Authors: Dov Hershkovitch
2022-10-25

DevSecOps extends the DevOps ecosystem with a security aspect. Sensitive information is everywhere, be it passwords, secret tokens or IDs exchanged to gain access to tools and platforms. Many secret management solutions and frameworks address the problem, yet this creates another one: which to choose, and how best to integrate it into your DevOps processes? Engineers have started to work around security protocols, and sensitive information is often stored in insecure ways. In a worst-case scenario, a plaintext token can lead to security leaks and business incidents. JSON Web Token (JWT) aims to build the integration bridge as an open standard for exchanging security claims. Join this session to learn how we at GitLab leverage JWT tokens to access different secret management solutions, including major cloud providers. Hear best practices for the challenges of retrieving sensitive data and for enhancing the DevSecOps security processes in your organization.
Authors: Eli Nesterov
2022-10-25


The presentation discusses the keys to a successful SPIRE rollout in production, based on learnings from multiple successful production deployments and commonly asked questions in SPIFFE/SPIRE Slack channels.
  • Understand trust boundaries and how they map into SPIFFE trust domains
  • Consider how this mapping affects your PKI and where to store keys
  • Federation between independent SPIFFE systems can affect performance and bundle size
  • Investment into building your own system depends on how much you trust it
  • Consider architecture patterns, deployment models, logging, monitoring, security, availability, and performance topics when moving from proof of concept to production