Authors: Ziv Nevo
2022-10-28

Engineers can’t really prevent hackers from eventually breaching Apps. It is not a question of IF but of WHEN. And unfortunately, a question of how much damage was done to our or our users’ resources, data and reputation. This does not happen only to small Apps and companies with small budgets and limited resources but to huge companies and government agencies (see SolarWinds attack). The solution - automatically isolating attackers when they breach one of the Apps in your cluster (or the App you develop), keeping the rest of the cluster’s components safe. This session will present a survey encompassing many commonly used cloud native apps that engineers all love and need (like Prometheus, Kafka, Jenkins, ClearML and many more) and demonstrate the built-in vulnerability most cluster deployments exercise and how to secure it. State of the art practices leave several, rather easily breached, back doors in many clusters. We will deep dive into several real-world scenarios and see the simple, yet very often missed, blueprint for making our cluster or our App-users’ clusters much more resistant to malicious activity.

Authors: Alexander Jung
2021-10-14

tldr - powered by Generative AI

KubeKraft is a novel runtime that allows for running VMs with Kubernetes natively, without any container overhead. It aims to achieve higher cluster utilization while maintaining performance and security.
  • Virtualization strategies such as containers have gained immense popularity thanks to orchestration frameworks such as Kubernetes.
  • Typical deployments with Kubernetes involve four degrees of virtualization and indirection, which can be difficult to debug and add performance penalties.
  • KubeKraft introduces unikernels into the ecosystem and allows for running VMs with Kubernetes natively, without any container overhead.
  • KubeKraft's architecture is presented, along with its integration with Kubernetes and performance results.
  • Using a Unikraft NGINX unikernel, KubeKraft results in 2x the throughput of an official Docker NGINX image.

Authors: Jasvir Nagra, Pedro Fortuna
2021-09-24

tldr - powered by Generative AI

The presentation discusses the need for a holistic approach to client-side web isolation to improve web application security.
  • Current browser-based security features lack full isolation for browser-based apps.
  • A holistic approach to client-side web isolation is needed to cover all angles of web application security.
  • Reducing the size of the compartment and making the units stronger and more developer-friendly are key to achieving this.
  • Web Page Integrity is a sandboxing solution that can be seamlessly integrated into any web app.