2023-02-01 ~ 2023-02-02

Presentations (with video): 87 (67)

CloudNativeSecurityCon is a two-day event designed to foster collaboration, discussion and knowledge sharing of cloud native security projects and how to best use these to address security challenges and opportunities. The goal is not just to propose solutions that incrementally improve what has come before, but to give room to breakthrough technology and advances in modern security approaches. Topics of sessions and lightning talks presented by expert practitioners include architecture and policy, secure software development, supply chain security, identity and access, forensics, and more.

Authors: Saurabh Wadhwa

tldr - powered by Generative AI

The presentation discusses the importance of securing developer laptops in order to secure the entire CI/CD pipeline. It highlights the vulnerabilities and security gaps in the traditional pipeline and emphasizes the need for correlating data across the pipeline. The presentation also provides solutions for securing developer laptops and enabling developers through good security practices.
  • The traditional CI/CD pipeline has data silos and security gaps that create vulnerabilities for attackers to exploit.
  • Correlating data across the pipeline is crucial for securing the entire pipeline.
  • Developer laptops are a high-value asset and often an entry point for attackers.
  • Auditing for vulnerable software packages and malicious Chrome extensions, dynamic trust scores for zero-trust access, and detecting and protecting against malicious behavior are some of the solutions for securing developer laptops.
  • Good security practices can enable developers to work from untrusted or lightly secured home networks around the world.
  • Security should enable development teams and break down roadblocks.
Authors: Fei Huang

tldr - powered by Generative AI

Kubernetes is an ideal platform for enforcing zero trust security in cloud native deployments.
  • Zero trust security is critical for securing Kubernetes environments.
  • Kubernetes allows for proactive security measures through the use of security manifests and policies.
  • Multi-cluster federation and security management are necessary for managing and scaling security in complex cloud environments.
  • Zero trust runtime protection with security automation is necessary for mission-critical applications.
  • Compliance requirements can be met through the use of a layer 7 container firewall with WAF and DLP enabled.
Authors: Brandon Mitchell

tldr - powered by Generative AI

The presentation discusses the challenges faced in modifying immutable container images and the solutions that were proposed and implemented.
  • The challenge was to modify immutable container images to include additional data such as SBOMs and signatures
  • Multiple solutions were proposed including creating a new artifact manifest, extending an existing manifest, and using a hierarchical pointing system
  • The immutability of container images is achieved through a Merkle tree structure and content addressability
  • Multi-platform images have their own manifest of manifests with platform-specific descriptors
  • The presentation emphasizes the importance of efficiency and avoiding unnecessary API calls
Authors: Priyanka Sharma

Authors: Loris Degioanni

Threats to containers and cloud services are growing. All it takes is a vulnerable dependency, or a configuration mistake, and the entire environment is compromised. Guarding against every unknown is impossible: that’s why providing security teams with solid visibility of threats, and a path for responding to them, is so important. Threat detection is a powerful opportunity for the cloud native security community. Together, we can defend against vulnerabilities that security teams haven’t yet addressed. In this keynote, Loris Degioanni, Founder and CTO of Sysdig, will talk about why your last line of defense is just as important as your first (and likely more so).
Authors: Liz Rice

tldr - powered by Generative AI

The power of using visualizations to solve security problems with eBPF
  • eBPF is a platform for building network observability and security tooling
  • Visualizations can help us answer security-relevant questions more easily than wading through logs
  • Cilium's Hubble component generates network flow logs that are collected by eBPF programs and can be visualized to understand network traffic
  • Prometheus metrics generated by Hubble can be used to understand network policy verdicts
  • eBPF tools can generate rich contextualized events in the form of logs and metrics that can be visualized to solve real security problems
Authors: Natalie Fisher

tldr - powered by Generative AI

The presentation discusses the importance of cryptography in cybersecurity and the need for a crypto agile framework to manage it efficiently. It also highlights the challenges in implementing new cryptography and the need for involvement from all stakeholders.
  • Cryptography is essential in securing online transactions and IoT devices
  • The implementation of cryptography needs to be managed efficiently through a crypto agile framework
  • All stakeholders, including developers, IT infrastructure teams, and infosec teams, need to be involved in the process
  • The future landscape of cryptography will be independent of the app lifecycle, making it easier to manage and transition to new algorithms and standards
  • Implementation flaws and the threat of quantum computing make it crucial to be cryptographically agile
Authors: Ramaswamy Chandramouli, Zack Butcher

Zero Trust is all about replacing implicit trust based on the network -- traditional perimeter security and an "access is authorization" model -- with explicit trust based on identity and runtime authorization. This means applications must authenticate and authorize service communication in addition to end users. This gives rise to patterns like identity aware proxies and the service mesh for enforcing access. We'll discuss a quick-and-easy definition for what a "zero trust architecture" is and discuss how a common use case -- application communication from cloud to prem through a DMZ -- can be simplified with identity aware proxies (and policy!), leading to organizational agility.
Authors: Mitch Connors, Bernard Van De Walle

What does it take to securely connect dozens of clusters across multiple cloud providers at Splunk scale, while not disrupting the agility that is required to compete in the modern marketplace? How do you balance security at L3 and L4 with the flexibility and identity needs of L7? Join us to explore Splunk’s networking stack, starting at multi-cloud VPCs for L3, and Istio for L4 and L7. We’ll also discuss how some of the pain points in this architecture are driving the new Istio Ambient design.
Authors: Ravi Devineni, Vinny Carpenter

How often have you scrolled through Netflix and had trouble finding something to watch? Or found yourself standing, staring at a kaleidoscope of flavors of ice cream at the grocery store? Choice is a luxury. We all prefer to have more options, not less. This is why ample choices are often considered a symbol of privilege. However, there comes a point when too many choices can start to hinder our decision-making ability. Too many choices can also hinder our security posture. At Northwestern Mutual, we’ve had multiple tools (choices) - Multiple systems for Source Code, Build, artifact storage, deployment etc. Furthermore, we had various patterns of development and templates, with teams left with the choice to pick “what’s best for them.” All the evidence indicated that all this choice was causing the teams to feel overwhelmed and hence creating inefficiency and increasing our time to market, leading to a paradox of choice. A Paradox of Choice with overabundance of options could lead to anxiety, dissatisfaction and many ways to exploit systems. So we decided to tackle this. There are several technical, cultural, and organizational implications to this. Join us as we share the story of how Northwestern Mutual improved our Cloud Security posture through standardization.