2023-02-01 ~ 2023-02-02

Presentations (with video): 87 (67)

CloudNativeSecurityCon is a two-day event designed to foster collaboration, discussion and knowledge sharing of cloud native security projects and how to best use these to address security challenges and opportunities. The goal is not just to propose solutions that incrementally improve what has come before, but to give room to breakthrough technology and advances in modern security approaches. Topics of sessions and lightning talks presented by expert practitioners include architecture and policy, secure software development, supply chain security, identity and access, forensics, and more.

Sort by:  

Authors: Jim Barton, Marino Wijay

One of the most common drivers for service mesh adoption is security compliance. Large enterprises in heavily regulated industries or the public sector must adopt practices like a zero-trust security posture both inside and at the edge of its application networks. Service mesh platforms like CNCF's Istio project are growing in popularity as a vehicle for meeting these challenges. In September 2022, Google and Solo.io announced the release of Istio Ambient Mesh to the community. Ambient offers a revolutionary data-plane architecture that allows service mesh users to ditch sidecars. It delivers an enhanced security posture while slashing operational complexity and enabling incremental mesh adoption, all while reducing cost and computational overhead within a service mesh. This talk will review the new sidecar-less architectural option available with Ambient. We'll discuss the two new complementary layers: a zero-trust tunnel (ztunnel) that secures Layer 4 connectivity, and a waypoint proxy that delivers Layer 7 security policies and behaviors. A demonstration will illustrate how these new components work together in practice.
Authors: Mor Weinberger

Ever since cryptomining had emerged as a novel promising digital currency technology, its evil twin cryptojacking has gained popularity and become a major type of attack. Threat actors consider this attack as a low hanging fruit which allows them to easily cash out their attack, since one can easily convert compute power into digital coins. Moreover, defenders often mistakenly perceive this attack as a noisiness rather than an attack that allows to freely run remote code on your server. At first threat actors deployed cryptominers on unpatched servers and targeted browsers. Today attackers focus on the cloud native, including exploiting containers, Kubernetes, CI/CD and SCM platforms. In this Talk, we’ll explore the key concepts and techniques related to the evolvement of cryptomining and also explain on how to proactively protect your environment with open-source tools and approaches that will help you strengthen your security starting from static analysis and up to runtime protection. Below are some of the topics we shell include:Reviewing of attacks, techniques & exploits. The main challenges threat actors face and overcome, how they maximize their gain and conceal their attacks Finally, we will present measures to mitigate and strengthen your environments
Authors: Liz Rice

Authors: Kevin Hoffman

Securing code running in the cloud has been a difficult problem to solve since before we called it "the cloud". With the advent of WebAssembly, we can leverage the intrinsic security and sandbox isolation offered by WebAssembly modules. Then we can layer on top cryptographic signatures and the verifiable capability model from wasmCloud to deploy secure, untrusted code and have total confidence in the security of applications built this way. In this session, we'll take a look at how WebAssembly itself adds multiple levels of security to traditional cloud computing with containers and microservices. Then we'll cover demonstrations of multiple levels of security enabled by wasmCloud.
Authors: Nick Young

The Kubernetes security model is very reliant on namespacing for enclosing trust boundaries. But what happens when an resource or set of resources need to cross those trust boundaries? How can we be confident that both parties in cross-namespace communications agree to the relationship between objects? In the SIG-Network Gateway API subproject, we've found that this is a little tricky. The answer is that both parties have to agree. The owner of the resources in the target namespace has to agree to someone outside their control accessing their stuff, and the resource that wants to refer to that stuff has to explicitly ask. Come and learn about the solution the Gateway API subproject of SIG-Network has put in place, the ReferenceGrant resource, how it works, and how it can be used to ensure that a cross-namespace reference is agreed to by both parties. We've also used variants of the same approach in other parts of the Gateway API, and this talk will explain those as well. You will come away with some knowledge both of the ReferenceGrant resource, the history behind it, and how it fits into the Gateway API.
Authors: Evan Anderson

Kubernetes is famously a “platform for building platforms”. In this talk, we will un-pack the primitives Kubernetes provides for enabling microservices to securely communicate with each other without relying on a service mesh. Together, we’ll explore how technologies like NetworkPolicy, token projection, API gateways, cert-manager, and language runtimes play poorly or nicely together. We’ll cover authentication options, encryption, rate limiting, multi-tenant infrastructur eservices, and the interplay between L4 and L7 features with an eye on compliance as well developer ease of use. Drawing on his experience as Knative Security Working Group lead and background solving application runtime challenges on Kubernetes, Evan will teach participants about how to build without a service mesh, as well as a deeper understanding of the value that service meshes provide.
Authors: Arun M. Krishnakumar

Suppose there is a sysadmin who owns a few dozen Kubernetes Clusters. They have access to the VMs of the cluster. They also naturally have access to the admin KUBECONFIG files to each of the clusters. Suppose they quit and make a copy of these KUBECONFIG files. If the api-server of any of the clusters is accessible, there is a serious problem. Suppose there is a non-admin KUBECONFIG user and suppose they quit or change teams. We have a similar requirement of removing access to the cluster for that user as well. These are real world problems that are faced by customers who want us to provide guidance and best practices in this matter. Ideally we would like to revoke access to these users with minimal interruption to the cluster. In this talk we will discuss the problem of revoking access to clusters in general at both the admin level, and at the user level. This will include removal of access to resources of interest and the parts of the certificate chain-of-trust that need to be changed. We will discuss how our customers can make use of these schemes and cleanly remove users from the cluster. We will also discuss pre-requisites for setting up a cluster that is amenable to the solution, general gaps in our current implementation and in the general Kubernetes ecosystem as well.
Authors: Shane Lawrence

tldr - powered by Generative AI

Lessons learned from a critical OpenSSL vulnerability and how to prepare for and respond to supply chain threats
  • In October, OpenSSL team found a critical vulnerability in an open source library used by millions
  • The panic and distraction caused by the vulnerability arguably cost more than an exploit could have
  • Suggestions for implementing strong security programs that allow rapid evaluation and response to supply chain threats
  • Lessons learned from the experience of dealing with a critical vulnerability
Authors: Wayne Starr, Aaron Creel

tldr - powered by Generative AI

SpaceX is using Syft, Grype, and OWASP Dependency Check as Software Bill of Materials (SBOM) and vulnerability discovery tools integrated into their software development process and continuous integration pipelines to secure diverse supply chains across interconnected systems.
  • SpaceX is launching a rocket a week and putting thousands of satellites into space, which requires a secure software development process
  • The government process is slow and manual, so SpaceX is bridging the gap by implementing an automated process
  • SpaceX is using Syft, Grype, and OWASP Dependency Check as SBOM and vulnerability discovery tools to reduce the cycle time for developers to respond to potential vulnerabilities
  • The integration of these tools has allowed SpaceX to more efficiently prioritize how developers work across projects
Authors: Brandon Mitchell

tldr - powered by Generative AI

The presentation discusses the challenges faced in modifying immutable container images and the solutions that were proposed and implemented.
  • The challenge was to modify immutable container images to include additional data such as S-bombs and signatures
  • Multiple solutions were proposed including creating a new artifact manifest, extending an existing manifest, and using a hierarchical pointing system
  • The immutability of container images is achieved through a Merkle tree structure and content addressability
  • Multi-platform images have their own manifest of manifests with platform-specific descriptors
  • The presentation emphasizes the importance of efficiency and avoiding unnecessary API calls