
Cloud Native Security for the Rest of Us

2022-10-24

Authors: Tiffany Jernigan


Summary

The presentation covers why security matters in DevOps and Kubernetes and gives practical tips on secure software development and deployment.
  • Static analysis (SAST) tools, such as those catalogued by OWASP, can analyze source code and compiled binaries to find security flaws
  • Validating where code comes from, which build system produced an artifact, and who pushed it establishes a trusted path from source to deployment
  • Vulnerability scanners such as Clair and Trivy can identify known CVEs in container images
  • Immutable, pinned dependencies and ephemeral build environments limit attacks on code dependencies and build infrastructure
  • Observability through metrics and logging supports auditing of user and privilege changes and other security events
The speaker cites the SolarWinds attack, in which malicious code was injected into the software as it was compiled on the build server, to argue for ephemeral builds rather than a long-lived, dedicated build machine that an attacker can compromise.
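As an added example (not from the talk), the following Python script shows what "immutable dependencies" means in practice for container images: it parses each image reference in a Pod manifest and flags any that is not pinned by a content digest, since a tag such as `latest` or `1.4.2` can be re-pointed at different bytes after the fact. The sample manifest, registry names and container names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Pod manifest (a dict in the shape of the JSON a Kubernetes
# API server returns); not from the talk. Only the "pinned" container carries a digest.
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "app", "image": "ghcr.io/example/app:1.4.2"},
            {"name": "sidecar", "image": "registry.example.com:5000/tools/envoy:latest"},
            {"name": "pinned", "image": "docker.io/library/nginx:1.25.3@sha256:" + "a" * 64},
        ],
    },
}

# OCI digests are "<algorithm>:<hex>"; sha256 is the one in practical use.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: Optional[str]   # host[:port], or None for the default registry
    repository: str           # path within the registry, e.g. "library/nginx"
    tag: Optional[str]        # mutable pointer, e.g. "1.25.3" or "latest"
    digest: Optional[str]     # content address, e.g. "sha256:..."


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference of the form [host[:port]/]repo[:tag][@digest]."""
    original = ref
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {original!r}")
    # A tag colon is only valid after the last slash; a colon earlier in the
    # string belongs to the registry port (registry.example.com:5000).
    head, sep, last = ref.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    repository = f"{head}/{last}" if sep else last
    registry = None
    if sep:
        first = head.split("/", 1)[0]
        # Docker's rule: the first path component is a registry host only if it
        # contains a dot or a colon, or is "localhost".
        if "." in first or ":" in first or first == "localhost":
            registry = first
            repository = repository[len(first) + 1:]
    return ImageRef(registry, repository, tag, digest)


def mutable_image_findings(pod: dict) -> list:
    """Return one finding per container whose image is not pinned by digest."""
    findings = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            ref = parse_image_ref(container["image"])
            if ref.digest:
                continue  # content-addressed: every pull yields the same bytes
            if ref.tag is None:
                reason = "no tag (resolves to the mutable 'latest')"
            elif ref.tag == "latest":
                reason = "tag 'latest' is mutable"
            else:
                reason = f"tag {ref.tag!r} is mutable; pin by digest"
            findings.append(f"{pod_name}/{container['name']}: {container['image']}: {reason}")
    return findings


def pinned_reference(ref: ImageRef, digest: str) -> str:
    """Render a reference with a digest appended, keeping the tag for readability."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest {digest!r}")
    name = f"{ref.registry}/{ref.repository}" if ref.registry else ref.repository
    if ref.tag:
        name = f"{name}:{ref.tag}"
    return f"{name}@{digest}"


if __name__ == "__main__":
    for finding in mutable_image_findings(SAMPLE_POD):
        print(finding)
```

The digest, not the tag, is what the runtime verifies against the manifest it pulls, so a reference with `@sha256:...` is the only form that cannot silently change underneath a deployment. Keeping the tag in front of the digest (as `pinned_reference` does) costs nothing and keeps manifests readable; the tag is ignored for resolution once a digest is present.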

Abstract

Your mission is to secure the vast tracts of land of the Cloud Native security landscape. Where do you even start?!? It would be preposterous to cover that whole topic in a single session, but we can at least map it out. The plan is to break it down into three key areas and review each in turn.
  • Platform: securing and upgrading our control planes and nodes; isolating compute, storage, and network resources; managing privileges and secrets.
  • User management and permissions: various ways to authenticate and authorize user access; leveraging tools like RBAC and Namespaces, and some common "gotchas".
  • Software supply chain: what that means; what some actual threat models are; how to mitigate them.
You will leave this session with a stronger understanding of the breadth and depth of Cloud Native security and resources to further develop your knowledge.

Materials: