Cloud Native Security Landscape: Myths, Dragons, and Real Talk - Edd Wilder

The importance of providing a common view of security metadata to improve collaboration between developers and security teams

• The industry is beginning to produce more security metadata about their software due to the executive order on s-bombs
• Guac is a product that aggregates security metadata and turns it into information
• Different audiences can share a common view of security metadata customized to their needs
• Developers need to be won over by providing easy and default security solutions
• Education, gamification, and seamless tooling are ways to incentivize developers to prioritize security

There is a constant tension between security teams and developer teams, with security teams wanting to do things a certain way and developers pushing back. The key is to provide developers with the tools they need to do their jobs and make security solutions easy and default. One way to incentivize developers is through gamification, such as the Big Fix event where developers compete to fix open source vulnerabilities for prizes.

The open source security landscape is moving fast, and affects you at all parts of the software lifecycle, from creating open source, to consuming it, to remedying vulnerabilities and detecting threats at runtime. The sheer number of moving parts represents great progress, but challenging when it comes to knowing what to prioritize. Do you like GUAC with your SLSA? Are you equipped to handle the latest OSS vulnerabilities? This panel will discuss where you should pay attention, what's real now, and what's coming in the future. Topics will include * From design-time to run-time: security is a multi-layer concern. All along the software development lifecycle, progress is being made in securing cloud-native, what are the most important projects to know about? * It's about the people, naturally: we're being told to "shift left" security focus to the developer, but are we ready for it? What are the challenges of connecting the security teams to developers and architects, and what really works? * What is real, what is myth? The field is full of hot takes, from grand ideas that won't take off, to draconian policies that throw the baby out with the bathwater. Where are the real risks, and how do you deal with the myths and the scares?