Cloud Native Computing Foundation / CloudNativeSecurityCon 2023 - Seattle



These are all the meetings we have in "CloudNativeSecurityC…" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

3 Feb 2023

Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

"Keyless" Code Signing Without Fulcio - Nathan Smith, Chainguard

Sigstore's certificate authority Fulcio has popularized the idea of "keyless" signing. The keyless method makes signing hassle-free by removing the need to manage private keys. Do you need to run Fulcio yourself if you want the same convenient signing flow but with your own trust root? No! In this talk, we'll walk through what keyless signing really means and how to configure existing PKI solutions like Vault and step-ca to use it.
  • 2 participants
  • 34 minutes

3 Feb 2023


12 Essential Requirements for Policy Enforcement and Governance with OSCAL - Robert Ficcaglia, SunStone Secure, LLC

An effective policy framework provides governance capabilities to Kubernetes and cloud native applications. Policy-as-code artifacts provide visibility and drive remediation for various security and configuration aspects to help Developers and Operators meet their security and compliance requirements. Working with the Kubernetes Policy Workgroup, cloud providers and tool maintainers have signaled support for OSCAL. OSCAL is a NIST control assessment syntax and model framework providing a standard set of schema for control catalogs, customization and parameterization, assessment and reporting. Using OSCAL as a model schema for control definition, we discuss the specifics of policy enforcement and management in a multi-cluster, multi-cloud environment for seamless traceability across technical configuration, organization security standards and external regulatory compliance requirements. We break down 12 specific requirements and policy-as-code practices in a highly fluid multi-cluster operating environment. Join this hands-on, live demo session to understand the battle-tested use cases, architecture, and practical implementation details, and the deployment and operational levers for managing control implementation, policy generation and assessment, and compliance reporting.
  • 1 participant
  • 42 minutes

3 Feb 2023


The Four Golden Signals of Security Observability - Duffie Cooley, Isovalent

Migrating to Kubernetes has exposed significant gaps in the security observability of running workloads. This gap in visibility not only provides a major advantage to sophisticated threat actors; it is a serious disadvantage to cluster operators as well. Without security observability, an attacker can achieve and maintain a persistent foothold in your cluster - indefinitely and invisibly. Observability tools today collect metrics and event data, but how do we provide insights into threat detection, or help create a least-privilege security policy for your workloads? We’ll answer these questions by introducing the "Four Golden Signals of Security Observability." These signals are essential to understanding your cloud-native environment's behavior and include: 1. Process Execution, 2. Network Sockets, 3. File Access, and 4. Layer 7 Network Identity. Using eBPF, we can provide native visibility in the kernel for your workloads and, by collecting security observability data, remove the visibility gap that cluster operators are challenged with. This talk will also provide a walkthrough of each of the "Four Golden Signals" to detect a real-world attack in real time using eBPF-based open source tools such as Cilium's Hubble and Tetragon.
  • 1 participant
  • 14 minutes

3 Feb 2023


A Sneak Peak Into Security Reviews with the Community - Ragashree MC, Carnegie Mellon University

In this talk, we explore the need for open source security reviews, how they differ from audits, and how they are used. We will share the TAG's contributions to the upcoming Security guide and provide a sneak peek into its contents. Finally, we also start the dialog on how to get on board and get involved in the development of this guide.
  • 1 participant
  • 17 minutes

3 Feb 2023


CNI or Service Mesh? Comparing Security Policies Across Providers - Rob Salmond, SuperOrbital & Christine Kim, Google

Up or down the network stack? Kernel space or userland? How about a side order of sidecars? Would you like eBPF with that? The Cilium project began life concerned with enforcing policies at the CNI level, while Linkerd2 and Istio provided policy enforcement by way of sidecar injection. Now Cilium and Linkerd2 have added support for Layer 7 policies, while Istio has introduced a sidecarless model that pushes some of its policy enforcement out of the pod and back onto the node. And everyone is adding a pinch of eBPF for good measure! This talk will briefly summarize these technologies, explore recent changes in popular cloud native networking solutions, compare their implementations, and highlight the trade-offs.
  • 3 participants
  • 33 minutes

3 Feb 2023


CSI Container: Can You DFIR It? - Alberto Pellitteri & Stefano Chierici, Sysdig

Digital Forensics and Incident Response (DFIR) capabilities are crucial to quickly containing the impact of an incident and preventing a cyberattack from becoming a cyber crisis. Indeed, when criminals get into your environment, it is crucial to adopt well-defined DFIR techniques in order to minimize the incident's impact. However, identifying and containing an incident was challenging enough in virtual machines; now, with containerized applications becoming mainstream, it is even more difficult. Following a brief introduction to DFIR outlining its importance, a comparison between the traditional DFIR approach in on-premises infrastructures and the new approach required with containers will be presented. This will provide a better understanding of how needs and challenges have changed, particularly from the Kubernetes perspective. In addition, after a practical demonstration, the audience will get a clear picture of the best practices to adopt during the response phase - such as storing the evidence of a compromised pod remotely, highlighting and extracting the filesystem changes, and much more. To close out, we will discuss how DFIR is evolving in Kubernetes, covering the latest Kubernetes features and what capabilities they bring to forensics and incident response.
  • 2 participants
  • 39 minutes

3 Feb 2023


Container Factory for Aerospace & Defense Enterprises - Sarah Miller & Melissa Robertson, Collins Aerospace

Learn how Melissa and Sarah are developing a container factory that helps Collins Aerospace software teams meet the governance and compliance rules and regulations for building safety- and security-critical software. Melissa and Sarah will go over the challenges they are facing and how they are overcoming some of them when working with compliance auditors. Sarah will share how Collins is looking to move cybersecurity authorizations from a risk management focus to an active cyber defense focus. Melissa will share how she has integrated automatic document generation for compliance reviews and a vision to transition to virtual dashboards. Their goal is to remove the hardships that institutional practices create for Collins Aerospace developers by rethinking how compliance is achieved in cloud native environments.
  • 3 participants
  • 29 minutes

3 Feb 2023


Container Patching: Making It Less Gross Than the Seattle Gum Wall - Greg Castle & Weston Panther, Google

A goal like “Production containers are patched within FedRAMP timelines” is a seemingly impossible task for many organizations. What containers do we have? Who owns them, and how can we get them patched that fast? We’ll talk about our patching strategy of “Prevent, Detect, Fix, Monitor”, discuss the open source tools available to help in each of those steps, and share lessons learned from our customers and our own patching program. Prevention narrows the funnel: standardized images, slimming images, separating build dependencies, allowlisting registries, and container promotion policies all help. On detection we’ll cover discovery, recent vulnerability detection advances, and opportunities to reduce noise. Fixing is about automating ownership discovery, fix sequencing, and the release process. Monitoring glues it all together: prioritize fixes and investigate gaps to meet your SLO.
  • 4 participants
  • 42 minutes

3 Feb 2023


Delivering Secure Healthcare Applications with OSS - Robert Wood, Centers for Medicare and Medicaid Services (CMS) & Gedd Johnson, Defense Unicorns

Every year the Centers for Medicare and Medicaid Services (CMS) spends thousands of engineering hours to ensure its hundreds of applications are compliant with healthcare-specific security controls. The vast majority of this work is redundant across app teams and the complexity is magnified due to a lack of standardization amongst deployment strategies and technology decisions. This talk will highlight the effectiveness of using exclusively OSS to build, deploy and accredit a secure, standardized K8s-based platform in regulated cloud environments at CMS. The presentation will cover OSS technical implementation, how it achieves security requirements and the culture change that is necessary to utilize open source effectively. The goal of this talk is to share, collaborate, and learn how open source software enables teams to deliver secure, OSS platforms in regulated environments.
  • 2 participants
  • 39 minutes

3 Feb 2023


Do This, Not That – Lessons from 7 Headline Grabbing Security Breaches - Maya Levine, Sysdig

What leads to a cloud security breach? Misconfigurations, exposed APIs, cryptojacking, and more. Attacker motivations haven’t changed much, but their methods have adapted to new technologies. As a defender, you must adapt too. In this talk, we walk through 7 examples of real cloud breaches, discuss what went wrong, why it was interesting, and what you can do to avoid ending up on such a list. Learn about the differences between cloud and on-premise threats and breaches. What has changed? Are certain attack methods more prevalent, attractive, or easy to execute in the cloud? Why? What are the high-level cloud attack trends (and defenses), and how do we cope? Each of the 7 breaches we discuss involves cloud infrastructure. We will highlight a particular attack pattern, response pattern, or other interesting element that can give insight into how to better protect ourselves in cloud environments. You won’t hear general “lock your stuff down” guidance; each scenario will have a specific takeaway so you avoid a similar pitfall.
  • 1 participant
  • 32 minutes

3 Feb 2023


Good Fences Make Good Neighbors: Making Cross-Namespace References More Secure with ReferenceGrant - Nick Young, Isovalent

The Kubernetes security model relies heavily on namespacing to enclose trust boundaries. But what happens when a resource or set of resources needs to cross those trust boundaries? How can we be confident that both parties in cross-namespace communications agree to the relationship between objects? In the SIG-Network Gateway API subproject, we've found that this is a little tricky. The answer is that both parties have to agree. The owner of the resources in the target namespace has to agree to someone outside their control accessing their stuff, and the resource that wants to refer to that stuff has to explicitly ask. Come and learn about the solution the Gateway API subproject of SIG-Network has put in place, the ReferenceGrant resource, how it works, and how it can be used to ensure that a cross-namespace reference is agreed to by both parties. We've also used variants of the same approach in other parts of the Gateway API, and this talk will explain those as well. You will come away with knowledge of the ReferenceGrant resource, the history behind it, and how it fits into the Gateway API.
  • 1 participant
  • 38 minutes

3 Feb 2023


Handling JWTs: Understanding Common Pitfalls - Bruce MacDonald, InfraHQ

If you use JSON Web Tokens (JWTs) for authentication, handling them securely is your first and last line of defense. However, properly using JWTs can be confusing. Even if you follow the specification, you may still be vulnerable to some attacks. In this talk, Bruce will give a friendly introduction to JWTs and how to work with them in your application. We will cover what is in a JWT and how to make sure you can trust it. Once we understand the basics, Bruce will demonstrate some common pitfalls in signature algorithm confusion and secret brute forcing. Finally, Bruce will cover the JWT verification and security practices that will ensure you can trust your JWTs.
  • 1 participant
  • 25 minutes

3 Feb 2023


Journey to Cloud-Native, K8s and Trying to Secure It. - Graham E. Chukwumaobi, Independent

There are so many resources online about containers, Kubernetes, and cloud security available to anyone who wants to know or learn about these technologies; this can be a good thing, but it can also be very confusing and chaotic, especially for people who are new to Cloud-Native and open source technologies and software. The first results returned by Google aren't usually the best for someone starting down their path in Cloud-Native technology. It is even more challenging if you come from a very under-represented background in technology, where it is difficult to ask random people questions without feeling like a burden. This talk aims to guide newbies on their journey into Cloud-Native technologies such as Linux, containers, K8s, IaC, and securing clusters.
  • 1 participant
  • 35 minutes

3 Feb 2023


Keynote: Back to the Future: Next-Generation Cloud Native Security - Matt Jarvis, Director of Developer Relations, Snyk

This talk will be a look into one possible future, taking into account multiple strands of emerging technology, and viewed through the almost certainly subjective lens of folks who’ve been around through multiple technology iterations over the last decade or more and have the t-shirts and scars to prove it. We’ll probably be wrong, but we might get some things right, and we aim to at least be thought provoking. An eye on the future over the hill is always a good idea in our humble opinion, and thinking about those propositions can often engender change in the present!
  • 1 participant
  • 14 minutes

3 Feb 2023


Keynote: It Takes a Community to Raise a Conference: From Security Day to CloudNativeSecurityCon - Emily Fox, Security Engineer, Apple

Our baby colo has grown up and ventured out on its own! How did this happen? They grow up so fast! In less than 4 years we’ve held 7 events in Europe and North America — reaching thousands of practitioners online and in person. All from a community member’s idea and the passionate volunteers that pulled together to make it real. Emily will share her experience coordinating Security Day - now grown into CloudNativeSecurityCon - and her aspirations for the future of this conference and cloud native security.
  • 1 participant
  • 11 minutes

3 Feb 2023


Keynote: Panic in San Francisco: The Critical Vulnerability That Wasn't - Shane Lawrence, Staff Infrastructure Security Engineer, Shopify

In October, the OpenSSL team found a critical vulnerability in an open source library used by millions. They warned that they would disclose the bug and release a patch a week later. Their early warning and quick resolution were commendable, but in the intervening days a flurry of speculation and concern set the blogosphere ablaze and Twitter talking. On release day, some websites promising to report details of the vulnerability struggled to keep up with the traffic as herds of security specialists, developers, and sysadmins-turned-devops-turned-platform-engineers refreshed the page in anticipation. When details became available, many of us started to threat model the bug, evaluating how it might be used to harm our systems. And most of us came to the same conclusion: it couldn't. The panic subsided, and the distraction arguably cost more than an exploit could have. In this talk, Shane will summarize the vulnerability and some of his team's efforts to prepare for and respond to it, then consider lessons learned from the experience. Attendees will hear suggestions for implementing strong security programs that allow rapid evaluation of and response to supply chain threats, so they can be prepared for the next vulnerability, whether it turns out to be a major risk or none at all.
  • 1 participant
  • 14 minutes

3 Feb 2023


Keynote: The Next Steps in Software Supply Chain Security - Brandon Lum, Software Engineer, Google

We've made a lot of progress in the realm of supply chain security in recent years! However, there is still much to do. A lot of effort has been put into developing the "producing" aspects of the software supply chain - SLSA, Tekton (and other build systems), Software Bill of Materials (SBOM). This has led to much higher-fidelity security metadata than we've ever seen. As we move forward, the "consuming" aspects of the software supply chain will need to be developed.

Policy, Aggregation and Synthesis are key aspects of this side of the problem. We will share some ongoing open source effort to address them and highlight gaps within the space that need to be filled.
  • 1 participant
  • 14 minutes

3 Feb 2023


Learning from Supply Chain Failures and Best Practices in Other Industries - Demian Ginther, Superorbital, LLC

Supply chains are critical in many industries, but have only gained attention as vitally important in the software industry in the past couple of years. What can we learn from established supply chain best practices, and from the biggest failures in various industry supply chains? How can we apply that to our own work in securing our own critical infrastructure? In this talk we will discuss the evolution of supply chain processes in the physical world. We’ll explore what parts of physical supply chains apply to our work, how they have been implemented in those paradigms, what sorts of failures can and have occurred, and how we can utilize the lessons learned in our own software supply chain pipelines.
  • 3 participants
  • 30 minutes

3 Feb 2023


Leveraging SBOMS to Automate Packaging, Transfer, and Reporting of Dependencies Between Secure Environments - Ian Dunbar-Hall & Jerod Heck, Lockheed Martin

Software Bills of Materials are being touted for tracking software build dependencies and the security of a built application, and are often delivered with built applications for transparency. In this talk we’ll explore a different use for Software Bills of Materials, where the SBOM is used as a packaging standard to validate and transfer assets across network boundaries. At Lockheed Martin, we’re using the CycloneDX Specification to automate transfers into secure environments with strict controls, allowing development teams to update build dependencies without network connectivity. We also use the CycloneDX Specification to create “seeding” deployments for Cloud Native infrastructure deployments. We’ll be demoing Hoppr, an open source tool with an extendable plugin architecture for security validation and multi-team transfers. It uses CycloneDX SBOMs to collect items based on purls, run validation, and create transfers to be brought into these environments.
  • 4 participants
  • 26 minutes

3 Feb 2023


Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detections - David Wolf & Joshua Smith, Devo

We analyzed more than 2,000 live cloud-based detections across hundreds of IaaS customers to identify common themes and defensive patterns that also revealed gaps in the typical enterprise control set. Our analysis set out to answer the question, where are enterprises investing in cloud controls, and where are the control weak points? Next, we applied the MITRE ATT&CK Cloud framework as a machine learning corpus to illustrate the attacker stories and detections required to detect, interrupt, and respond to cloud impact. By applying a novel approach to the verb and noun relationships of cloud infrastructure and workspaces, we were able to map attacker motives to actionable control stories in an approach that can be applied with any SIEM or big data solution powering the modern security operations center (SOC). Join us for a practical journey in learning how to strengthen the multi-cloud SOC, with lessons learned and actionable insights from a cloud detections engineering team.
  • 2 participants
  • 41 minutes

3 Feb 2023


Modifying the Immutable: Attaching Artifacts to OCI Images - Brandon Mitchell, BoxBoat, an IBM Company

Images are now being pushed to OCI registries with more and more metadata, including attestations, signatures, and SBOMs. What is involved in adding your own artifacts? This talk walks through how OCI recently standardized the process, and describes how additional data can be added to an image without modifying its immutable digest. You'll learn how tooling can ship SBOMs alongside images, both for the vendor generating the SBOM and the user searching for it. And this talk will cover many of the gotchas you may encounter when implementing this yourself.
  • 1 participant
  • 36 minutes

3 Feb 2023


Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore - Zachary Newman, Chainguard, Inc. & Marina Moore, New York University

It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. This means that you’ll treat a signature from evil@hacker.com the same as a signature from yourself! We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Zachary Newman will show how you can answer that question, securely. First, use Sigstore to make signing easy. Then, use CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. Cut through the hype and see how to sign software in order to increase security. Learn what signing can do—and what it can’t. With this knowledge, you can design appropriate verification policies for your project or organization. You’ll also learn how the open source software repositories you depend on are adopting these techniques to ensure that the code you download comes from the authors you expect.
  • 2 participants
  • 36 minutes
signed
securely
validated
signatory
signer
signatures
trusted
issuing
enforcement
tricky

3 Feb 2023

SBOMs, VEX, and Kubernetes - Kiran Kamity, Deepfactor; Jonathan Meadows, Citi; Dr. Allan Friedman, Cybersecurity and Infrastructure Security Agency; Andrew Martin, Control Plane; Rose Judge, VMware

Software supply chain security is rapidly becoming critical to overall security. Software Bill of Materials (SBOM) formats are standardizing around CycloneDX, SPDX, etc. VEX (Vulnerability Exploitability eXchange) is emerging as a standardized companion to SBOMs to help determine whether a vulnerability is exploitable. For Kubernetes app developers, how do we address the supply chain problem? This panel discusses the practical and operational aspects of gathering, using, and handling SBOMs for containers: both those running on Kubernetes and the underlying images that comprise Kubernetes itself. We will cover use cases from open source projects, through vendors and cloud providers, to the use of SBOMs in highly regulated environments including financial services and critical national infrastructure. Panelists include experts and practitioners with deep expertise in SBOMs, VEX, supply chain security, and cloud native application security.
  • 4 participants
  • 36 minutes
panelists
security
conference
discussions
planning
providers
launch
issue
future
cloud

3 Feb 2023

Securing the Superpowers: Who Loaded That EBPF Program? - John Fastabend & Natalia Reka Ivanko, Isovalent

eBPF has become an increasingly popular technology to build all sorts of tools, from networking CNIs to security tools. eBPF has the ability to inspect nearly any kernel data structure and modify network packets, and even user space data in some configurations. It has recently become cross-platform with a Windows run-time and is now widely available on most Linux distributions and cloud platforms. It even has users at Black Hat (BlackHat USA 2021: With Friends Like eBPF, Who Needs Enemies?) and DEF CON exploring potential malicious uses of eBPF. Precisely because it is so powerful it is incredibly useful, but it raises the question: who is watching eBPF? The Linux kernel community has been building a solution to securely monitor and enforce who can load eBPF programs and what kind of programs are allowed to be loaded on any given system. In this talk we discuss a design for eBPF auditing and security and use Tetragon (an open source eBPF-based security tool) to show an implementation. This will show security teams how to restrict what gets loaded on a Linux system and who is allowed to use it, as well as how to create an audit log and time series database so we can go back in time to answer the "who did what, when" type of questions that cannot be answered today.
  • 2 participants
  • 36 minutes
ebpf
evpf
security
infrastructure
interfaces
evps
capabilities
monitoring
kernels
kubernetes

3 Feb 2023

Security That Enables: Breaking Down Security Silos in the DevOps Ecosystem - Saurabh Wadhwa, Uptycs

This talk addresses two core themes: First, the rise in attackers targeting developers and container image repositories to access pre-production resources. Second, good security should enable DevOps teams to better perform their role, secure builds, and remove the stigma that security = roadblocks. First, we break down how traditional CI/CD workflows are siloed from a security tooling perspective. Siloed security tools create gaps when developer ecosystems are targeted, as it’s difficult to trace attackers across environments. Monitoring a developer’s laptop may be completely isolated from the security data from registry scanning, which in turn may be completely isolated from monitoring runtime services. Second, a walkthrough breaking down the step-by-step flow of the recent Dropbox breach where attackers targeted developers and ultimately stole 130 GitHub repositories. This will be a deep dive into how the attackers targeted developers by impersonating CircleCI, with the ultimate goal of stealing GitHub repos and accessing backend infrastructure. And third, we end with a more positive look at how the right security controls (zero-trust access and registry scanning) in the CI/CD process enable developer teams to better perform their roles and more confidently deploy builds.
  • 1 participant
  • 21 minutes
security
securing
vulnerability
cicd
sophisticated
attacker
enabling
developers
discussed
oversights

3 Feb 2023

Security Threat Modeling Live from Scratch Session - Andrew Martin, Control Plane

What does a threat model look like? How do you go about doing one? At TAG Security, we’ve developed a lightweight threat model to let projects easily go through the exercise of modeling their project. In this session, we will have a hands-on exercise and create a threat model for the CNCF project using the lightweight model we’ve developed!
  • 3 participants
  • 42 minutes
threats
security
deploying
git
protocols
maintainers
processes
flux
tooling
cia

3 Feb 2023

Security++: Hide Your Secrets via a Distributed Hardware Security Module - Iris Ding & Malini Bhandaru, Intel

A cloud hardware security module (HSM) provides cloud-based services to host encryption keys and perform cryptographic operations inside the HSM. It can improve the security level of your services. However, it also brings performance challenges for users, since cryptographic operations are handled remotely in the HSM. Distributed HSM is a solution that satisfies both security and performance requirements. It provides both remote and local HSMs for users and can be hosted in the cloud, on-premises and at the edge. Cryptographic operations can even be performed on the same node as the service. In this talk we walk you through how distributed HSM works and showcase some typical use cases.
  • 1 participant
  • 27 minutes
hsn
hsm
hsi
cloud
technology
https
security
server
providers
pcss

3 Feb 2023

Self Healing GitOps: Continuous, Secure GitOps Using Argo CD, Helm and OPA - Upkar Lidder, Tenable

Argo CD empowers the community to adopt GitOps for K8s. Argo CD triggers automated operations for cluster reconciliation by monitoring changes in git for images and artifacts such as Helm Charts. While Argo CD enables hyper-automation for cluster deployment, how can teams ensure they aren't slowed down by requirements such as security, privacy, and compliance? In this talk, Upkar Lidder will discuss how to leverage the power of the Open Policy Agent to automate the delivery of secure, compliant deployments. Argo CD with OPA can ensure that any Helm charts and container images to be deployed are compliant with the established policies. Upkar will also demonstrate a new approach of self-healing GitOps to the community which leverages OPA's Rego language to remediate risks and violations on the fly.
  • 1 participant
  • 31 minutes
concerns
container
kubernetes
security
deploying
microservices
cyber
providers
cloud
cto

3 Feb 2023

Sharing Security Secrets: How to Encourage Security Advocates - Cailyn Edwards, Shopify

The cloud can be a big scary place, and with malicious actors around every corner it’s important that security teams have the power they need to keep data safe, and services available. Although it can feel like we are alone in our mission, and sometimes security practices are seen as burdensome - it doesn’t have to be that way! If we can take the time and make the effort to share our security secrets, introduce teams to Alice and Bob and encourage a healthy amount of suspicion; we can create a company-wide culture that cares about security. We can’t be everywhere at once - so having others looking out for security risks in their work is invaluable. In this talk Cailyn and Ann will talk about their successes in educating non-security teams, and enlisting security advocates across Shopify. They will dive into some of the methods that were well received and talk about efforts that were not as successful. Cailyn will also talk about the new security review strategy that her team launched this year. You will walk away from this session with information and ideas on how to start a security advocates program in your organization.
  • 2 participants
  • 31 minutes
security
advocates
hackers
advocate
cyber
support
services
exploits
concerns
professionals

3 Feb 2023

Solving Multi-Service Without a Service Mesh - Evan Anderson, VMware

Kubernetes is famously a “platform for building platforms”. In this talk, we will unpack the primitives Kubernetes provides for enabling microservices to securely communicate with each other without relying on a service mesh. Together, we’ll explore how technologies like NetworkPolicy, token projection, API gateways, cert-manager, and language runtimes play poorly or nicely together. We’ll cover authentication options, encryption, rate limiting, multi-tenant infrastructure services, and the interplay between L4 and L7 features with an eye on compliance as well as developer ease of use. Drawing on his experience as Knative Security Working Group lead and his background solving application runtime challenges on Kubernetes, Evan will teach participants how to build without a service mesh, as well as give a deeper understanding of the value that service meshes provide.
  • 1 participant
  • 33 minutes
microservices
mesh
kubernetes
service
provider
deploying
network
software
interface
talking

3 Feb 2023

Spicing up Container Image Security with SLSA & GUAC - Ian Lewis, Google

Understanding and verifying the content of images that you deploy in production environments is difficult and error prone. Images could be built in an insecure environment, by a malicious actor, or include dependencies that are insecure. Users often don't have enough information to determine if images are trustworthy. Two new tools can help; Supply chain Levels for Software Artifacts (SLSA), and Graph for Understanding Artifact Composition (GUAC). In this talk attendees will learn how to add SLSA provenance metadata to their container images and strongly link images back to their source code on multiple build systems including GitHub Actions and Google Cloud Build. We will also cover how to verify images and their metadata before use; both when running locally and when running images in Kubernetes. Using policy engines like Kyverno and Sigstore policy-controller we can verify an image's source code repository, builder identity, build entry points, and more to protect production environments from malicious images. Finally we'll discuss how to understand your image's supply chain using GUAC. We'll discuss how we can combine SLSA with GUAC to better understand the contents and build provenance of your images from the base layers on down.
  • 3 participants
  • 36 minutes
security
safeguards
vulnerability
deploying
container
compromised
developing
tooling
software
talks

3 Feb 2023

Sponsored Keynote: Kubernetes is the Perfect Platform for Enforcing Zero Trust Security - Fei Huang, VP Security Product Strategy, SUSE

Zero Trust security is a hot topic these days, in more than just cloud native deployments. But with most new applications and infrastructure development being done with cloud native tools and infrastructure, zero trust is the single most critical security strategy that should be employed to secure Kubernetes environments.

In this talk, Fei Huang, VP of Security Strategy at SUSE and co-founder of NeuVector, talks about what is a zero trust strategy built around cloud native, and where zero trust protections can be enforced with examples from the ecosystem.
  • 1 participant
  • 6 minutes
security
kubernetes
vulnerability
gcpe
log4j
trust
crypto
patching
auditing
devops

3 Feb 2023

Sponsored Keynote: OpenClarity: A Community-Led Approach to Cloud-Native Application Security - Sarabjeet Chugh, Senior Director, Global Head of Product-Led Growth, Cisco

The complexity and distributed nature of modern apps have increased the number of attack vectors. As more mission critical workloads move to cloud native architectures, there is an urgent need to protect new attack surfaces that arise. Yet, there is no single commercial tool that can comprehensively secure cloud native apps. Developers need flexible and extensible tools that are cloud native, and not a bolt on from the legacy world. And because no one knows more about what developers need than developers, it makes sense to come together as a community to create tools that developers love. Security for developers by developers. That’s what the OpenClarity suite of OSS offers - a comprehensive solution to cloud native security. Come hear all about how Cisco is leading the charge on community-powered innovation in cloud native security, AI/ML, API security, observability, network automation, and more.
  • 1 participant
  • 6 minutes
security
secret
cisco
kubernetes
open
cloudsec
github
api
technology
presentation

3 Feb 2023

Sponsored Keynote: Trust and Risk in the Software Supply Chain - Emmy Eide, Director, Product Security, Red Hat

Building a trusted software supply chain that minimizes risk starts at the very beginning of the development process and continues through the application life cycle. Administering security tests at the end of the development and production cycle or patching running applications is counterproductive to how cloud-native applications are built and secured. Just as automation is key for cloud native development, it’s also critical for cloud native software supply chain security.
In this talk, we will explore balancing trust and risk throughout the entire supply chain using open source projects. We will look at why trusted supply chains are necessary, what it means to reduce risk continuously, and how Red Hat is building trust in its own software supply chain using open source technologies.
  • 1 participant
  • 6 minutes
trusted
trust
security
supply
secure
risk
disruptions
dependencies
vulnerabilities
industry

3 Feb 2023

TAG Security Cloud Native Security Whitepapers Overview - Shlomo Zalman Heigh, CyberArk

There are many aspects of Cloud Native Security, and it can be daunting to approach. To help security practitioners understand cloud native security, TAG Security has published multiple whitepapers and reference architectures to provide context on securing cloud native infrastructure. In this talk, we will go through what’s out there and coming up, including the Cloud Native Security Whitepaper, the Supply Chain Security best practices and reference architecture, the Zero Knowledge whitepaper, as well as the Cloud Native Security Controls mapping. We hope that this session will lighten the pathways into cloud native security for all.
  • 1 participant
  • 19 minutes
conference
security
cncf
advisory
contributors
trust
policy
cyber
personally
tooling

3 Feb 2023

Taming Attestation for the Cloud Native World with Parsec - Paul Howard, Arm

As compute continues to move to the edge, there is an increasing need for compute nodes that are outside of the managed cloud to authenticate and communicate securely with cloud services. The need to achieve this across a diverse ecosystem of devices creates a bewildering problem for the industry. Hardware-backed security is a must when devices are in tamper-prone environments. Parsec, in the CNCF sandbox, has tamed the problem of managing keys and secrets in these various devices, creating the convenient and portable interface to a strong, hardware-backed device identity. But a key isn't always enough. Sometimes there is a need also to prove that the key was created within the device, and that the device itself is composed of an approved combination of hardware, firmware and software, booted to a known-good configuration. This is commonly known as attestation. But attestation brings its own set of portability challenges, with platform-specific APIs, flows and data formats. The advent of confidential computing adds an extra dimension of complexity as well. In this talk, you will learn how Parsec is now primed to create the portable, cloud-native approach to attestation on any platform for a variety of use cases, including secure channel bootstrap with enhanced TLS handshakes.
  • 1 participant
  • 30 minutes
conference
colleagues
session
platform
conversation
computing
parsec
topic
present
complexity

3 Feb 2023

Tutorial: Hands-on Hacking Kubernetes and Ways to Prevent It - Eric Smalling, Snyk

Vulnerability exploits too often seem like empty threats that our security teams warn us about, but not something that would ever happen to my code! Join me in this hands-on workshop where we will walk through a remote code execution exploit and then talk about the steps you can employ to mitigate the attack. If you want to participate in the hands-on hacking, a container runtime environment pre-installed on your laptop (e.g. Docker Desktop) is encouraged.
  • 1 participant
  • 1:13 hours
hacking
security
kubernetes
vulnerabilities
exploits
github
deploying
troubleshoot
apps
workshop

3 Feb 2023

When SysAdmins Quit: Protecting Kubernetes Clusters When the Owner of Multiple Admin KUBECONFIGs Quits - Arun Krishnakumar, VMware

Suppose there is a sysadmin who owns a few dozen Kubernetes Clusters. They have access to the VMs of the cluster. They also naturally have access to the admin KUBECONFIG files to each of the clusters. Suppose they quit and make a copy of these KUBECONFIG files. If the api-server of any of the clusters is accessible, there is a serious problem. Suppose there is a non-admin KUBECONFIG user and suppose they quit or change teams. We have a similar requirement of removing access to the cluster for that user as well. These are real world problems that are faced by customers who want us to provide guidance and best practices in this matter. Ideally we would like to revoke access to these users with minimal interruption to the cluster. In this talk we will discuss the problem of revoking access to clusters in general at both the admin level, and at the user level. This will include removal of access to resources of interest and the parts of the certificate chain-of-trust that need to be changed. We will discuss how our customers can make use of these schemes and cleanly remove users from the cluster. We will also discuss pre-requisites for setting up a cluster that is amenable to the solution, general gaps in our current implementation and in the general Kubernetes ecosystem as well.
  • 1 participant
  • 27 minutes
vmware
kubernetes
managed
cluster
administrator
vpn
transferring
infrastructure
workloads
problem

3 Feb 2023

Zero Trust in the Cloud with WebAssembly and WasmCloud - Kevin Hoffman, Cosmonic

Securing code running in the cloud has been a difficult problem to solve since before we called it "the cloud". With the advent of WebAssembly, we can leverage the intrinsic security and sandbox isolation offered by WebAssembly modules. Then we can layer on top cryptographic signatures and the verifiable capability model from wasmCloud to deploy secure, untrusted code and have total confidence in the security of applications built this way. In this session, we'll take a look at how WebAssembly itself adds multiple levels of security to traditional cloud computing with containers and microservices. Then we'll cover demonstrations of multiple levels of security enabled by wasmCloud.
  • 2 participants
  • 33 minutes
webassembly
security
microservice
backend
kubernetes
trust
cryptographically
cloud
concerned
robust

2 Feb 2023

Avoiding IAC Potholes with Policy + Cloud Controllers - Andrew Martin, ControlPlane

In large organisations, enabling and securing self-serve cloud infrastructure for teams hosting their applications on Kubernetes is hard. Most large organisations implement Enterprise Security Architectures featuring IaC pipelines with Policy as Code frameworks at the outset of their cloud journey, which are found to be not fit for purpose when teams use Kubernetes to provision infrastructure either natively, through Services of type LoadBalancer, or using hosted cloud controllers such as Crossplane. In this talk, Rowan will demonstrate how infrastructure and security teams can use policy engines (Kyverno) to secure a model that uses Kubernetes native and hosted cloud controllers (such as Crossplane) to provision infrastructure. This model enables application teams to self-serve, whilst preventing the launch of insecure infrastructure and enforcing compliance and security requirements centrally. To ease adoption of the model, Rowan will open source an example library of policies integrated with OSCAL for commonly used services across AWS, enforcing controls aligned with NIST 800-53 in a manner that can be audited by compliance teams, and simplifying the developer experience by enabling the dynamic generation of cloud resources with secure defaults.
  • 3 participants
  • 41 minutes
security
controllers
infrastructures
plane
policies
hosted
kubernetes
provisioning
gcp
consultancy

2 Feb 2023

Beyond Cluster-Admin: Getting Started with Kubernetes Users and Permissions - Tiffany Jernigan, VMware

We've all done it: working on our Kubernetes clusters with "cluster-admin" access, the infamous equivalent of "root". It makes sense when we're just getting started and learning about Pods, Deployments, and Services and we're the only one accessing the clusters anyway; but soon enough, we have entire teams of devs and ops and CI/CD pipelines that require access to our precious clusters and namespaces. Are we going to YOLO and give them our admin certificate, token, or whatever else we use to authenticate? Hopefully not! In this talk, we're going to look at how to implement users and permissions on a new Kubernetes cluster. First, we'll review various ways to provision users, including certificates and tokens. We'll see examples showing how to provision users in both managed and self-hosted clusters, since the strategies tend to differ significantly. Then, we'll see how to leverage RBAC to give fine-grained permissions to these users. We'll put emphasis on repeatability, seeing each time how to script and/or generate YAML manifests to automate these tasks.
  • 2 participants
  • 33 minutes
kubernetes
authorization
permissions
issuer
user
authentication
hosted
provisioning
proxy
vmware

2 Feb 2023

Cloud Native Security 101: Building Blocks, Patterns and Best Practices - Rafik Harabi, Sysdig

Moving applications to the cloud promises agility, innovation and better time to market. On the other hand, securing cloud native applications is a multidimensional challenge involving different teams, workflows and different infrastructure and application layers. You may be disrupted by new acronyms such as CWPP, CSPM, KSPM, ... In this talk, we will explain those acronyms and dive into the foundation of cloud native security by discovering the different attack vectors and areas to protect. Then, we will expose common patterns, workflows and best practices to implement a continuous security practice to keep innovating without sacrificing security. Throughout the talk, we will detail the different teams/personas involved during the lifecycle of a cloud native application and the workflow to implement so they can work in tandem to deliver a best-in-class security platform. This talk will focus on patterns and best practices, with few tools mentioned.
  • 1 participant
  • 34 minutes
cloud
systic
provisioning
services
daemon
security
kubernetes
cwpp
hosted
container

2 Feb 2023

Cloud Native Security Landscape: Myths, Dragons, and Real Talk - Edd Wilder-James & Loris Degioanni, Sysdig; Kim Lewandowski, Chainguard; Isaac Hepworth, Google; Randall Degges, Snyk

The open source security landscape is moving fast, and affects you at all parts of the software lifecycle, from creating open source, to consuming it, to remedying vulnerabilities and detecting threats at runtime. The sheer number of moving parts represents great progress, but is challenging when it comes to knowing what to prioritize. Do you like GUAC with your SLSA? Are you equipped to handle the latest OSS vulnerabilities? This panel will discuss where you should pay attention, what's real now, and what's coming in the future. Topics will include:
  • From design-time to run-time: security is a multi-layer concern. All along the software development lifecycle, progress is being made in securing cloud-native; what are the most important projects to know about?
  • It's about the people, naturally: we're being told to "shift left" security focus to the developer, but are we ready for it? What are the challenges of connecting the security teams to developers and architects, and what really works?
  • What is real, what is myth? The field is full of hot takes, from grand ideas that won't take off, to draconian policies that throw the baby out with the bathwater. Where are the real risks, and how do you deal with the myths and the scares?
  • 7 participants
  • 39 minutes
security
discussion
gpt
developing
cloud
gartner
concerns
crowdsourced
modern
thinking

2 Feb 2023

Cryptographic Agility: Preparing Modern Apps for Quantum Safety and Beyond - Natalie Fisher, VMware

In 2012 the vulnerability HeartBleed was discovered, then patched in 2014. But because organizations were slow to respond, hackers managed to steal 4.5 million healthcare records. In 2019 over 200,000 systems were still unpatched. Why is it difficult to change or update these protocols? IT organizations are not aware of the encryption they are using, which applications are using it, or how it is used, and customers have no unified way to transition between cryptography standards and libraries or to manage cryptographic configuration and compliance. Recent advances in quantum computing and global government initiatives have prompted a new sense of urgency in migrating public key cryptography to quantum-safe standards. Modern and legacy apps alike will benefit from crypto agility schemes that leverage proxies, policy-driven configuration, and orchestrated management. The session will help prepare enterprises of every size for the cryptographic migration to come -- no matter where your apps are deployed.
  • 2 participants
  • 26 minutes

2 Feb 2023

Demystifying Zero-Trust for Cloud Native Technologies - Kishore Nadendla, TIAA; Mariusz SABATH, IBM Research; Asad Faizi, Eskala.io; Aradhna Chetal, CNCF Security TAG; Philip Griffiths, NetFoundry

A cloud-native platform is empowered by a connected world, but that same connectedness of software, assorted users, devices, distributed applications and services, and the supply chain of its software components also makes it susceptible to malicious activity. The continuously evolving complexity of current and emerging cloud, multi-cloud, hybrid cloud, and cloud-native network environments, combined with the rapidly escalating nature of adversary threats, has exposed the lack of effectiveness of traditional network cybersecurity defenses. Adopting the Zero-Trust methodology for cloud-native applications must be incorporated into and aligned with the Cloud Native Maturity Model. This panel discussion will focus on "Zero-Trust principles, concepts and implementation approach for cloud-native applications" for the organization's assets (1) users, (2) devices, (3) networking, (4) applications, and (5) data, across the following Zero Trust building blocks, and will provide implementation guidelines:
  • Identity - device and human
  • Policy - administration and enforcement
  • Continuous assessments - evaluations and monitoring
  • Always secure
  • 5 participants
  • 35 minutes

2 Feb 2023

Finding the Needles in a Haystack: Identifying Suspicious Behaviors with eBPF - Jeremy Cowan & Wasiq Muhammad, Amazon Web Services

As the popularity of Kubernetes has grown, so has its appeal as a target. In an increasingly hostile environment, the ability to quickly flag suspicious behaviors and to investigate and identify their source is becoming crucial. In this talk you will learn how AWS is using eBPF to identify a variety of security risks, e.g. communication with known command and control systems, Tor clients, cryptocurrency miners, and other malicious activity. You will also hear why AWS chose eBPF over other options and the lessons they learned along the way.
  • 2 participants
  • 39 minutes

2 Feb 2023

From Illuminating to Eliminating Crypto Jacking Techniques in Cloud Native - Mor Weinberger, Aqua Security

Ever since cryptomining emerged as a novel and promising digital currency technology, its evil twin cryptojacking has gained popularity and become a major type of attack. Threat actors consider this attack low-hanging fruit that lets them easily cash out, since compute power can be converted directly into digital coins. Moreover, defenders often mistakenly perceive this attack as a nuisance rather than as an attack that lets an adversary freely run remote code on your server. At first threat actors deployed cryptominers on unpatched servers and targeted browsers. Today attackers focus on cloud native, including exploiting containers, Kubernetes, CI/CD and SCM platforms. In this talk, we'll explore the key concepts and techniques related to the evolution of cryptomining and also explain how to proactively protect your environment with open-source tools and approaches that will help you strengthen your security, from static analysis up to runtime protection. Below are some of the topics we shall include:

  • Review of attacks, techniques and exploits
  • The main challenges threat actors face and overcome, how they maximize their gain and conceal their attacks
  • Finally, measures to mitigate and strengthen your environments
  • 1 participant
  • 29 minutes

2 Feb 2023

From the Cluster to the Cloud: Lateral Movements in Kubernetes - Yossi Weizman & Ram Pliskin, Microsoft

As K8s clusters usually reside in the cloud, access to a container in the cluster can be a foothold into the entire cloud workload. In this session, we'll present novel techniques used in recent real-world attacks which allowed adversaries to move laterally from a container in a K8s cluster to external cloud resources. We'll start with inner-cluster lateral movement: we'll talk about K8s RBAC configurations that unexpectedly allowed inner-cluster lateral movement and were the root cause of vulnerabilities in containerized apps, and we'll discuss how one can identify such activities with native K8s tools. We'll continue to cluster-to-cloud lateral movement. The key concept in this area is cluster-to-cloud authentication. We'll introduce the various authentication methods used by the major cloud providers: Azure, AWS and GCP. All of the methods fall into one of three buckets: direct or modified access to IMDS, using K8s as an OIDC identity provider, or storing credentials on the underlying nodes. Every authentication method comes with its default configuration, and many of those unknowingly grant excessive permissions. We'll present recent real-world incidents of cloud environment takeovers which originated in K8s clusters, and we'll explain how users can prevent and detect such activities.
  • 2 participants
  • 36 minutes

2 Feb 2023

Get Your Security Priorities Straight! How to Identify Workloads Under Real Threat with Context - Ben Hirschberg, ARMO & Arie Haenel, Intel

Is a privileged container a security threat? Should you spend time defining a pod so it can run with a read-only filesystem? These and similar questions are raised constantly by multiple authors and projects, and in most cases there is a good reason behind them. However, the difference between a potential threat and a real one is far from self-explanatory and depends heavily on the circumstances. This is where the answer lies, and we are presenting a security prioritization system for Kubernetes workloads that is based on the MITRE framework and its categorization. This system is built upon data aggregated from a high volume of security controls covering multiple projects, structured in a way that makes it easy to find contextual information about different problems. We are going to present the algorithm behind the prioritization engine, which is able to calculate a security exposure score for a diversity of Kubernetes workloads. We will then review the results based on real production clusters and how they fare against real security analysis, enabling anyone to differentiate between actual threats that should be mitigated quickly and those we can be less concerned about.
  • 2 participants
  • 27 minutes

2 Feb 2023

How Do You Trust Your Open Source Software? - Naveen Srinivasan, Endor Labs & Brian Russell, Google

Open source demand continues to explode, yet the processes used to run, test, and maintain these projects are largely opaque. This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about using and maintaining open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecards. Most software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn't it be nice to get a score of the dependency's health? Enter OSSF https://github.com/ossf Scorecard https://securityscorecards.dev. By attending this session, you will learn how to trust an open source project based on Scorecard results. Additionally, you will learn how to automate Scorecards by incorporating them into your development toolchain (just add an API call!). Using this knowledge, you'll be able to build a simple dependency policy for your open-source dependencies. The difference between our last presentation and now is the new API capabilities of Scorecard, which can be utilized to scale.
  • 3 participants
  • 27 minutes

2 Feb 2023

How to Secure Your Supply Chain at Scale - Hemil Kadakia & Yonghe Zhao, Yahoo

In this session we will present a high-level system that protects against attacks — like unauthorized access, exploiting known vulnerabilities, injecting malicious software — by integrating open source tools such as Grafeas, Sigstore, Screwdriver, Kyverno & Anchore. In short, it provides a unified solution for securing various aspects of the software supply chain. As one of the top ten visited websites on the Internet, Yahoo's massive scale across hybrid cloud and mobile platforms makes the security of our brands paramount — especially in today's evolving software supply chain landscape. This talk will deep dive into our primary use cases of source code scanning, security misconfiguration detection, vulnerability management, and protecting K8s deployments using dynamic policies. Attendees will leave with a framework for successfully managing the same tools Yahoo uses to simplify the developer experience.
  • 4 participants
  • 40 minutes

2 Feb 2023

Identity Based Segmentation for a ZTA - Zack Butcher, Tetrate & Ramaswamy Chandramouli, National Institute of Standards and Technology

Zero Trust is all about replacing implicit trust based on the network -- traditional perimeter security and an "access is authorization" model -- with explicit trust based on identity and runtime authorization. This means applications must authenticate and authorize service-to-service communication in addition to end users. This gives rise to patterns like identity-aware proxies and the service mesh for enforcing access. We'll discuss a quick-and-easy definition for what a "zero trust architecture" is, and discuss how a common use case -- application communication from cloud to prem through a DMZ -- can be simplified with identity-aware proxies (and policy!), leading to organizational agility.
  • 4 participants
  • 38 minutes

2 Feb 2023

Improving Secure Pod-to-Pod Communication Within Kubernetes Using Trust Bundles - Thomas Edward Hahn, TCB Technologies, Inc & Mark Hahn, Qualys

New features are being added to Kubernetes which allow roots of trust to be specified for applications on a cluster. These mechanisms are being added as "trust bundles" (or trust anchor sets). We demonstrate the updates to our previous work in creating convenient mechanisms to provide certificates to every pod, allow pods to access them, and use them for mutual authentication. Our work leverages work being done by the cert-manager project, the SPIFFE project and KEP-3257 for trust anchor sets to automate the creation of TLS certificates for every pod and establish patterns for mTLS. Finally, we compare and contrast this with current methods for providing cluster communication security (service meshes) and present areas for refinement. This is a significant rework of our previous presentation and software to work with changes to the Kubernetes ecosystem as the concepts have been refined and evolved.
  • 4 participants
  • 38 minutes

2 Feb 2023

Keynote: Fighting The Next War - Future Threats to OSS and Software Supply Chain Security - Brian Behlendorf, Managing Director, Open Source Security Foundation

Buffer overflows, typo-squatting, leaked credentials - many of the biggest problems in securing software today are the same greatest hits since the 1990s. More or less once a year we see a novel kind of security attack, taking advantage of some new centralized service, a weakness we incorrectly assumed could not be exploited, or a new IT advancement that changes everything. As a keynote speech given at a 2023 Q1 conference, we are now legally required to mention ChatGPT, but ignoring the hype, the prospect of AI enabling uncanny spear phishing or automating mass pull requests with backdoors seems much less sci-fi today than it would have a year ago. What other new kinds of attacks could emerge, and what should OSS projects do to prepare?
  • 1 participant
  • 17 minutes

2 Feb 2023

Keynote: Learn by Hacking: How to Run a 2,500 Node Kubernetes CTF - Andrew Martin, CEO, ControlPlane & Andrés Vega, VP of Operations, ControlPlane

TAG Security has run a CTF at Cloud Native Security events since 2020, but with a twist: instead of dastardly black hat hackers duelling for the title of Ultimate Kuberninja, we've focused on helping everybody to hack, teaching approachable security principles to increase the industry's level of cloud native security expertise in novel and engaging ways. In this talk, Andrés and Andy detail their learnings, techniques, and often last-minute fixes needed to run Kubernetes CTFs with thousands of nodes, hundreds of cloud native hackers, and buckets of coffee. During these distributed orchestration challenges the events have seen servers burned, scenarios shredded, and authentication bypassed in all sorts of nefarious ways by the willing and able players of the game. In this talk we detail our experience and discuss:
  • How to build a tumultuous and exciting CTF challenge
  • Why hands-on practice is the best way to ingrain security concepts
  • When automating a chaotic cluster pipeline doesn't scale
  • Why points don't always win prizes
  • And how sharing knowledge helps us grow together
  • 2 participants
  • 13 minutes

2 Feb 2023

Keynote: Picture this! Solving Security Problems Visually with eBPF - Liz Rice, Chief Open Source Officer, Isovalent

eBPF is a wonderful platform for the next generation of security tools, but there can be a big gap between detailed events at the kernel level and meaningful, understandable information that security and platform teams can act on. Let's look at some examples of graphs and visualizations that aggregate information collected through eBPF and that can help us answer security-relevant questions much more easily than wading through logs.
  • 1 participant
  • 11 minutes

2 Feb 2023

Keynote: Welcome + Opening Remarks - Priyanka Sharma, Executive Director, Cloud Native Computing Foundation
  • 2 participants
  • 17 minutes

2 Feb 2023

Let’s Talk Software Supply Chains with TAG Security - Michael Lieberman, Kusari

The supply chain security working group has been working to provide guidance and resources for projects looking to improve their supply chain security. In this talk, we will discuss the outputs of this working group, including the Software Supply Chain Security Whitepaper, catalog of supply chain compromises, and our reference architecture for a secure supply chain. We will also discuss our recent survey about supply chain security, and have interactive discussions about next steps for this working group. Bring your questions and ideas about supply chain security!
  • 1 participant
  • 25 minutes

2 Feb 2023

Lightning Talk: Cloud(Security)Events -- A Lightweight Framework for Security Reactions - Evan Anderson, VMware

With many different sources of security information, making sense of it all can be daunting. CloudEvents is a lightweight standard for recording and routing event information of all types which is easy to extend and supported by a variety of existing tools. In this presentation, Evan will illustrate how CloudEvents can help tie many different security tools together, from proactive supply chain vulnerability notifications to real-time monitoring and reactive data collection. In less than 5 minutes, we’ll show how CloudEvents is useful as a storage format, a data interchange, and as a mechanism for triggering serverless functions to drive remediation of detected issues. In the end, you’ll discover that CloudEvents is not difficult or mysterious, but a helpful tool in the security toolbox for cloud-native practitioners.
  • 1 participant
  • 6 minutes

2 Feb 2023

More Than Just a Pretty Penny! Why You Need Cybersecurity in Your Culture - Callan Andreacchi & Michaela Flatau, Defense Unicorns

Data breaches, ransomware, and spear phishing, oh my! When cybersecurity attacks aren’t addressed properly, it can result in a loss of trust between companies and their customers. This can have a negative impact on the brand, revenue, and even customer loyalty. Humans will always be a part of cybersecurity and humans are bound to make mistakes. It’s not enough to educate your employees, you must empower your employees to not only identify social engineering tactics, but also admit and own their mistakes. When employees feel a personal connection to the company’s cybersecurity, the likelihood of a cyberattack decreases. Join Callan and Michaela to learn about how to integrate cybersecurity into the very fabric of your workplace culture, leading to identifying potential risks faster and in turn, resolving those risks quickly.
  • 5 participants
  • 29 minutes

2 Feb 2023

Network Security at Scale: L3 Through L7 at Splunk - Mitch Connors, Aviatrix & Bernard Van De Walle, Splunk

What does it take to securely connect dozens of clusters across multiple cloud providers at Splunk scale, while not disrupting the agility that is required to compete in the modern marketplace? How do you balance security at L3 and L4 with the flexibility and identity needs of L7? Join us to explore Splunk’s networking stack, starting at multi-cloud VPCs for L3, and Istio for L4 and L7. We’ll also discuss how some of the pain points in this architecture are driving the new Istio Ambient design.
  • 2 participants
  • 31 minutes

2 Feb 2023

OmniBOR: Bringing the Receipts for Supply Chain Security - Frederick Kautz, SPIFFE/SPIRE

Supply chain requirements got you down? Getting an endless array of false positives from your 'SBOM scanners'? Spending more of your time proving you don't have a 'false positive' from your scanners than fixing real vulnerabilities in your code? There has to be a better way. There is. Come hear from Aeva and Ed about a new way to capture the full artifact dependency graph of your software, not as a 'scan' after the fact, but as an output of your build tools themselves. Find out when this feature is coming to a build tool near you.
  • 1 participant
  • 31 minutes

2 Feb 2023

On Establishing a Production Zero Trust Architecture - Frederick Kautz, SPIFFE/SPIRE

Join Frederick Kautz in developing a sound strategy for a Zero Trust Architecture. We will start by developing a working definition of Zero Trust for inclusion in your organization's security policies, standards, and procedures. We'll then learn how to use various CNCF and other open source technologies to achieve this. The initial focus will be on cryptographic identities for workloads. We will then discuss defining controls that implement your organization's security policies. DevOps/DevSecOps organizational requirements must also be defined, including automation of the application and observability requirements to help your Security Operations Center know the health of your system and respond to threats. We will then discuss how to onboard legacy systems into your Zero Trust environment. Finally, we will have a short discussion on changing your organization's culture to adopt these technologies without bulldozing the valid concerns of your security experts or application architects.
  • 1 participant
  • 39 minutes

2 Feb 2023

Package Transparency for WebAssembly Registries - Kyle Brown, SingleStore

WebAssembly (Wasm) is a significant advancement in the portability and security of code, but for Wasm to be useful we need a way to publish and distribute it. This presents a unique opportunity to correspondingly advance the state of the art in supply chain security. That's why the Bytecode Alliance, a Wasm-focused non-profit, is developing a new registry protocol for Wasm packages, with security at the center, called warg. Warg is designed to offer "Package Transparency" by building on verifiable data structures from the field of Certificate Transparency. This means that the entire state of a registry can be validated by monitors and replicated by mirrors, and that operator compromise can easily be detected. Come attend the talk to learn more about it from two Registry SIG members and implementers!
  • 2 participants
  • 34 minutes

2 Feb 2023

Securing Diverse Supply Chains Across Interconnected Systems - Wayne Starr, Defense Unicorns & Aaron Creel, SpaceX

Working within large software systems can make it difficult to determine the full scope of software, libraries and tooling contained within a diverse set of components, often maintained across separate teams and departments. Security teams must become familiar with a wide range of packaging technologies and practices, and often manually aggregate information to make determinations on where vulnerabilities may be present and how to mitigate them. In this talk, we will share how SpaceX is solving this through a layered application of Syft, Grype, and OWASP Dependency Check as Software Bill of Materials (SBOM) and vulnerability discovery tools integrated into their software development process and continuous integration pipelines. This integration has allowed them to reduce the cycle time for developers to respond to potential vulnerabilities, and allowed them to more efficiently prioritize how developers work across projects.
  • 2 participants
  • 21 minutes

2 Feb 2023

Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller - Natalie Somersall, GitHub

Self-hosted GitHub Actions runners and Kubernetes are a natural fit, but there's not a lot of guidance on how to put the two together. The leading solution is actions-runner-controller, an open-source community project which provides a controller for autoscaling, ephemeral, and version-controlled compute. It does not, unfortunately, show how to design and deploy it securely. Natalie leverages her experience building, securing, and advising others in regulated environments to highlight key places where security can be compromised unwittingly. Natalie will give an overview of typical deployment architectures, then cover 3 distinct places where security risk and ease of use collide, with insight and resources for navigating these design choices. First, the cluster settings are examined to show methods to limit the "blast radius" of a potential bad actor and to provide insight into the why and how of using privileged pods. Next, the controller settings are reviewed for how to scope runner deployments and grant permissions within GitHub to provide least privilege. Lastly, the runner pod is taken apart to show how to build supply chain security into the image and the software it builds for you.
  • 2 participants
  • 41 minutes
kubernetes
github
git
repos
securely
deployments
pushing
controversial
apps
docker

2 Feb 2023

Securing User to Service Access in Kubernetes - Maya Kaczorowski & Maisem Ali, Tailscale

Kubernetes makes it easy to run and scale your microservices, and Kubernetes automatically assigns the pods running your service an IP address and a DNS name for discovery and routing. Network security concerns for Kubernetes, however, seem to focus on user access to the control plane, using a bastion, or on service-to-service communication within a cluster, using a service mesh. So how should your development team secure access to the internal services you're running on Kubernetes? Is it enough to just use Kubernetes Ingress and a web proxy? In this talk, we'll focus on the networking and security questions you should consider when exposing Kubernetes services to your users, including authentication and authorization, load balancing, traffic filtering, and encryption. We'll discuss different options you have for managing access to these services, using Kubernetes Ingress, Kubernetes load balancer objects, service meshes, web proxies, IPsec, and WireGuard. You'll come away with a better understanding of how to give service access to users, and how these complement other network solutions you might already have in your cluster.
  • 3 participants
  • 40 minutes
kubernetes
protocol
firewall
router
security
vpn
services
servers
accessing
ddos

2 Feb 2023

Security Does Not Need to Be Fun: Ignoring OWASP to Have a Terrible Time - Dwayne McDaniel, GitGuardian

Everyone loves getting security exactly right, every time, for their applications. Identifying issues and possible gaps early in the design phase makes implementing security best practices a breeze. No doubt you have been working safely, employing checklists and testing throughout the code delivery process. As hard as it might be to imagine, some teams are actively struggling with security throughout the SDLC. For folks who might not have security completely honed, it can be overwhelming to even know how to start thinking about security for your web applications. Fortunately, there is an awesome nonprofit community of security-focused professionals who have done a lot of work making it straightforward to correctly design and implement secure apps: the Open Web Application Security Project, aka OWASP! This talk will guide you through various tools OWASP makes freely available to test your application and make sure your apps stay secure.
  • 1 participant
  • 27 minutes
security
threats
concern
talk
alarms
guardian
whatnot
cloud
come
transitioning

2 Feb 2023

Security as Code: A DevSecOps Approach - Xavier René-Corail, GitHub

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that is free for open source that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline. Finally, we share the lessons learnt from offering security advice to 6 open source projects that have joined our free office hours.
  • 2 participants
  • 37 minutes
security
secure
github
vulnerabilities
reputable
codequel
software
remotely
maintainers
community

2 Feb 2023

So You Want to Run Your Own Sigstore: Recommendations for a Secure Setup - Hayden Blauzvern, Google

Sigstore, an open-source standard for signing and verifying artifacts, offers free-to-use services that provide identity-based certificates and auditable signatures through a transparency log. These services work well for FOSS, giving maintainers the tooling needed to create signed builds. However, enterprise organizations may have additional needs that are not addressed by the public instances. These could include availability requirements such as regionalization, data residency requirements, privacy concerns with a public log, or the need for policy controls on admitting entries into a log. This talk will discuss motivations for operating private Sigstore services and the expectations placed on their operators. The talk will discuss differences in threat modeling between public and private instances. Finally, the talk will cover the requirements for operating private instances, including operating a root trust store and the necessary security properties of a private certificate authority and transparency log.
  • 1 participant
  • 33 minutes
sigstore
securely
issuer
sixstore
openssf
verified
https
signing
blockchain
key

2 Feb 2023

Sponsored Keynote: Cloud Security’s Hidden Force: Threat Detection - Loris Degioanni, Founder and CTO, Sysdig

Threats to containers and cloud services are growing. All it takes is a vulnerable dependency, or a configuration mistake, and the entire environment is compromised. Guarding against every unknown is impossible: that’s why providing security teams with solid visibility of threats, and a path for responding to them, is so important. Threat detection is a powerful opportunity for the cloud native security community. Together, we can defend against vulnerabilities that security teams haven’t yet addressed.

In this keynote, Loris Degioanni, Founder and CTO of Sysdig, will talk about why your last line of defense is just as important as your first (and likely more so).
  • 1 participant
  • 5 minutes
security
microservices
deploying
vulnerability
centralizing
kubernetes
manage
trends
cloud
infrastructures

2 Feb 2023

Sponsored Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline - Saurabh Wadhwa, Senior Solutions Engineer, Uptycs

Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services.

When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target.

This session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:

  • Why developer laptops are often an entry point for attackers, now more than ever
  • How to gather real-time "device integrity" or security hygiene checks for zero-trust access
  • How to audit for malicious Chrome extensions or vulnerable software packages
  • How to tie together identity and GitHub activity on the laptop with CI/CD actions
  • 1 participant
  • 6 minutes
security
developer
attacker
vulnerable
exploit
openshift
systems
happens
workloads
container

2 Feb 2023

Standardization and Security - A Perfect Match - Ravi Devineni & Vinny Carpenter, Northwestern Mutual

How often have you scrolled through Netflix and had trouble finding something to watch? Or found yourself standing, staring at a kaleidoscope of ice cream flavors at the grocery store? Choice is a luxury. We all prefer to have more options, not fewer. This is why ample choice is often considered a symbol of privilege. However, there comes a point when too many choices can start to hinder our decision-making ability. Too many choices can also hinder our security posture. At Northwestern Mutual, we've had multiple tools (choices): multiple systems for source code, build, artifact storage, deployment, etc. Furthermore, we had various patterns of development and templates, with teams left with the choice to pick "what's best for them." All the evidence indicated that all this choice was causing the teams to feel overwhelmed, creating inefficiency and increasing our time to market: a paradox of choice. A paradox of choice with an overabundance of options can lead to anxiety, dissatisfaction, and many ways to exploit systems. So we decided to tackle this. There are several technical, cultural, and organizational implications to this. Join us as we share the story of how Northwestern Mutual improved our cloud security posture through standardization.
  • 3 participants
  • 35 minutes
standardization
complexity
centralized
governance
security
collaboration
companies
planning
introduce
talks

2 Feb 2023

Unpacking Open Source Security in Public Repos & Registries - Ben Hirschberg, ARMO

The container ecosystem has exploded in the decade since it was introduced, with containers becoming the backbone of the way we package, deploy, orchestrate, schedule, and operate our production applications. It's no surprise, then, that so many public-facing resources have popped up over the years, both complementary open source projects and public registries that aggregate commonly used container images. In this talk we will unveil data from first-of-its-kind research conducted by scanning the most popular and widely adopted open source projects (from Grafana to Prometheus, Lens, Helm, ArgoCD, and others) and the public registries from which we pull our base images (DockerHub, Quay, GCR, and ECR). We will share how these public-facing resources, leveraged by practically all developers, stack up against common compliance frameworks (CIS, MITRE ATT&CK®, NIST, NSA-CISA), the most common misconfigurations, and the prevalence of well-known CVEs (through a Log4J example), with a look at the stats and hard numbers, and any other red flags you need to be aware of when leveraging public resources. We will wrap up with a risk analysis and scoring of the resources, highlight the risks to pay attention to, and provide some best practices to keep your systems and ops safe in this evolving security landscape.
  • 1 participant
  • 34 minutes
security
armor
kubernetes
armo
deployments
protocol
centos
readiness
private
cto

2 Feb 2023

Verifiable GitHub Actions with eBPF - Jose Donizetti & Itay Shakury, Aqua Security

GitHub Actions has been one of the most popular ways to build and release software, and with recent developments in supply chain security it has become a major target for malicious attacks. A couple of years ago a widespread hack of Codecov, a popular service prevalent in build pipelines, caught the industry's attention. In response, a new solution to protect the build pipeline was created on top of Tracee, an OSS runtime security solution, and introduced the concept of profiling builds with eBPF and verifying software builds against that profile. In this talk we will present that solution and explore the lessons learned in the two years since the initial release.
  • 1 participant
  • 40 minutes
security
vulnerable
suspicious
monitored
github
execution
happen
random
intuitive
hosts

2 Feb 2023

What's a Zero-Trust Tunnel? Exploring Security and Simpler Operations with Istio Ambient Mesh - Jim Barton & Marino Wijay, Solo.io

One of the most common drivers for service mesh adoption is security compliance. Large enterprises in heavily regulated industries or the public sector must adopt practices like a zero-trust security posture both inside and at the edge of their application networks. Service mesh platforms like CNCF's Istio project are growing in popularity as a vehicle for meeting these challenges. In September 2022, Google and Solo.io announced the release of Istio Ambient Mesh to the community. Ambient offers a revolutionary data-plane architecture that allows service mesh users to ditch sidecars. It delivers an enhanced security posture while slashing operational complexity and enabling incremental mesh adoption, all while reducing cost and computational overhead within a service mesh. This talk will review the new sidecar-less architectural option available with Ambient. We'll discuss the two new complementary layers: a zero-trust tunnel (ztunnel) that secures Layer 4 connectivity, and a waypoint proxy that delivers Layer 7 security policies and behaviors. A demonstration will illustrate how these new components work together in practice.
  • 3 participants
  • 37 minutes
ambient
mesh
cloud
io
sidecar
server
virtual
gateway
intermediary
kubernetes

2 Feb 2023

Who Are You? I Really Want to Know… the Magic Behind OIDC - Eddie Zaneski, Chainguard

OpenID Connect, or OIDC, is a mechanism for identity authentication. It is built on top of OAuth 2.0 and is used to establish and verify the identity of a user or service. OIDC is used throughout the cloud native world for workload identity federation. This allows your CI pipeline to obtain an API token for your cloud provider without the need to provision long-lived secrets. In this talk, you will learn the ins and outs of how OIDC works. You'll understand the spec and how you can use machine identities to secure your workloads. You'll also see examples of what's possible with OIDC from open source projects like Kubernetes, SPIFFE/SPIRE, and Sigstore.
  • 1 participant
  • 34 minutes
authentication
authorization
issuer
security
oauth
credentials
githubuser
disclaimer
gcp
crypto

2 Feb 2023

Yes, Application Security Leads to Better Business Value. Learn How from Experts. - Larry Carvalho, RobustCloud; Hillary Benson, Gitlab; Kirsten Newcomer, Red Hat; David Zendzian, VMware

Cloud native technologies give organizations a much better toolset to gain the agility to meet business challenges. According to a CNCF survey, security is one of the top three challenges in migrating to cloud native architectures. Inadequate confidence in security leads to fewer innovative solutions. DevSecOps and Shift Left are security practices that ensure vulnerabilities are found much earlier in a development process, improving confidence to deploy cloud native applications. Larry Carvalho, Principal Consultant at RobustCloud, will moderate this session. Hillary Benson, from Gitlab, will highlight how cloud native technologies, paired with the right strategy and toolset, present an outsized opportunity to reduce unnecessary security risk drastically. Kirsten Newcomer, from Red Hat, will share how to holistically secure your platform and application and enable teams to build secure pipelines with security controls as close to the developer as they wish. David Zendzian, from VMware, will discuss how shifting left security outcomes can only partially translate into building new skills for the developer community. In this session, you will hear examples of companies using application security practices to reduce the risk of non-compliance and deliver innovative solutions.
  • 5 participants
  • 44 minutes
security
vmware
panelists
stakeholders
startups
session
policies
deploying
firewall
gitlab

2 Feb 2023

Zero Trust Workload Identity in Kubernetes - Michael Peters, Red Hat

Zero Trust principles prescribe that no interactions between services are to be done with any implicit trust. Most current solutions for explicit authorization involve passwords or secret keys, but it's almost impossible to count the number of security breaches that happen because service passwords or keys are improperly stored, not rotated frequently enough, or exposed during rollouts. Every new service added has the potential to exponentially complicate how we secure and deploy those secrets. But what if there was a simpler solution? What if we didn't need those secrets at all? What if the authorization was tied to the workload's identity itself? This is the goal of SPIFFE (the spec) and SPIRE (the implementation). In this talk we'll show how to implement a Zero Trust system that uses workload identity across a service mesh in Kubernetes to provide explicit authorization between services. We'll explore centralized policy enforcement between those services as well as integrations with up-and-coming projects like Keylime (for identity tied to hardware attestation) and Sigstore (for identity during software builds).
  • 1 participant
  • 37 minutes
trust
kubernetes
security
encryption
vpn
identity
compromised
keyless
pki
zero