has a modular design that is easily extended with various attestors, backends, and key providers (including SPIFFE/SPIRE). This talk will show an attestation plugin that programs Cilium Tetragon to provide detailed eBPF traces of a build step. Additionally, we will create a build policy that verifies the trace and blocks the execution of a workload compiled by a malicious compiler at the time that workload is run.
  • 1 participant
  • 27 minutes

28 Oct 2022

Welcome + Opening Remarks - Pratik Lotia, Cloud Native Security TAG
  • 1 participant
  • 7 minutes

28 Oct 2022

Why Machines Deserve Rights: Rethinking Automated Infrastructure Access with OSS Teleport Machine ID - Kenneth DuMez, Teleport

This talk will focus on the problems of credentials for machines in modern infrastructure and why it’s imperative you treat your bots the same way you treat your humans. Typically, when using automation for CI/CD or microservices, teams will have vaulted credentials shared between worker nodes. This introduces challenges because these credentials are often long-lived and require frequent rotation, introducing both toil and security threats. Open-source Teleport Machine ID mitigates these problems by assigning each bot a unique identity with attached RBAC roles baked into unique, short-lived certificates, enabling bot users to connect to remote hosts while all of the machine’s activity is centrally audit-logged. This identity-based access control plane works seamlessly with all your cloud infrastructure, including K8s clusters, databases, and any other remote compute resource. The talk will include an assessment of current legacy automated access solutions, an overview of Teleport, a Machine ID demo, and an in-depth discussion of the technology behind it. With open-source Teleport, managing and rotating shared credentials is a thing of the past. Give the machines rights! Secure your infrastructure.
  • 2 participants
  • 30 minutes